ENSEK's Contractor Privacy Notice

ENSEK CONTRACTORS PRIVACY NOTICE (V2.0 2024-05-16)


This document is our privacy notice for the purposes of Articles 13 and 14 of the UK GDPR, with respect to our contractors (freelance workers, personal services companies, agency workers, independent contractors, and staff of contractors).



1. WHO IS THIS PRIVACY NOTICE FOR?

This privacy notice is addressed to the types of individuals listed below (the data subjects). PLEASE ENSURE THAT YOU READ THIS NOTICE.

Agency Staff

(1) Individuals who are supplied as hired or agency staff under a contract for services between us and an employment agency or business.

(2) You may be employed by that employment agency or business, or by an umbrella company set up by them.

(3) We are a controller with respect to your data, as well as the agency supplying you.

Contractors

(1) Sole traders.

(2) Individuals who are partners in any partnership contractor we engage, where the contractor is not a corporate entity.

(3) Individuals who are directors or shareholders of contractors.

(4) Contractors include development companies, professional services companies, and software and system suppliers.

(5) We are a controller with respect to your data.

Contractor Staff

(1) Individuals who are staff of any contractors that we engage.

(2) Contractors include development companies, professional services companies, and software and system suppliers.

(3) Staff could be employees, consultants, shareholders, or directors.

(4) We are a controller with respect to your data, as well as the business employing you.

Freelance Workers

(1) Individuals who are freelance workers, working for us directly under a contract for services, or through a company they own (personal services companies), or through an umbrella company set up to provide their services.

(2) We are a controller with respect to your data.

Not Listed?

(1) We have separate privacy notices for staff, job applicants, and the public.

(2) These are available on request.

Any Questions?

If you have any questions, please contact our HR team in the first instance, and then our data protection officer if your question has not been resolved.


2. WHAT IS THIS PRIVACY NOTICE ABOUT?

This privacy notice explains what personal data we hold about you, how we collect it, how we use it, who we share it with, and what your rights are. We are required to notify you of this information, under data protection legislation. Set out below are some general points to note before reading further.

What is the applicable law?

(1) This document is a privacy notice published to comply with Article 13 and Article 14 of the UK GDPR.

(2) You can find out more information through the useful links section of this document.

What is our commitment as controller?

(1) The controller of your data is the person ultimately responsible for the processing of your data.

(2) As the controller of your data, we are committed to complying with our legal obligations as controller of your personal data, and to transparency about what we use your data for.

(3) Our legal obligations are set out in: the UK GDPR and DATA PROTECTION ACT 2018 (supplements the UK GDPR).

(4) As controller, we comply with the DATA PROTECTION PRINCIPLES when gathering and using personal information. We seek to ensure that our information collection and processing is always proportionate.

(5) We will inform you of any material changes to information we collect or to the purposes for which we collect and process it.

Must you provide data?

(1) We need you to provide the personal data in order to set up and perform any contract and non-disclosure agreement with you, and for the proper functioning and administration of our relationship with you.

(2) We may terminate your contract and cease any relationship if you do not provide the data reasonably required by us.

No automated decision-making

We do not use automated decision-making tools or processes.

Contracts

(1) When we refer to a contract in this privacy notice, we include the following.

(2) If you are a freelance worker, our contract with you and/or your company, including any collateral agreements (such as side letters).

(3) If you are an agency worker, our contract with the employment business supplying you.

(4) If you are a consultant or other contractor, our contract with the consultancy or other contractor business under which you are supplied.

(5) In any case, any non-disclosure agreement with you or any person supplying your services to us.

Processor and Controller

This privacy notice sets out whether we, or any person we transfer your data to, are: (a) controller (ultimately responsible); (b) processor (handle data for someone else).


3. WHO IS THE CONTROLLER OR PROCESSOR OF YOUR DATA?

The controller (or where applicable, processor) of your data is ENSEK LTD, and our contact details are set out below.

Our Company Name

ENSEK Ltd

Our Company Number

UK Companies House: 07167027

Our Country of Registration

England and Wales

Our Registered Office

(1) Hounds Gate, 30-34 Hounds Gate, Nottingham, England, NG1 7AB.

(2) This is also our postal address and head office.

Our Website

https://ensek.com/

Data Protection Email

dataprotection@ensek.co.uk

Our Data Protection Officer

Our Data Protection Officer can be contacted through the email address provided above.


