DATA PROTECTION COMPLIANCE STATEMENT

This document demonstrates our commitment to protect the privacy and security of your personal information. It contains information regarding how we collect and use personal data or personal information about you in advance of any employment relationship in accordance with the General Data Protection Regulation (GDPR) and all other data protection legislation currently in force.

Pursuant to that legislation, when processing data we will:

• process it fairly, lawfully and in a clear, transparent way;
• collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you;
• only use it in the way that we have told you about;
• ensure it is correct and up to date;
• keep your data for only as long as we need it;
• process it in a way that ensures it will not be lost or destroyed or used for anything that you are not aware of or have consented to as appropriate.

Engage Technical Solutions Ltd is a “Data Controller”. This means that we are responsible for determining the purpose and means of processing personal data relating to you.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable individual in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

There are special categories of sensitive personal data, meaning data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sex life or sexual orientation, genetic data, and biometric data, which require a higher level of protection.

This Data Protection Compliance Statement (Privacy Notice) applies to all current and former employees, workers and contractors.

Details of Information We Will Hold About You

The list below identifies the kind of data that we will hold about you:

• personal contact details such as name, title, addresses, telephone numbers and personal email addresses;
• date of birth;
• gender;
• your photograph;
• marital status and dependents;
• next of kin and their details;
• national insurance number;
• bank account details, payroll records and tax codes;
• salary, pension and benefits information;
• leave records including annual leave, family leave and sickness absence;
• start date;
• location of employment or workplace;
• copy of driving licence;
• information included on your CV including references, education history and employment history;
• documentation relating to your right to work in the UK;
• medical or health information including whether or not you have a disability;
• current and previous job titles, job descriptions, pay grades, training records, hours of work, professional membership and other terms and conditions relating to your employment with us;
• compensation history;
• internal performance information including measurements against targets, formal warnings and related documentation with regard to capability procedures and appraisal forms;
• information and relevant communications regarding disciplinary and grievance issues;
• CCTV footage and other information obtained through electronic means such as building entry card records;
• information about your use of our information and communications systems.

The following list identifies the kind of data that we will process, and which falls within the scope of special categories of more sensitive personal information:

• information relating to your race or ethnicity, religious beliefs, sexual orientation, sex life and political opinions;
• trade union membership;
• information about your health including any medical conditions and disabilities;
• information about criminal convictions and offences;

How We Collect Your Personal Information

Your personal information is obtained through the application and recruitment process. This may be directly from candidates, via an employment agency or via a third party who undertakes background checks. Further information will be collected directly from you when you complete forms at the start of your employment, such as your bank details and next of kin details. Other details may be collected directly from you in the form of official documentation, such as your driving licence, passport or other right to work evidence. Data may be collected during the course of your engagement with us to enable its continued existence or development. Personal data is kept in personnel files, HR systems and IT systems.

Processing Information About You

We will only administer personal information in accordance with the lawful bases for processing. At least one of the following will apply when we process personal data:

• Consent: You have given clear consent for us to process your personal data for a specific purpose.
• Contract: The processing is necessary for a Contract we have with you, or because we have asked you to take specific steps before entering into a Contract.
• Legal Obligation: The processing is necessary for us to comply with the law, not including contractual obligations.
• Vital Interests: The processing is necessary to protect someone’s life.
• Public Task: The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
• Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

Lawful Basis for Processing your Personal Information

We consider that the basis for which we will process the data contained in the list above is necessary for the performance of the Contract we have with you and to enable us to comply with our legal obligations. Occasionally, we may process personal information about you to pursue legitimate interests of our own or those of third parties, provided there is no good reason to protect your interests and your fundamental rights do not override those interests.

The circumstances in which we will process your personal information are listed below:

• making decisions about who to offer initial employment to, and subsequent internal appointments and promotions;
• responding to requests from third parties such as a reference request or mortgage approval;
• making decisions about salary and other benefits;
• providing contractual benefits to you;
• maintaining comprehensive up to date personnel records about you to ensure amongst other things effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained;
• effectively monitoring both your conduct and your performance and to undertake procedures with regard to both of these if the need arises;
• offering a method of recourse for you against decisions made about you via a grievance procedure;
• assessing training needs;
• implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments;
• gaining expert medical opinion when making decisions about your fitness for work;
• managing statutory leave and pay systems such as maternity leave and pay;
• business planning and restructuring exercises;
• dealing with legal claims made against us;
• preventing fraud;
• ensuring our administrative and IT systems are secure and robust against unauthorised access.

There may be more than one reason to validate the reason for processing your personal information.

Lawful Basis for Processing Special Categories of Sensitive Data

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

• Consent: You have given clear consent for us to process your personal data for a specific purpose.
• Contract: The processing is necessary for a Contract we have with you, or because we have asked you to take specific steps before entering into a Contract.
• Legal Obligation: The processing is necessary for us to comply with the law, not including contractual obligations and meets the obligations under our Data Protection Policy.
• Vital Interests: The processing is necessary to protect someone’s life.
• Public Task: The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law and meets the obligations under our Data Protection Policy.
• Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

Occasionally, special categories of data may be processed where you are not capable of giving your consent, where you have already made the information public or in the course of legitimate business activities or legal obligations and in line with the appropriate safeguards.

