Employee and Other Contracted Individuals privacy notice for the Barcroft Group (GDPR compliant)
For the purposes of this GDPR policy, Barcroft Studios Limited and its subsidiary companies Barcroft Media Limited (including Windsor Support Services Pvt Limited) and Barcroft Productions Limited are defined as the “Group”. The Group is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we hold on you as an employee or contracted individual of the Group. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This Privacy Notice applies to:
a) any employee, subject to any type of (employment) agreement, including any internship or apprenticeship contract, training programme, access-to-work contract, on-call contract, and, when necessary (for example in emergency situations and for benefits administration), to such employee’s spouse, domestic/civil partner or dependents (together dependents);
b) self-employed workers and independent contractors and freelancers;
c) any other individual performing a work activity or professional performance or audio-visual contribution for the benefit of the Company.
(the above listed individuals are collectively defined as you and the relevant agreement with the Company, whatever form it takes as described under a), b) and c) above, is also defined as the working relationship).
together these three categories or data subjects are referred to as “Contracted Individuals”.
Data controller details
The Group is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows: Barcroft Studios Limited, Barcroft Productions Limited and Barcroft Media Limited, all of whose registered office is at Regina House, 124 Finchley Road, London NW3 5JS. Our trading address is 14 Shoreditch Stables, 138 Kingsland Road, London, E2 8DY.
Data protection principles
In relation to your personal data, we will:
· process it fairly, lawfully and in a clear, transparent way
· collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you
· only use it in the way that we have told you about
· ensure it is correct and up to date
· keep your data for only as long as we need it or are required to keep it by law or statute
· process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed
Types of data we process
We may hold many types of data about you, including:
· your personal details including your name, address, date of birth, email address, phone numbers
· your photograph
· marital status
· dependants, next of kin and their contact numbers
· medical or health information including whether or not you have a disability
· information used for equal opportunities monitoring about your sexual orientation, religion or belief and ethnic origin
· information included on your CV including references, education history and employment history
· documentation relating to your right to work in the UK
· driving licence
· bank details
· tax codes
· National Insurance number
· current and previous job titles, job descriptions, pay grades, pension entitlement, hours of work and other terms and conditions relating to your employment with us
· letters of concern, formal warnings and other documentation with regard to any disciplinary proceedings
· internal performance information including measurements against targets, formal warnings and related documentation with regard to capability procedures, appraisal forms
· leave records including annual leave, family leave, sickness absence etc.
· details of your criminal record (if relevant)
· training details
· CCTV footage
· building entry card records
· your use of email and the internet
· your use of company mobile phones.
How we collect your data
We collect data about you in a variety of ways and this will usually start when we undertake a recruitment or engagement exercise where we will collect the data from you directly. This includes the information you would normally include in a CV or a recruitment/engagement cover letter, or notes made by our hiring team during a recruitment or engagement interview. Further information will be collected directly from you when you complete forms at the start of your employment or engagement, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence. We also monitor communications, for example IT and email use and mobile phone use, to ensure that employees to ensure that employees only use equipment in accordance with the Company’s policies and procedures.
In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Personal data is kept in personnel files or within the Group’s HR, Finance and IT systems.
Why we process your data
The law on data protection allows us to process your data for certain reasons only:
· in order to perform the contract that we are party to
· in order to carry out legally required duties
· in order for us to carry out our legitimate interests
· to protect your interests and
· where something is done in the public interest.
All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data. For example, we need to collect your personal data in order to:
· carry out the contract that we have entered into with you and
· ensure you are paid.
We also need to collect your data to ensure we are complying with legal requirements such as:
· ensuring tax and National Insurance is paid
· carrying out checks in relation to your right to work in the UK and
· making reasonable adjustments for disabled employees.
We also collect data so that we can carry out activities which are in the legitimate interests of the Group. We have set these out below:
· making decisions about who to contract with to, and subsequent internal appointments, promotions etc.
· making decisions about salary/ rate and other benefits
· providing contractual benefits to you
· maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained
· effectively monitoring both your conduct and your performance and to undertake procedures with regard to both of these if the need arises
· offering a method of recourse for you against decisions made about you via a grievance procedure
· assessing training needs
· implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments
· gaining expert medical opinion when making decisions about your fitness for work
· managing statutory leave and pay systems such as maternity leave and pay etc.
· business planning and restructuring exercises
· dealing with legal claims made against us
· preventing fraud
· ensuring our administrative and IT systems are secure and robust against unauthorised access
· ensuring that company policies are adhered to.
How do we use your personal data?
