Employee Privacy Notice
This Employee Privacy Notice sets out what personal data we, Avery Berkel, hold about you and how we collect and use it, both whilst you are working for us and after you have left. It applies to current and former employees, workers, contractors, agency workers, consultants, interns, volunteers, partners and directors (together referred to as ‘Employees' or ‘you').
We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other information that we might give you from time to time about how we collect and use your personal data. You should also read our Data Protection Policy which explains our obligations in relation to personal data and how we keep it secure, as well as what we expect from you when you are handling personal data in the course of your work.
This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation comes into force. It does not form part of your contract of employment or other contract to provide service and does not give you any contractual rights. We may update this Privacy Notice at any time.
Who is the controller?
Avery Berkel is the “controller” for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you.
Morkel Muller, Business Unit Controller is responsible for informing and advising us about our data protection law obligations and monitoring our compliance with these obligations. He also acts as your first point of contact if you have any questions or concerns about data protection.
- This Privacy Notice also covers how ITW Limited uses any personal data about you that we share with them (for more information, see the Table in the Appendix, who we share your data with. ITW Limited is the controller of any personal data they hold and use about you. Morkel Muller, Business Unit Controller is responsible for informing and advising ITW Limited about its data protection law obligations and monitoring its compliance with those obligations. The GDPR team also acts as your first point of contact if you have any questions or concerns about data protection via Email: email@example.com. ITW Limited applies the same high standards to data protection compliance as we do.
What type of personal data do we hold about you?
Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual's actions or behaviour, or information that may otherwise impact that individual in a personal or business capacity.
We hold and use various types of personal data about you, including, for example: biographical details; recruitment information; details of the terms of your employment with us; pay and benefits details; working hours; performance information; details of your holidays and other leave; disciplinary, conduct and grievance matters; employee representation; health and safety; CCTV footage; business equipment, technology and systems usage information, etc.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
We hold and use various types of special category data about you, including: sickness absence and medical information; details of family leave which could include information about your health; equal opportunities monitoring data which could include information about your race or ethnicity, health, trade union membership.
Why do we hold your personal data and on what legal grounds?
We hold and use your ordinary personal data for employment, HR and business administration purposes. This will include, for example: management of our employment relationship with you; administration of pay and benefits; monitoring and assessment of performance; provision and regulation of holidays and other leave; addressing conduct, disciplinary and grievance issues; performance of day-to-day business activities, etc.
Data protection law specifies the legal grounds on which we can hold and use personal data.
Most commonly, we rely on one or more of the following legal grounds when we process your personal data:
- Where we need it to perform the contract we have entered into with you (performance of the contract), whether this is an employment contract, a contract for services or another type of contract. This may include, for example, ensuring that we pay you correctly and that we provide your contractual holiday entitlement.
- Where we need it to comply with a legal obligation (legal obligation). Typically, this may include legal obligations such as the obligation: to provide statutory holidays and statutory family leave and pay (maternity, paternity, adoption, shared parental, etc.); to pay the National Living Wage /National Minimum Wage; to comply with limits on working time; to meet health and safety requirements; not to discriminate or dismiss Employees unfairly.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). This may include, for example, managing working hours to ensure effective business operations, and monitoring your use of computers or other technology.
We hold and use your special category data for purposes including, for example: managing absence and ensuring cover; making adjustments to your job to accommodate health conditions; facilitating the taking of family related leave; paying sick pay, maternity, paternity, adoption or shared parental pay as applicable; monitoring equality of opportunity and diversity in our organisation; paying trade union subscriptions, facilitating meetings and permitting time off for the European Council Representatives.
Since special category data is usually more sensitive than ordinary personal data, we need to have an additional legal ground to use and hold it. Most commonly, as well as one of the legal grounds listed above, we rely on one or more of the following additional legal grounds when we process your special category data:
- Where we need to exercise our legal rights or carry out our legal obligations in relation to employment or social security and the processing is in line with our Data Protection Policy (legal obligation/right in relation to employment)
- Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our Data Protection Policy (public interest in monitoring equal opportunities within the workforce)
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards (assessment of working capacity)
Occasionally, we may also hold and use ordinary personal data: in the public interest for the detection or prevention of crime; or where needed to protect your vital interests or those of another person. We may also occasionally hold and use special category data: to establish, exercise or defend a legal claim; where needed to protect your interests (or someone else's interests) where you are not capable of giving your consent; or where you have already made the information public.
Sometimes we may use your personal data for purposes that are different from or incompatible with those for which we collected it. If we do this, we will notify you and explain our legal ground for using your data in this way, as required under data protection law.
The Appendix to this Privacy Notice sets out in more detail the types of ordinary and special category personal data we collect and hold about you, what we use it for, who we share it with and the relevant legal grounds under data protection law for doing so.
How do we collect your personal data?
You provide us with most of the personal data about you that we hold and use. Other personal data about you we hold and use is generated by you in the course of carrying out your duties. For example, during email correspondence or when producing documents or when you are using certain equipment such as computers, door entry systems/clocking-in and out systems.
Some of the personal data we hold and use about you is provided by or generated from internal sources during the course of running our business. For example, colleagues may refer to you in emails or documents, your manager will assess you as part of the appraisal process and information about you may be generated as part of our business and operational planning.
Some of the personal data about you that we hold and use may come from external sources. For example: when we offered you a job, we may have collected references from previous employers; we may obtain information about you from publicly available sources such as your LinkedIn profile or other media sources; we may ask for a report from an occupational health professional if you have long-term sickness absence; customers may give feedback about you; we might seek advice from a professional adviser that includes information about you; or your trade union representative might correspond with us in particular situations.
