Applicant, Employee & Independent Contractor Privacy Notice

Cennox (the “Company”) is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information during and after your working relationship with us. This applies to all employees, workers, contractors, and candidates.

Cennox is the controller and processor of data for the DPA 18 and GDPR. This means that we are responsible for deciding how we hold and use personal information about you and we are responsible for processing the data. We are required under data protection legislation to notify you of the information contained in this notice. Cennox may utilise third parties for data processing for limited purposes including for providing services to us like payroll and other benefits administration.

This notice applies to current and former employees, workers, contractors, and candidates in respect of whom we hold personal data. This notice does not form part of any contract of employment, a contract to provide services or any other contract. We may update this notice at any time.

The kind of information we collect or process about you.

  1. The sort of information we hold includes: your name; date of birth; gender; marital status and dependents; contact and emergency contact details; next of kin; application form, including work history, qualifications and references; copy of identity documents such as passport, driving license or utility bills; criminal, credit and driver’s records; your contract of employment, if applicable, and any amendments to it; correspondence with or about you, for example letters to you about a pay raise or, at your request, a letter to your mortgage company confirming your salary; bank account details, payroll records and tax status information; information needed for benefits and expenses purposes including annual leave and pension information; records of absence; records relating to your career history, such as job role changes, training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records; CCTV footage and other information obtained through electronic means such as telephone recordings, email, mobile phone and internet usage data, swipe card records, records of work hours, and GPS data; information about your use of our information and communication systems; photographs.
  2. We may also collect, store and use the following “special categories” of more sensitive personal information: information about your health relevant to your work, including, for example, any medical condition, health and sickness records; information about criminal convictions and offenses as part of the recruitment process; and information to support equal opportunity monitoring.

How your information will be collected

We may collect personal information about employees, workers, contractors, and candidates in a number of ways. Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees, from a third-party employment agency, through a third-party recommendation or through an employment business or background check provider. We may sometimes also collect information from third parties including former employers, credit reference agencies, or other background check agencies. We may also collect personal data which is publicly available on websites such as job boards, LinkedIn, or similar recruitment related websites. We may use third-party applications which store their data from publicly available websites. We may collect additional personal information in the course of job-related activities throughout the period of you working for us or where you undertake a contract for us.

How your information will be used

  1. The Company needs to keep and process information about you for normal business purposes. The information we hold and process will be used for our management and administrative purposes only. We will keep and use it to enable us to run the business and manage our relationship with you efficiently, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when our relationship ends and after you have left. This includes using information to enable us to comply with any employment or independent contractor agreement, to comply with any legal requirements, pursue the legitimate interest of the Company and protect our legal position in the event of legal proceedings. You will, of course, inevitably be referred to in many Company documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the Company.
  2. The Company may use special categories of information in the following ways: sickness or health information (including leaves of absence and physician’s notes) to comply with employment and other laws including those pertaining to any workplace injuries and to consider how your health affects your ability to perform bona fide occupational duties or qualifications and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and Company sick pay, health, dental, vision, accident or life insurance, or policies. We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation to ensure meaningful opportunity monitoring and reporting. We will collect information about criminal convictions if it is appropriate given the nature of your role with us and where we are legally able to do so in order to consider your suitability for a role with us.
  3. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be unable in some circumstances to comply with our legal obligations (such as ensuring the health and safety of our workers) and we will tell you about the implications of that decision.
  4. As a company engaged in facilities services for a variety of industries, we may sometimes need to process your data to pursue our legitimate business interests, for example to prevent fraud, for administrative purposes or to report potential crimes.
  5. We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.
  6. We may process your personal information without your knowledge or consent where this is required or permitted by law. Where we process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, we will always obtain your explicit consent to those activities unless this is not required by law or the information is required to protect your health in an emergency. Where we are processing data based on your consent, you have the right to withdraw that consent at any time. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

How your information will be shared

  1. Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider, pension or health insurance schemes, IT services, and recruitment services and we may share your information for purposes of completing background investigations and to check your references. In very rare instances, we may share your personal information with other third parties, for example, in the context of possible restructuring or sale of the business.
  2. We may transfer information about you to other group companies for purposes connected with your employment or the management of the Company’s business.
  3. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your data for their own purposes. We only permit them to process your personal data for specific purposes and in accordance with our instructions.
  4. In limited and necessary circumstances, your information may be transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements and in some circumstances there may not be an adequacy decision by the European Commission in respect of that country. This means that the country’s domestic law or international commitments have not been determined by the European Commission to provide an adequate level of protection for your personal information. Therefore, to ensure that your personal information does receive an adequate level of protection, we have put into place safeguards to ensure your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: the organisation(s) to which your personal data is sent outside of the EU have a legally binding contract with us; all personal data is kept strictly confidential and can be only disclosed as required by contract; and only those staff at those organisation(s) who need to have access to personal data for the performance of their contractual obligations are permitted to have access to it. Furthermore, in circumstances where your data is transferred outside of the EEA to group companies, additional security measures including role-based security with limited access rights, logical separation of data, and encryption at rest and in transit ensure the security of your data. A copy of the safeguards can be obtained from

How your information will be protected

  1. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They may only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
  2. A copy of the Company’s Data Protection Policy may be obtained from the Human Resources Department.

How long your information will be retained

  1. The Company will not retain data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  2. In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
  3. Once you are no longer an employee, worker, contractor or candidate of the Company we will retain and securely destroy your personal information in accordance with applicable laws and regulations.

Your rights

(Applicable to EU citizens. If you are a citizen of a country outside the EU, your rights depend upon the laws of that country.)

  1. Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), you have several rights about your personal data.

You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.

  1. If you have provided consent for the processing of your data, you have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn. To withdraw your consent, please write to us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
  2. You have the right to lodge a complaint with the Information Commissioner’s Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 about your personal data.
  3. You will not have to pay a fee for access to your personal information or to exercise any of the other rights. However, the Company may charge a reasonable fee if the request for access is clearly unfounded or excessive.

Changes to this Privacy Notice

Cennox reserves the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make updates. We may also notify you in other ways, from time to time, about the processing of your personal information.

Information requests or questions

If you have any concerns as to how your data is processed or if you would like to exercise any of your rights, you can contact:

Chris Cockett, Data Protection Officer, at

Or you can email


To discuss your requirements call 0044 (0)1276 607 200