We will process your personal data in compliance with applicable laws for the following purposes:
a. Managing Workforce: HR administration and managing work activities and personnel generally, including recruitment, absence, performance management, promotions and succession planning, rehiring, salary and payment administration, pension and benefits administration, managing business expenses and reimbursements, planning and monitoring of training requirements and career development activities and skills
b. Communications and Emergencies: facilitating communication with you, ensuring business continuity, protecting the health and safety of employees and others.
c. Business Operations and security: operating and managing IT and communications systems, managing product and service development and improvement, managing and allocating company assets and human resources, strategic planning, project management, business continuity, compilation of audit trails and other reporting tools, maintaining records relating to business activities, budgeting, financial management and reporting, communications, managing mergers, acquisitions, sales, re-organizations or disposals and integrations, building security and crime prevention.
d. Compliance: Complying with legal and other requirements, including audits, inspections and other requests from government or other public authorities.
e. Dispute resolution, responding to legal process, pursuing legal rights and remedies.
f. Health and safety: Complying with legal obligations on occupational safety and health.
Special categories of data
Special categories of data are data relating to your:
· sex life (if relevant)
· sexual orientation
· ethnic origin
· trade union membership
· genetic and biometric data.
We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:
· you have given explicit consent to the processing
· we must process the data in order to carry out our legal obligations
· we must process data for reasons of substantial public interest
· you have already made the data public.
We will use your special category data:
· for the purposes of equal opportunities monitoring
· in our sickness absence management procedures
· to determine reasonable adjustments to your working environment
We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time.
Criminal conviction data
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment.
If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract. If you do not provide us with the data needed to do this, we will unable to perform those duties e.g. ensuring you are paid correctly. We may also be prevented from confirming, or continuing with, your contract with us in relation to our legal obligations if you do not provide us with this information e.g. confirming your right to work in the UK or, where appropriate, confirming your legal status for carrying out your work via a criminal records check.
Sharing your data
Your data will be shared with colleagues within Barcroft Media Limited where it is necessary for them to undertake their duties. This includes, for example, your line manager for their management of you, the HR department for maintaining personnel records and the finance department for administering payment under your contract of employment.
We share your data with third parties in order to e.g. obtain references as part of the recruitment process. We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal or contractual obligation upon us.
Due to the global nature of the Group’s operations, the Group may disclose personal data to personnel and departments throughout the Group (and to some third parties providing services such as our payroll and pensions providers). In addition, some data may have to be provided to our customers as part of our deliverables packages. This may include transferring personal data to other countries (including countries other than where you are based that have a different data protection regime than the one existing in the country where you are based). If you are located in the European Economic Area (EEA), this may include countries outside of the EEA and in particular the United States. We have adopted appropriate safeguards to protect your personal data regardless of where it resides. Further information can be provided by filing a request to the Group, directed to email@example.com.
Protecting your data
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your employment or contractual relationships with us though in some cases we will keep your data for a period after your employment or contractual relationship has ended. Retention periods can vary depending on why we need your data, as set out below:
· Organisational documentation e.g. Contracts of Employment and Appraisal records are kept for the duration of Employment and for five years thereafter for reference purposes, unless otherwise required by statute or law.
· Payroll information is retained for 6 years, unless otherwise required by statute, law or other legal commitment.
Automated decision making
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
· the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
· the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request. You can read more about this in our Subject Access Request policy which is available from firstname.lastname@example.org
· the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
· the right to have information deleted. If you would like us to stop processing your data, you have the right to request us to delete it from our systems where you believe there is no reason for us to continue processing it
· the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
· the right to portability. You may transfer the data that we hold on you for your own purposes
· the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests (as method of collecting and processing data)
· the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in a way that adversely affects your legal rights.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact Dave Wheels at email@example.com.
Please keep personal data up to date and inform us of any significant changes to personal data. You agree to inform your dependents, whose personal data you provide to the Group about the content of this Privacy Notice, and to obtain their consent (provided they are legally competent to give consent) for the processing of that personal data by the Group as set out in this Privacy Notice.
You further agree to follow applicable law and the Group’s policies, standards and procedures that are brought to your attention when handling any personal data to which you have access in the course of your working relationship with the group and the Group’s Data Protection Policy. You will not access or use any personal data for any purpose other than in connection with and to the extent necessary for your working relationship with the Group. You understand that these obligations continue to exist after termination of your working relationship with the Group.
Making a complaint
The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.
Changes to the Privacy Notice
We may change or update this Privacy Notice including as a result of different interpretations, decisions and opinions relating to the EU Privacy Regulation and will notify you accordingly.
We do not collect your email address, name, social profile details or any other personal information.