4. WHAT DATA DO WE HOLD ABOUT YOU?

This section lists what data we hold about you in connection with the contract and supply relationship with us. Some of this data will only be used after you have been engaged by us.

Business Information

(1) Company name.

(2) Trading Name.

(3) Registered and office addresses.

(4) Legal status and form.

(5) Country of registration.

(6) Creditworthiness.

(7) Registration number.

(8) VAT number.

(9) Date of incorporation.

(10) Website.

(11) Telephone and email.

(12) Contacts.

(13) Business activities.

(14) Business policies, procedures, and practices.

(15) Regulatory authorisations.

(16) Directors and shareholders.

(17) Information concerning security and security measures.

CCTV

(1) Directors, workers and other representatives of a contractor may be captured on CCTV in our offices.

(2) There is CCTV located in the main building reception and the car park. It is operated by the landlords of the building.

(3) There is CCTV located in our communications room, where our servers and other equipment are located. This is operated by ourselves.

Contact and Worker Information

(1) Information relating to workers, contacts, directors, shareholders, consultants, developers, project managers, account managers and other individuals performing the contract or acting as contacts, representatives, or signatories.

(2) Position or role.

(3) Whether a director or shareholder, and shareholding.

(4) Email address.

(5) Home or business postal address.

(6) Telephone.

(7) Background security check information if we carry out security checks, including credit information, criminal records information, electoral roll checks, global watch list checks, and 5-year address and employment history checks.

(8) Images, video, and voice, including where you participate in recorded conferences and meetings, and including CCTV at our offices.

(9) Training information, including training on ENSEK policies and procedures.

Contract Information

(1) Non-disclosure agreements and service contracts with you, your employer, or your personal services company.

(2) Terms of the service contract, including scope and timescales for the services, charges payable, and duration of services, and workers provided.

(3) Information concerning you that may appear in the contract.

(4) Side letters and collateral agreements signed in connection with the contract, including with you or other workers.

(5) Notices, variations, and other contract related documents, including termination letters and notices.

Incident Information

(1) Information relating to conduct, claims and disputes.

(2) Information relating to security incidents and breaches.

(3) Evidence of good or bad performance.

Payments

(1) Lump sum payments, charges, fees, commissions, and rates for the services, including labour rates, whether to you, your business, your employer, or an employment business that supplies you.

(2) Timesheets.

(3) Bank details for payment (including account name, number, and sort code).

(4) Invoices and payment information, including payment and credit terms, and payments made by us.

(5) Debt information.

Performance Information

(1) Company equipment (including laptops) loaned to you or your employer.

(2) Access cards to our offices.

(3) Access rights and credentials to our networks and systems, and use of our networks and systems (including access and audit trails of what was done in our systems).

(4) Your work outputs and the work outputs of your employer and their other workers, including software, emails, documents, reports, analysis, plans and designs.

(5) Your work communications and work communications of your employer.

(6) Monitoring and management information relating to the performance of you and your employer.

Phishing and Security Tests

Phishing and other security awareness tests we carry out on our contractors who are given ENSEK email addresses or access to ENSEK systems, the results of these tests, your history of performance against these tests including history of reporting phishing attacks, and records of any associated follow-up advice and training.

Procurement Information

(1) Details relating to our procurement of your services and those of your employer.

(2) Tenders, bids, and proposals.

(3) Evidence of competence and capability and references.

(4) Due diligence information, including information and accounts filed with Companies House, validity of VAT number, review of contractor website, and financial information.

(5) Negotiation and contract preparation information and communications.

(6) Any recruitment agency that referred you or your business to us, restrictions applicable to you, and introduction fees or commission payable in respect of you.

Signatory Information

(1) Name of contract signatory.

(2) Title and position of contract signatory.

(3) Date of signature.

(4) Signature.

(5) Signature evidence captured by DocuSign or another online signing service, including history of views and opening of documents, IP address, and signing device.

System Use

(1) Access rights and log-in information to our equipment and systems, and to any third party systems we use.

(2) Information concerning representatives' use of our offices, networks, systems, and software, including access logs, what was viewed or done, use of email and other messaging software, files stored, accessed, and downloaded, software installed, and websites visited.

(3) Recordings of meetings or events representatives participate in, including video, audio and screen sharing recordings and captures.

