Privacy Notice for Purchasing & Corporate Cards

Your Personal Data 

The University of Glasgow will be what’s known as the ‘Data Controller’ of your personal data processed in relation to Purchasing and Corporate Cards applications. This privacy notice will explain how The University of Glasgow will process your personal data.

Why We Need It

We are collecting your basic personal data such as name, GUID, date of birth, nationality, College/School or Service area, and contact details (home address, work address, work email address) to administer applications for and report on the University’s Purchasing and Corporate Cards programme.  We will only collect data that we need in order to provide and oversee this service to you.

Your work email and/or contact telephone number will also be used to send you important communications about Purchasing and Corporate Cards and any authentication codes required to approve certain transactions.

Your work email address will also be used to set you up on the University Amazon Business account.

Your home address will be used by the University’s Procurement Office to send out new/replacement cards.  The University’s banking provider may also use your home address to send out cards.

Legal Basis for Processing Your Data

We must have a legal basis for processing all personal data. In this instance, the legal bases are:

  • Public task/Official authority – these cover activities undertaken as part of the core functions of the University.
  • Legal obligation – the bank anti-money laundering Regulations.
  • Legitimate interests –It is in the interests of both employees and the University to have a secure and efficient Purchasing and Corporate Cards system in place.

What We Do With It and Who We Share It With

  • All the personal data you submit is processed by staff at the University of Glasgow in the United Kingdom.
  • Your data will be shared with the University’s banking provider, HSBC, who may transfer and store it in locations outside the United Kingdom and the European Economic Area (EEA).  For further information on how HSBC may process your data please see their Privacy Notice here click here
  • Your personal data may be moved to a new banking supplier as required by the University.  We will inform you in the event of any such change in supplier.
  • Your work email address will be shared with the University’s Supplier Amazon in order to provide you with access to the University’s Amazon Business Account, please see their Privacy Notice click here.
  • Access to your data will be restricted to authorised University Procurement Office team members and HSBC bank.
  • Your data will be used to assess and approve your application; provide the bank with your application to obtain the credit card; update the Procurement system (P Card App) with the necessary details (your name, email address, GUID no., home address, date of birth, college/service, card limits); and to produce monthly usage reports as per below.
  • The University Procurement Office download monthly expenditure/KPI reports that will contain your name and College/School or Service area. The HSBC expenditure data will be held on the Procurement Supplier Spend Dashboard on QlikView, which details all expenditure/transactions made by the Purchasing or Corporate card holder by month or per annum.  The reports are shared with the Procurement Team, Heads of Finance, Heads of Schools/Colleges, and Heads of University Services.

How Long Do We Keep It For?

Your data will be retained by the University for the full duration that you hold a Purchasing or Corporate card on behalf of the University and thereafter 6 years in line with the Procurement retention Policy. After this time, data will be securely deleted.

What Are Your Rights?*

You can request access to the information we process about you at any time. If at any point you believe that the information, we process relating to you is incorrect, you can request to see this information and may in some instances request to have it restricted, corrected or erased. You may also have the right to object to the processing of data and the right to data portability.

If you wish to exercise any of these rights, please contact

*Please note that the ability to exercise these rights will vary and depend on the legal basis on which the processing is being carried out. 


If you wish to raise a complaint on how we have handled your personal data, you can contact the University Data Protection Officer who will investigate the matter.

Our Data Protection Officer can be contacted at

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO)