GDPR Staff Policy
1. Why have you been given this privacy notice?
The Falstaff in Canterbury is a “data controller”. This means that we are required under data protection legislation to notify you of how we will process your personal data both during the employment relationship and post termination. This notice will explain how we collect your personal data, its use, storage, transfer and security. We will also explain what rights you have in relation to how we process your personal data. It is important that you read this notice, together with any other privacy notice we may provide during your employment, so that you are aware of how and why we are processing your personal data. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.
2. What are our obligations to you in relation to how we process your personal data?
We are required by law to ensure that, when we process any of your personal data, it is:
• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept in a form which permits you to be identified for only as long as necessary for the purposes we have told you about.
• Kept securely.
3. What personal data will we collect, use and store about you?
• Your name, addresses, contact numbers, and personal email addresses.
• Date of birth.
• Next of kin and emergency contact information.
• National Insurance number.
• Bank account details, payroll records and tax status information.
• Salary, annual leave, pension and benefits information.
• Start date.
• Location of employment or workplace.
• Copy of driving licence or passport.
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
• Employment records (including job titles, work history, working hours, training records and professional memberships).
• Compensation history.
• Performance information.
• Disciplinary and grievance information.
• CCTV footage and other information obtained through electronic means such as swipe card records.
• Information about your use of our information and communications systems.
We may also collect, store and use the following “special categories” of more sensitive personal information:
• Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
• Information about your health, including any medical condition, health and sickness records.
• Genetic information or biometric data.
• Information about criminal convictions and offences.
4. How do we collect your personal data?
We collect your personal data by a variety of means. At recruitment stage we have already collected data through the application process directly from you or an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, educational outlets and personal referees.
Whilst you are working with us, we may periodically need to collect additional personal information from you not identified on the above list, but before doing so we will provide you with a written notice setting out details of the purpose and the lawful basis of why we are collecting that data, its use, storage and your rights.
5. How will we use your personal data?
For the most part we will use your personal data for one of the following lawful bases:
a) Where we need to perform the contract we have entered into with you.
b) Where we need to comply with a legal obligation.
c) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
d) There are other rare occasions where we may use your personal data, which are:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
6. When will we use your personal data?
During your employment and for a short period after the relationship has ended, we will use your personal information for specific purposes. The list below describes the purpose of our processing, the personal data involved (from clause 3 above) and the lawful basis for our processing (from clause 5 above):
• Determining the terms on which you work for us.
• Checking your right to work in the UK.
• Making payments to you, including any necessary tax and NI deductions.
• Providing the following benefits to you:
• Liaising with your pension provider and making payments.
• Administration related to the contract of employment.
• Business management and work force planning, including accounting and auditing.
• Conducting and managing reviews of performance and determining performance requirements.
• Making decisions regarding remuneration, bonus, commission and compensation.
• Making decisions regarding promotions to include assessing qualifications for a particular role.
• Gathering evidence for a possible disciplinary or gathering evidence in respect of an informal complaint or grievance.
• Making decisions about your continued employment or engagement.
• Making arrangements for the termination of our working relationship.
• Education, training and development requirements.
• Dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work.
• Managing sickness absence, ascertaining your fitness to work.
• Complying with health and safety obligations, completion of accident book and RIDDOR reporting.
• Prevention of fraud through CCTV monitoring.
• Monitoring use of our information and communication systems to ensure compliance with our internal procedures and prevention of security lapses and breach of data protection laws.
• Preventing malicious software distribution.
• Gathering data analytics to assess retention and attrition rates.
• Equal opportunities monitoring.
It’s possible that some of the grounds for processing will overlap.
7. Your failure to provide information
We will only ask you to provide information which we believe is necessary for the performance of the contractual employment relationship (for example bank account details to pay you) or our associated legal obligations (for example giving salary information to HMRC). If you fail to provide certain information when requested we may not be able to meet our contractual obligations to you or we may not be able to fulfil our legal obligations.
8. What happens if we need to use your personal data for a new purpose?
We will only use your personal data for the stated purposes, unless we consider that there is a need to use it for another reason and that reason is compatible with the original purpose. However, if we consider that it is necessary and reasonable to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
There may be circumstances where we have to process your personal data without your knowledge or consent, where this is required by law and in compliance with the above rules.
9. How do we use your sensitive personal data?
Any personal data which reveals your ethnic origin, political opinions, religious and philosophical beliefs, genetic, biometric or health data, sex life and sexual orientation will be regarded as special categories of personal data. We will only use this data in the following ways:
• In order to comply with employment and other laws when processing and managing situations connected with absences arising in relation to your sickness or family/dependant-related leave.
• To ensure we meet our health and safety obligations towards you and other employment related obligations we will use information about your physical or mental health or disability status to assess your capability to perform your role, monitor and manage your sickness absence, provide appropriate workplace adjustments and administer health related benefits.
• Where it is needed in the public interest, for example for equal opportunity monitoring and reporting.
There may be circumstances where we need to process this type of information for legal claims or to protect your interests (or someone else’s) and you are not capable of giving your consent or where the relevant information has already been made public.
10. Do we need your consent to use sensitive personal data?
If we are using your sensitive personal data in accordance with our written policy to perform our legal obligations or exercise specific rights connected to your employment, we do not need your written consent to use it.
However, in limited circumstances, we may request your written consent to allow us to process your sensitive personal data. For example, your written consent will be required before we instruct a medical practitioner to prepare a medical report. If it becomes necessary to request your consent to process your sensitive personal data, we will provide you with details of the information that we require and why we need it, so that you can decide whether you wish to provide your consent. It is not a condition of your contract of employment with us that you must agree to any request for consent. Giving consent will always be a decision made of your own free will/choice.
11. Criminal convictions
We envisage that we will hold information about criminal convictions.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and duties you will perform and where we are legally entitled to do so.
We have in place a policy and safeguards which we are required by law to maintain when processing this data.
12. Automated decision making
It is our intention that you will not be subject to automated decision making which will have a significant impact on you, unless we have a lawful reason for doing so and we have notified you.
13. Will we share your personal data with third parties?
In order to meet our legal obligations connected with your employment relationship it is necessary to share your personal information with certain third parties (see below). We also need to share your data when we have legitimate business reasons for doing so and also where it is necessary in order to perform your contract.
14. Which third party service providers will we share your personal data with?
The following third-party service providers process personal information about you for the following purposes:
Seabreeze Accounting (payroll office)
Rota / Payroll System
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
15. Third party service providers and data security
Third party service providers are only permitted to process your personal data in accordance with our specified instructions. They are also required to take appropriate measures to protect your privacy and personal information. We do not allow your information to be used by the third parties for their own purposes and business activities.
16. Will we share your personal data with other entities within our business group?
As a consequence of the need to report on business performance, accounting, internal business transformations and IT activity, your personal data will be shared with other entities within the business group.
17. Will we transfer your personal data outside of the European Economic Area (EEA)?
If personal data is to be transferred outside the EEA, include details of the countries and of the relevant safeguards that you have implemented.
18. How do we ensure your personal data is secure?
We take your privacy and protection of data very seriously. Consequently, we have put in place appropriate security measures to prevent unauthorised use of your personal data. Details of the measures which are in place can be obtained from the HR Department. We will notify you and any applicable regulator of any suspected unauthorised use of your personal data.
19. How long will we keep your personal data?
We will retain your personal data for as long as is necessary to fulfil the purposes for which it was collected. Details of retention periods for specific purposes are available in our data retention policy which is available from the HR Department. When your employment relationship comes to an end with our business, we will either retain or securely destroy your personal data in accordance with our data retention policy or other applicable laws and regulations.
20. Your duty to inform us of any changes
In order that we can ensure that the personal data we hold in relation to you is accurate, it is important that you keep us informed of any changes to that data.
21. What rights do you have in respect of how we use your personal data?
Subject to legal limitations you have the right to:
• Request access to your data: You can ask us to provide a copy of the personal data we hold about you.
• Request corrections to be made to your data: If you think that your personal data is incomplete or inaccurate, you can ask us to correct it.
• Request erasure of your data: If you consider there is no lawful basis for us to continue processing your data you can ask for that data to be deleted or removed.
• Object to the processing of your data: If our lawful basis for processing your data relates to a legitimate business interest (or third-party interest) you can raise an objection to that interest. You can also object to us using your information for direct marketing purposes.
• Request that processing restrictions be put in place: If you believe that your information is being processed without a lawful reason or that the information is incorrect you can request that a freeze/restriction is placed on the processing of the information until your concerns are addressed.
• Request a transfer of your personal data: You can ask us to transfer your personal data to a third party.
If you wish to exercise any of the above rights please contact the HR Department in writing.
22. Will I have to pay a fee?
You will not be expected to pay a fee to obtain your personal data unless we consider that your request for access to data is unfounded or excessive. In these circumstances we may charge you a reasonable fee or refuse to comply with your request.
23. Confirmation of identity
Whenever you make a request for access to personal data, we may request specific information to confirm your identity. This is usually done to ensure that we are releasing personal data to the correct person.
24. Right to withdraw your consent
If we have asked for your written consent to obtain information, you have the right to withdraw your consent at any time. To withdraw your consent please contact the HR Department. Once we receive your notice of withdrawal, we will cease processing your data unless we have any other lawful basis on which to continue processing that data.
25. Important information about this privacy notice
We reserve the right to amend or update this privacy notice at any time. We will provide you with a new notice when we make any updates.
26. How to make a complaint
To exercise any of your rights, or for queries or complaints, please in the first instance contact our data representative Lucy Stokes on 01227 462138. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.