(4) PLEASE NOTE THAT THIS IS NOT FOR THE PURPOSES OF MONITORING YOU, BUT TO CAPTURE WORK OUTPUT AND MAINTAIN AUDIT RECORDS RELATING TO OUR BUSINESS; HOWEVER, WE MAY MONITOR IF WE HAVE A LEGITIMATE CONCERN AND MONITORING IS PROPORTIONATE TO THAT CONCERN.

User Interface Analysis Data

(1) We capture usage information concerning your visits to any live or test websites and user interfaces of our software products, including: (a) where you use our Ignition user interfaces; (b) where you are selected to take part in surveys using third party user interface testing software.

(2) This may include: (a) mouse movements; (b) clicks; (c) features and pages visited and used; (d) surveys.

(3) This may also include audio and video recording only where users have selected to respond using one of these methods.

(4) PLEASE NOTE THAT THIS IS NOT FOR THE PURPOSES OF MONITORING YOU, BUT RATHER TO IMPROVE OUR SOFTWARE PRODUCTS.


5. HOW DO WE OBTAIN YOUR DATA?

This section sets out how we obtain your data.

From Forms and Contracts

(1) We obtain it from forms you complete or your employer or company completes, including any contractor information forms we request are completed.

(2) From any contract information in any contract document completed by you or your employer or company.

(3) From surveys, eNPS and other questionnaires we issue, if you choose to identify yourself.

From Messages and Documents

From emails and other messages sent by you or your employer or company, and from any files and documents provided to us by you, your employer or company.

From A Recruitment Professional

From a recruitment professional that was involved in introducing you or your company to us.

From Our Own Staff

We may obtain information about you or your own employer where our own staff provide us with introductions or other details, or are making assessments and decisions relating to the engagement of you or your employer, or are managing your performance or that of your employer.

From Our Systems

(1) We may obtain data about you or your employer from our systems.

(2) From your ENSEK issued computer and phone (if it is owned or managed by us).

(3) From your personal computer and phone (if it is used to access any of our systems or is used under our bring your own device policy).

(4) From our door entry systems and CCTV systems.

(5) From our business and cloud networks and systems that you or your employer accesses and uses, including all files and information you send, receive, create, edit, upload or access, and all APIs that you call or use, in our networks and systems.

From Third Parties

We may obtain information about you or your employer or company from the following third parties:

(1) Recruitment professionals.

(2) HMRC.

(3) Home Office.

(4) Referees.

(5) VAT checking services and other business registries.

(6) Background check providers and associated databases.


6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA?

To be able to process your data we need to have a lawful basis for doing so under the law.

Contract

To enter into or perform a contract with you or your employer or company.

Criminal Records

(1) We may carry out background checks on individuals working for us, covering criminal convictions, credit check, global watch list, electoral roll, and 5 years' address and employment history.

(2) This is because our business handles a lot of security sensitive data, and can access smart meters.

Legal Obligation

We need to do so to comply with a legal obligation or exercise a legal right. This could be a statute.

Our Legitimate Interest

(1) We do so for our "legitimate interests".

(2) This is a flexible ground which we must prove.

(3) It requires a judgement on our part, but is typically doing something you would normally expect, or there is a compelling justification.

(4) You have a right to object if you don't agree with our judgement (see later in this notice), and we must stop if it is clear you have overriding reasons for asking us to stop.

(5) Most of our processing would fall within legitimate interests or contract performance, such as: (a) operating a proper and secure procurement process; (b) verification of identity; (c) assessment of suitability; (d) security checks; (e) making informed decisions; (f) negotiating contracts; (g) managing the supply of services to us and monitoring that it is in accordance with the contract; (h) monitoring use of our networks, systems, and offices; (i) performing our contractual commitments with our clients; (j) securing work and services outputs; (k) financing and insuring our business; (l) to develop and improve our software and services.

Sensitive Data

We do not process any data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, or sex life or sexual orientation.

Your Consent

(1) If the above do not apply, we would need to get your consent to the specific use.

(2) This could be an explicit documented consent, or it could be implicit because you have requested some action to be taken involving your data.

Your Interests

(1) We need to do so to protect your vital interests.

(2) This could include care for your health and safety.


7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?

This part sets out the key purposes we use your data for.

Business Management

PURPOSE | To manage our business.

EXAMPLES | (1) Insuring our business. (2) Looking after all our workers. (3) Complying with our legal and contractual obligations, including under any client contracts sub-contracted to you. (4) Managing our business systems, granting and revoking access, and monitoring proper access and use. (5) Maintaining the security of our business, data, and finances, and implementing and monitoring security controls and measures. (6) Carrying out audits of our business and enabling third party audit companies to audit our business. (7) Providing evidence (which may include your personal data) to demonstrate the operation of our policies and controls in the business (such as performance reviews, access logs).

LAWFUL BASIS | Legitimate Interest- To operate our business to a high standard and comply with our contractual and legal obligations.

Contract Management

PURPOSE | To manage our contract for services with you or your employer / company.

EXAMPLES | (1) Maintaining a record of the procurement process. (2) Maintaining a record of the contract and all changes to it. (3) Maintaining a record of our due diligence and verification activities. (4) Managing variation and termination of the contract. (5) Communicating the agreed terms to necessary people in the business (e.g., charges communicated to finance team). (6) Maintaining a record of termination dates. (7) Maintaining a record for audit purposes.

LAWFUL BASIS | (1) Legitimate Interest- Maintaining evidence of the contract. (2) Contract Compliance- Performing the contract. (3) Legal Compliance- Having audit information available.

Incident Management

PURPOSE | To deal with incidents affecting the contract, including breach, competence, progress, and security matters.

EXAMPLES | (1) Gathering and storing facts and evidence. (2) Making claims and exchanging position statements and offers. (3) Following our security breach procedures. (4) Reporting information to government bodies.

LAWFUL BASIS | (1) Legitimate Interests- Having our suppliers perform their contracts, and defending claims. (2) Contract- Enforcing and performing the contract.

Intellectual Property

PURPOSE | To identify, prove, capture, maintain and protect the intellectual property, trade secrets, confidential information and know-how of ENSEK and its clients.

EXAMPLES | Capturing and storing code, files and documents you create, and evidence of who created or changed code, files or documents.

LAWFUL BASIS | (1) Contract - To enforce legal and contract rules on IPR ownership and confidentiality. (2) Legitimate Interest - To protect and secure our business, software and services.

Payment Management

PURPOSE | To manage payment to you or your employer / company for services provided.

EXAMPLES | (1) Storing and approving timesheets. (2) Receiving and checking invoices for work done. (3) Making bank transfers.

LAWFUL BASIS | Contract- Performing the contract.

Performance Management

PURPOSE | To manage the provision of the services and performance of the contract with us.

EXAMPLES | (1) Giving instructions and managing the receipt and use of the services. (2) Monitoring progress and compliance. (3) Monitoring and capturing outputs, including deliverables such as code, advice, reports, analysis, and plans. (4) Assessing the quality of outputs.

LAWFUL BASIS | (1) Legitimate Interest- That our suppliers comply with their contracted obligations. (2) Contract Compliance- Performing the contract. (3) Legal Compliance- Complying with security standards and information and data protection laws.

Procurement Management

PURPOSE | To operate a reasonable procurement process for procuring your services or those of your employer or company.

EXAMPLES | (1) Entering into non-disclosure agreements. (2) Verifying identity, authenticity, and financial standing. (3) Assessing bids and tenders. (4) Carrying out due diligence and security checks, and taking up references. (5) Validating that you are not being engaged as an employee by us. (6) Making decisions on procurement. (7) Preparing, negotiating, and entering into contracts. (8) Setting up you or your employer / company in our systems for payment; applying our joiner-mover-leaver process.

LAWFUL BASIS | (1) Legitimate Interest- To operate a professional procurement of services, and to know who we are dealing with, their trustworthiness, and competence. (2) Contract- To enter into a contract. (3) Legal Compliance- To comply with regulations that govern procurement of services (including anti-bribery and financial conduct).

References

PURPOSE | To capture reference details and assess your suitability for the role you applied for.

EXAMPLES | (1) Obtaining references from your referees. (2) Sharing those references with managers responsible for interviewing you and making decisions. (3) Reviewing those references to assess your suitability and prepare for interviews with you.

LAWFUL BASIS | (1) Contract- To prepare for entering into a contract with you. (2) Legitimate Interest- To be able to fairly judge your suitability for the role, and against other candidates.

System Improvement

PURPOSE | To improve our software and services.

EXAMPLES | (1) Capturing data about your use of our software user interfaces and their features (currently through PENDO) to assess the effectiveness of our designs and features. (2) Capturing testing data where you are invited to participate in a test of a new user interface feature or a user interface survey through USEBERRY.

LAWFUL BASIS | Legitimate Interest - Developing and improving our products and services.

Worker Management

PURPOSE | To manage the interactions and interface points between us and you or other workers provided by your employer / company, and manage the skills, training, and knowledge of workers.

EXAMPLES | (1) Carrying out background checks with third parties to assess your reliability and security risk status. (2) Issuing equipment. (3) Issuing access cards. (4) Issuing access accounts and credentials to our systems and setting up roles and permissions. (5) Providing training on our policies and procedures, security and data protection, and other requirements for working with us. (6) Monitoring your access to and use of our equipment, networks, and systems. (7) Recovering and terminating any of the above.

LAWFUL BASIS | (1) Legitimate Interest- Maintaining control and security over our equipment, networks, systems and data. (2) Ensuring that all workers are interfacing correctly with our business. (3) Contract Compliance- Performing the contract. (4) Legal Compliance- Complying with security standards and information and data protection laws.


8. WHO DO WE SHARE YOUR DATA WITH?

This section details who we may share your information with. We will normally share in confidence unless the law requires otherwise.

Auditors

PURPOSE | (1) We may share your personal data with any third party that is auditing our business and controls, including our security measures and operational controls, for the purposes of evidence, but only to the extent reasonably required for such evidence. (2) It will be shared securely, and under a non-disclosure agreement; and is normally shared to the auditor's secure evidence repository.

RECEIVED AS | They use it as our sub-processor, to provide audit services to us.

Background Check Providers

PURPOSE | We will share your information with background check providers (currently Experian) to the extent necessary for them to carry out background checks such as: (a) criminal records; (b) credit; (c) electoral roll, world watch list, and address and employment history.

RECEIVED AS | (1) They use it as our sub-processor, or provide the background check information to ourselves. (2) A credit search may also go on your credit record and they will do this as controller.

Other Staff

PURPOSE | (1) We may share your information where relevant with other staff who are to be involved in engaging you. (2) If you are successful we may share your information with our HR staff to commence your joining process with us.

RECEIVED AS | They will receive it in their capacity as our staff.

Invoice Support

PURPOSE | To an invoice scanning service, to scan and analyse your invoices to make input into our finance systems and payment more efficient.

RECEIVED AS | They will receive your invoices as our processor.

Recruitment Agents

PURPOSE | To recruitment agents who introduced you, to let them know the outcome and pay them any commission due.

RECEIVED AS | They will receive it as data controller, and will let you have a privacy notice if legally required.

Training Providers

PURPOSE | (1) We share your data with our training providers to record and manage training, such as the mandatory on-line cyber security, discrimination, equality, and data protection training that you are required to undertake. (2) This will normally include what training, and deadlines you need to observe.

RECEIVED AS | They will receive it as our sub-processor.


9. WHERE DO WE KEEP YOUR DATA?

Your data is kept in the systems referred to below. We no longer keep any paper records and all of your data is created, stored, and retained electronically.

Core HR System - Cezanne HR

(1) We use the HR cloud service Cezanne to store and manage contractor records for contractors that are personal services companies.

(2) They are stored under an ID prefixed with "CON".

(3) The records are: (a) name and contact details; (b) policy acknowledgements; (c) and timesheets.

(4) It is hosted in the European Economic Area.

Expenses Management - Expensify

(1) We use the expense management cloud service and phone app Expensify to manage your expenses claims.

(2) It may send you notifications.

(3) It captures images of receipts for your expenses, and dates, times, and other details of those expenses.

(4) It supports ENSEK approval of those expenses, and records this.

(5) Expensify data is hosted in the USA.

Finance System - Sage

(1) We currently use Sage for our main finance system, which will contain legal entity and payment related information concerning you (as a worker) and/or your employer / company, including rates, charges, and timesheet information.

(2) This replaced XERO in March 2023, but we may retain archive data in Xero for a further 5 years.

Training System - Illuminate

(1) Some training related records relating to you or your workers will be stored in Illuminate our training system.

(2) Illuminate is provided by Thrive Learning, who are the cloud service provider hosting your data.

Training System - Omniplex

(1) From October 2022 our investors, Lloyds, required all our staff and workers to undertake security training in their Omniplex training system.

(2) This involves us providing staff information into that system for the training to be administered and provided.

(3) Other training may be added to this in the future.

Access Rights Management - Airtable

(1) We use Airtable to host and record our access control records for Ignition and other systems.

(2) Your name, work contact details, and access rights may appear in that system.

Microsoft 365 and SharePoint

(1) ENSEK uses Microsoft 365, Exchange, Teams, SharePoint, and other apps for its general email, messaging, document creation, document storage and document sharing and its social and collaborative features such as Yammer and Engage.

(2) Your personal data may appear there in an ad-hoc form for a specific use connected with our business.

(3) There is also an old set of employment records for employees pre-dating Cezanne stored in a private employment Team Site accessed only by HR. These are being moved over time into Cezanne.

(4) We select the UK servers.

ENSEK Business Systems

(1) Elements of your personal data may appear in ENSEK business systems, such as Ignition, Azure DevOps, Outlook, Teams, ServiceNow etc.

(2) This will be incidental according to your use of those systems, and amount to an association between you and your use of those systems, and messages, chats, documents involving you.


10. HOW LONG DO WE KEEP YOUR DATA FOR?

This section covers our retention policy.

General Principle

We will only use your data for as long as it is required for the purposes for which it is processed.

Archiving Period

(1) However, we will retain a copy of your data for evidential purposes during the term of your employment contract and for 7 years after your employment contract has ended.

(2) This is to enable evidence to be provided for tax and legal claims purposes within the general legal claims limit of 6 years: see Limitation Act 1980.

(3) If you signed a contract as a deed, then that 7 years may be extended to 12 years.

(4) Logging data relating to your use of our systems (such as SharePoint logs) may be deleted sooner than this, depending on the logging configuration, typically after 12 months.

(5) Data consisting of or relating to your work output and work tasks and activities may be retained indefinitely, such as code or documents created, or tasks and other activities in our systems and databases.

Archiving Period | CCTV

CCTV recordings are held for 30 days, unless a recording is needed for evidence in relation to an incident that has happened, in which case we may hold the data for as long as may be reasonably required for that incident.


11. HOW DO WE KEEP YOUR DATA SECURE?

This section covers our security measures.

General Principle

(1) We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.

(2) In particular we have the following measures to keep your data secure.

ISO 27001

We are certified to and aim to keep certified to ISO 27001, which requires us to have a security management system, and to maintain a wide range of security controls. See ISO 27001.

ISO 27701

We are also certified to and aim to keep certified to ISO 27701, which is an extension to ISO 27001 for privacy information management. See ISO 27701.

Other Audits

We have our security controls audited independently by an auditor under the SOC (service organisation controls) audit standards, as well as under the smart energy code, the retail energy code, and other standards.

Data Breach

(1) We have procedures in place to deal with any suspected data security breach affecting your data.

(2) We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Other Measures and Controls

(1) The above standards and audits require and examine all our security and privacy measures and controls, which we have in place to protect against unauthorised use, access to, change to, or disclosure of your data, against viruses and other malicious software, and against unauthorised access to our equipment, offices, networks, cloud systems, and databases.

(2) These measures and controls cover areas such as office access controls, equipment log-in, cloud system log-in and associated roles and permissions, network and access monitoring, staff training, management, staff background checks, usage monitoring, anti-virus and other protective software and devices, and data segregation and encryption.

System Providers

Individual system providers listed in this document have their own separate security and controls with respect to your data in their systems, and we consider these prior to using those systems.

Cloud First

We operate on a "cloud first" basis, which means that your data is stored in secure and reputable cloud systems, rather than at any offices of ours.

Access Controls

We limit access to your personal information to those who have a genuine business need to know it.

Proportionate and Confidential

Those processing your information will do so only in an authorised and proportionate manner and are subject to a duty of confidentiality.


12. WHAT ARE YOUR RIGHTS?

This section covers your rights in relation to our processing of your data.

Introduction

(1) You have the following rights in relation to our processing of your personal data, but please note that these rights may be subject to conditions and exceptions set out in the law.

(2) If you would like to exercise these rights, please contact the head of human resources or our data protection officer.

(3) If you are not sure, just email us using our contact details in this document.

Our Service Providers

If you ask for the following, we are obliged to pass this request down to the providers of the systems we use and anyone else we use to process your data, as needed. See Article 19 of the UK GDPR.

Right to be informed

(1) You have the right to be informed if your data is being used.

(2) This document is how we are informing you.

(3) See Article 13 and Article 14 of the UK GDPR.

Right to withdraw consent

If any processing is based on your consent, you have the right to withdraw it at any time. Just email using our contact details in this document.