Examples of the circumstances in which we will process special categories of your particularly sensitive personal information are listed below. This list is non-exhaustive:

• in order to protect your health and safety in the workplace;
• to assess your physical or emotional fitness to work;
• to determine if reasonable adjustments are needed or are in place;
• to monitor and manage sickness absence, family leave, time off for dependants or other absences from work;
• to administer benefits;
• in order to fulfil equal opportunity monitoring or reporting obligations.

Where appropriate, we may seek your written authorisation to process special categories of data. Upon such an occasion, we will endeavour to provide full and clear reasons at that time in order for you to make an informed decision. In any situation where consent is sought, please be advised that you are under no contractual obligation to comply with a request. Should you decline to consent, you will not suffer a detriment.

Information About Criminal Convictions

Information regarding criminal convictions may be processed in accordance with our legal obligations. Occasionally, we may process such information to protect yours or someone else’s interests and you are not able to give your consent, or we may process such information in cases where you have already made the information public. Such information may be sought as part of the recruitment process or in the course of your employment with us. Where we process information regarding criminal convictions, we will adhere to the guidelines currently in force regarding data security and data retention as determined by the appropriate governing body.

We do not anticipate that we will process information about criminal convictions.

Automated Decision-Making

We do not anticipate that any of our decisions will occur without human involvement.

Sharing Data

Your data will be shared with individuals in our employment it is necessary for them to undertake their duties with regard to recruitment. This includes your Manager, the HR department for maintaining personnel records and the payroll department for administering payment under your Contract of Employment. It may be necessary for us to share your personal data with a third party or third-party service provider including but not limited to contractors, agents or other associated or group companies within, or outside of, the European Union (EU). Data sharing may arise due to a legal obligation, as part of the performance of a Contract or in situations where there is another legitimate interest including a legitimate interest of a third party to do so. The list below identifies which activities are carried out by third parties on our behalf:

• payroll;
• pension providers or administrators;
• IT services;
• legal advisors;
• security;
• insurance providers.

Data may be shared with third parties in the following circumstances:

• in the process of regular reporting activities regarding our performance;
• with regards to a business or group reorganisation, sale or restructure;
• in relation to the maintenance support and/or hosting of data;
• to adhere with a legal obligation;
• in the process of obtaining advice and help in order to adhere with legal obligations.

If data is shared, we expect third parties to adhere and comply with the GDPR and protect any data of yours that they process. We do not permit any third parties to process personal data for their own reasons. Where they process your data, it is for a specific purpose according to our instructions.

We do not anticipate that we will transfer data to other countries.

Data Security

As part of our commitment to protecting the security of any data we process, we have put the following measures in place:

• appointed the HR Coordinator as a Data Protection Officer;
• implemented a Data Protection Policy in our Handbook.

If you would like further details, please contact the Data Protection Officer.

In addition, we have put further security measures in place to avoid data from being accessed, damaged, interfered with, lost, stolen or compromised. In cases of a breach or suspected breach of data security, you will be informed as will any appropriate regulator in accordance with our legal obligations. Any data that is shared with third parties is restricted to those who have a business need in accordance with our guidance and the duty of confidentiality.

Data Retention

We anticipate that we will retain your data for as long as we need it, but for no longer than is necessary for the purpose for which it was collected.

We have considered the following in order to decide the appropriate retention period:

• Quantity;
• Nature;
• Sensitivity;
• Risk of harm;
• Purpose for processing;
• Legal obligations.

At the end of the retention period, upon conclusion of any Contract or Agreement we may have with you, or until we are no longer legally required to retain it, it will be reviewed and deleted unless there is some special reason for keeping it. Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised, and you cannot be identified as being associated with that data.

Your Rights in Relation to Your Data

We commit to ensure that any data we process is correct and up to date. It is your obligation to make us aware of any changes to your personal information. In some situations, you may have the:

• Right to be informed: This means that we must tell you how we use your data, and this is the purpose of this privacy notice.
• Right to request access: You have the right to access the data that we hold on you. To do so, you should make a subject access request.
• Right to request correction: If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it.
• Right to request erasure: If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason to continue processing it.
• Right to object to the inclusion of any information: In situations where we are relying on a legitimate interest or those of a third party, you have the right to object to the way we use your data where we are using it.
• Right to request the restriction of processing: You have the right to ask us to stop the processing of your personal information. We will stop processing the data whilst still holding it until we have ensured that the data is correct.
• Right to portability: You may transfer the data that we hold on you for your own purposes.
• Right to request the transfer: You have the right to request the transfer of your personal information to another party.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so. If you wish to exercise any of the rights explained above, please contact the Data Protection Officer.

If you neglect to provide certain information when requested, it may affect our ability to enter into or continue with a Contract of Employment with you and it may prevent us from complying with our legal obligations. We commit to only process your personal information for the purposes for which it was collected, except where we reasonably consider that the reason for processing changes to another reason and that reason is consistent with the original basis for processing. Should we need to process personal information for another reason, we will inform you of this and advise you of the lawful basis upon which we will process. We may process your personal information without your knowledge or consent, in compliance with the above rules.

Questions or Complaints

It is the responsibility of our Data Protection Officer (DPO) to oversee compliance with this Statement. Should you have any questions regarding this Statement, or how we process your personal information, please contact the Data Protection Officer. The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.

I acknowledge receipt of the Privacy Notice for employees and contractors and confirm that I have read and understood it.