General Data Protection Regulation [GDPR]
This Notice, which is effective from 25 May 2018, describes the practices of Credebt Exchange Limited (“Credebt”) regarding the collection, use, transfer, disclosure and other handling and Processing of the Personal Data of current and past employees of Credebt.
In relation to Personal Data provided by you to Credebt, Credebt will act as Data Controller of such Personal Data. This means that Credebt determines why and how such data is used. Credebt’s data Processing is generally undertaken in fulfilment of its legitimate interests and for the performance of contracts.
- What is Personal Data?
Personal Data is any information relating to a living individual which allows either directly or indirectly the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable. The type of Personal Data that Credebt collects and Processes in relation to employees is described in more detail in the table at Appendix II of this Notice.
- How we Collect and Use your Personal Data
The table at Appendix II also describes in detail the particular purposes and lawful basis for Credebt’s processing of employee Personal Data as required by Data Protection Law. Credebt will generally Process your Personal Data for personnel administration purposes and for purposes as necessary for and connected with the performance of contracts, such as employment contracts, and in its legitimate interests.
Credebt may obtain Personal Data about you from third parties, such as former employers, educational institutions, recruitment agencies, recruitment platforms such as LinkedIn, government agencies, from information in the public domain and available on the internet and from other employees (e.g., other Credebt staff, members of the HR Department, etc.). We may also seek Personal Data about you from third parties in connection with: (I) locating former employees and beneficiaries for purposes of administering retirement, pension or other benefits; (II) performance evaluations; (III) academic and professional references; (IV) disciplinary matters and internal investigations; (V) purposes that relate to your employment relationship with us; and (VI) other purposes permitted in accordance with applicable law. Where we obtain Personal Data about you from third parties, we will do so in accordance with Data Protection Law.
- Special Categories of Data
Credebt Processes Special Categories of Data (“SCD”) relating to employees in limited circumstances, typically related to the ordinary course of personnel administration which is in accordance with the Data Protection Law. Such Processing of SCD is permitted under several provisions of the Data Protection Law, including the following:
4.1 Article 9(2)(f) GDPR where it is “necessary for the establishment, exercise or defence of legal claims” and this ground is amplified under the Data Protection Act 2018 which permits the Processing of SCD where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights (and which may include Processing in the context of disciplinary proceedings); and
4.2 In relation to the management of medical risk and medical claims the Data Protection Act 2018 permits the Processing of SCD where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care.
- Your rights under Data Protection Law
5.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (together the “Data Subject Rights”):
(a) The right of a data subject to receive detailed information on the Processing (by virtue of the transparency obligations on the Data Controller);
(b) The right of access to Personal Data;
(c) The right to rectify or erase Personal Data (known as the “right to be forgotten”);
(d) The right to restrict Processing;
(e) The right of data portability; and
(f) The right to object to automated decision making, including profiling and where processing is based on the legitimate interests of Credebt or a third party.
5.2 The Data Subject Rights are subject to certain conditions and accordingly will not be available in all circumstances.
5.3 Any data subject wishing to exercise their Data Subject Rights should contact the Credebt Andrew Hoey at firstname.lastname@example.org. Your request will be dealt with in accordance with Data Protection Law.
- Data Security and Data Breach
6.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
6.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches (Art. 34). For further information on identifying and reporting a Data Breach please contact Andrew Hoey at the details below. If you become aware of or suspect that a Data Breach has taken place you are required to immediately notify the Credebt Data Officer by both phone and email:
- Disclosing Personal Data
7.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).
7.2 We may also share Personal Data: (a) with a statutory body where there is a lawful basis to do so; (b) with selected third parties including our legal, financial and tax advisors and sub-contractors; (c) if we are under a legal obligation to disclose Personal Data. This includes exchanging information with other organisations for the purposes of fraud prevention or investigation.
7.3 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data where required by Data Protection Law. Examples of such third party service providers that we engage, and to whom we may provide Personal Data include but are not limited to communications providers, payroll service providers, pension administrators, occupational health providers, marketing or recruitment agencies, operators of data centres used by us, security services, catering service providers, and professional advisors such as external lawyers, accountants, tax and pensions advisors.
- Data Retention
We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as such purposes are set out in this Notice).
- Data Transfers outside the EEA
- Further Information/Complaints Procedure
ANNEX I – Glossary
In this Notice, the terms below have the following meaning:
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 – 2018 and any other laws which apply to Credebt in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” (or “SCD”) are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.
APPENDIX II – Data Processing Purposes
The following table describes the type of Personal Data that is collected by Credebt relating to Credebt employees and the purposes and lawful basis for Processing that data under Data Protection Law:
| Description of Personal Data | Purpose of Processing | GDPR lawful basis |
| --- | --- | --- |
| Information contained in: CVs, cover letters and job applications (including previous employment background, education history, professional qualifications, references, language and other relevant skills, certification, certification expiration dates), interview notes and feedback; details on performance management ratings, development programs planned and attended, e-learning programs, performance and development reviews, willingness to relocate or driver’s license information. | Recruitment, personnel administration and HR management, including performance analysis, promotion purposes and booking work related travel and accommodation. | For the performance of contracts. (Art 6(1)(b)). |
| HR files and records (including passport copy, training records, disciplinary records, salary details, benefits, compensation type, pay grade, salary step within assigned grade, awards, pay frequency, effective date of current compensation, salary reviews, banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data, national insurance or other number, marital/civil partnership status, domestic partners and dependents). | Personnel administration and HR management, including performance analysis and promotion purposes. | Compliance with legal obligations under employment legislation (Art 6(1)(c)); and Protecting the vital interests of employees and other persons (Art 6(1)(d)). |
| Photographs of employees and Security Access Cards. | For security purposes in relation to Security Access Cards. For use on Outlook to enable staff to identify colleagues. | Protecting the vital interests of employees and other persons (Art 6(1)(d)). |
| Data related to pensions | To enable Credebt pension trustees and related service providers to administer your pension entitlements. | Contract performance (Art 6(1)(b)). |
| Medical information (including medical certificate and sick notes). | Personnel administration and to verify employee absences from work on sick leave and purposes of preventative or occupational medicine. | To assess the working capacity of an employee under the Data Protection Act 2018. |
| Data Processed in relation to optional staff schemes or benefits | In relation to Travelpass, Bike-to-work scheme etc. | Employee consent, which can be withdrawn at any time (Art 6(1)(a)); and Contract performance (Art 6(1)(b)). |
| CCTV Footage | Credebt has closed circuit television cameras (“CCTV”) located throughout its premises. Credebt’s CCTV system is implemented in a proportionate manner as necessary to protect Credebt property against theft or pilferage and for the security of staff and visitors to the Credebt premises (to protect their vital interests). | Protecting the vital interests of employees and other persons (Art 6(1)(d)). |