If you give us someone else's personal data
Sometimes, you might provide us with another person's personal data – e.g. details of your emergency contact or next of kin. In such cases, we require you to inform the individual what personal data of theirs you are giving to us. You must also give them our contact details and let them know that they should contact us if they have any queries about how we will use their personal data.
Who do we share your personal data with?
We will only share your personal data with third parties where we have an appropriate legal ground under data protection law which permits us to do so. Commonly, this could include situations where we are legally obliged to provide the information e.g. to HMRC for tax purposes, to comply with our contractual duties e.g. to providers of your contractual benefits such as; occupational pension, health insurance, etc, or where it is necessary in our legitimate interest e.g. to an IT service provider for maintenance of our IT systems, Payroll Services in order to pay you and Fleet Management Services to ensure management of the company car.
Further details of who we share your personal data with, and our purposes and legal grounds for doing so, are set out in the Appendix to this Privacy Notice.
Consequences of not providing personal data
We only ask you to provide personal data when we have a good reason and there may therefore be consequences if you do not provide particular information to us.
Some of the personal data you provide to us is required by law. For example, if you do not provide your national insurance number, we will not be able to make correct tax/NI deductions on PAYE, and, if you are pregnant, we require a MATB1 in order to pay statutory maternity pay.
We may require you to provide other personal data, where it is necessary for us, or our pensions/benefits providers to fulfil our contractual obligations to you, or for you to fulfil your contractual obligations to us, or where our use of the data is necessary in our legitimate interests. For example, if you do not provide us with a suitable timesheet or clocking in details, we cannot pay you for the potential overtime hours you have worked.
If you choose not to provide us with personal data requested, we will tell you about the particular implications of any such decision at the relevant time.
How long will we keep your personal data?
We will not keep your personal data for longer than we need it for our legitimate purposes.
We take into account the following criteria when determining the appropriate retention period for Employees' personal data:
- the amount, nature, and sensitivity of the personal data
- the risk of harm from unauthorised use or disclosure
- the purposes for which we process your personal data and how long we need the particular data to achieve these purposes
- how long the personal data is likely to remain accurate and up-to-date
- for how long the personal data might be relevant to possible future legal claims
- any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept
Given the variety of Employees' personal data that we use and the varying circumstances in which we use it, it is difficult to specify ahead of time precisely how long we will keep particular items of personal data. Where possible, the Tables in the Appendix to this Privacy Notice identify retention periods applicable to your personal data, which have been determined on the basis of the above criteria and which represent the longest period for which we will ordinarily keep it. We may often keep particular items of your personal data for less time. However, there may also be circumstances in which it is appropriate for us to keep particular items of your personal data for a longer period than that set out in the Tables. In particular, we will always keep your personal data for so long as we are required to do so under legal, accounting, reporting or regulatory requirements.
In addition, for some types of personal data, it is more appropriate to decide retention periods on a case by case basis (also using the criteria described above), and this is indicated in the Tables where applicable.
We will base these decisions on relevant circumstances, taking into account the criteria listed above.
Transferring personal data outside the EEA
An overseas transfer of personal data takes place when the data is transmitted or sent to, viewed, accessed or otherwise used in, a different country. Data protection law restricts transfers of personal data to countries outside of the European Economic Area (EEA) because the law in those countries might not provide the same level of protection to personal data as the law in the EEA. To ensure that the level of protection afforded to personal data is not compromised, therefore, we are only able to transfer your personal data outside the EEA if certain conditions are met, as explained below.
We may transfer some of your personal data to ITW Limited US who are outside the EEA:
- We have put in place a binding corporate rule as a measure to ensure that any personal data transferred is treated in a way that is consistent with and which respects the EEA and UK laws on data protection and receives an adequate level of protection. If you require further information about this measure, you can request it from Morkel Muller, Business Unit Controller via Email: firstname.lastname@example.org.
You have a number of legal rights relating to your personal data, which are outlined here:
- The right to make a subject access request. This enables you to receive certain information about how we use your personal data, as well as to receive a copy of it and to check that we are lawfully processing it.
- The right to request that we correct incomplete or inaccurate personal data that we hold about you.
- The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing.
- The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- The right to request that we transfer your personal data to you or to another party, in a structured format. This right applies in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
If you would like to exercise any of the above rights, please contact the GDPR Team via email (email@example.com).
Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact the GDPR Team via email (firstname.lastname@example.org).
If you have any questions or concerns about how your personal data is being used by Avery Berkel you can contact the GDPR Team via email (email@example.com).
Note too that you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk.
APPENDIX – FURTHER DETAILS
This section of the Privacy notice tells you in more detail about the type of personal data we hold about you, what we use it for, our legal grounds for doing so, who we share it with and how long we keep it.
Please note that we will not necessarily hold, use or share all of the types of personal data as described in this Appendix in relation to you. The specific types of data about you that we will hold, use and share will depend on your role, the terms on which you work for us, your individual circumstances and circumstances affecting the company from time to time. For example, if you do not have a work computer or use any other technical device in your role, we will not hold any computer or device usage records for you; if you work for us as a self-employed contractor, we will not hold records about benefits that you are not entitled to; if you have not yet taken a day off sick, we will not currently hold any sickness absence records for you; and we are only likely to share information about you with professional advisers in particular circumstances.
Note also that the first two Tables below divide items of personal data into relatively broad categories (under the heading “Type of ordinary personal data held by us”, or “Type of special category personal data held by us”). Where multiple purposes and/or legal grounds for our use of a given “type” of personal data are identified, this does not necessarily mean that all of the purposes and/or legal grounds are applicable to all items of personal data falling within that “type” of personal data.
More information about your ordinary personal data