Right to stop direct marketing

You have the right to stop direct marketing at any time.

Right to a copy

(1) You have a right to an update of the information in this document.

(2) You also have a right to a copy of the personal data we hold about you.

(3) See Article 15 - Paragraph 3 of the UK GDPR.

(4) You have the right to ask for your data in a computer readable form, so that you can use it elsewhere.

(5) See Article 20 of the UK GDPR.

Right to a correction

(1) You have the right to request correction of your data (a right to rectification).

(2) See Article 16 of the UK GDPR.

Right to erasure

(1) You have the right to request erasure of your data (also known as the right to be forgotten).

(2) However, there are a range of exceptions to this, which mean that we do not have to erase your data if there are good reasons for retaining a copy of it.

(3) See Article 17 of the UK GDPR.

Right to restriction

(1) You have the right to request that we stop using your data for some purposes.

(2) There are conditions that apply.

(3) This means that we might still hold your data, but we would be stopped from using it for certain purposes.

(4) See Article 18 of the UK GDPR.

Right to object to legitimate interests

(1) If the legal basis for our using your personal data is a "legitimate interest", or we are using your data to market to you, then you can object to the processing.

(2) See Article 21 of the UK GDPR.

(3) We must stop the processing, unless we can show that our interests should take precedence over yours.

Automated Decision Making

(1) If we are making important decisions about you using a computer, without any human involvement, then you can ask us to stop, subject to conditions.

(2) See Article 22 of the UK GDPR.

Right to complain

(1) We hope that our head of human resources and data protection officer can resolve any query or concern you have about our use of your personal data or your rights.

(2) In any case, you have the right to complain to the Information Commissioner at any time.

(3) Their details are: (a) Address - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; (b) Helpline number - 0303 123 1113; (c) ICO website - https://ico.org.uk/make-a-complaint/


13. USEFUL LINKS

Air Table

An online database system we use to manage staff system access rights records.

https://www.airtable.com/product

Cezanne HR

Our employee management system.

https://cezannehr.com/

Cezanne HR Hosting

Hosting information.

https://cezannehr.com/hr-systems/hosting-updates/

Data Protection Act 2018

Contains additional rules to support the UK GDPR.

https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

ENSEK Ltd

The processor of your data.

https://ensek.com/

Expensify

Our staff expenses management system.

https://www.expensify.com/

Expensify - Hosting

Expensify hosting information.

https://community.expensify.com/discussion/4066/hosting-country-for-expensify-software-and-data

Expensify - Privacy

Expensify privacy information.

https://use.expensify.com/privacy

Expensify - Processors

Sub-processors used by Expensify.

https://use.expensify.com/subprocessors

ICO - Complaints Page

Page for making a complaint to the ICO.

https://ico.org.uk/make-a-complaint/

ICO - Your Rights

ICO page on your rights.

https://ico.org.uk/your-data-matters/

Information Commissioner's Office (ICO)

The UK regulator of privacy laws.

https://ico.org.uk/for-organisations/sme-web-hub/make-your-own-privacy-notice/

ISO 27001

International security controls standard.

https://www.iso.org/isoiec-27001-information-security.html

ISO 27701

International personal data management controls standard.

https://www.iso.org/isoiec-27001-information-security.html

Limitation Act 1980

Legal limitation periods for bringing a claim in court.

https://www.legislation.gov.uk/ukpga/1980/58/contents

Microsoft 365

Our back office business tools for email, messaging, calling, and file creation, storage and editing.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/o365-data-locations?view=o365-worldwide

Omniplex Learning

A training system of the Lloyds group for security and any other training that our investors require our employees to take.

https://omniplexlearning.docebosaas.com/learn

Pendo

A system used to generate user interface usage analytics, used by us to improve our software user interfaces.

https://www.pendo.io/

Sage

Our new finance system, from March 2023.

https://www.sage.com/en-gb/

SOC (Service Organisation Controls)

Auditing standard for auditing of security and operational controls.

https://en.wikipedia.org/wiki/ISAE_3402

Thrive Learning

Providers of our employee training system from 1st January 2023.

https://www.thrivelearning.com/

Tipalti

An accounts payable invoice scanning system.

https://tipalti.com/

UK GDPR

The UK's copy of the GDPR following Brexit.

https://www.legislation.gov.uk/eur/2016/679/contents

UK GDPR - Article 13

The provision of the GDPR requiring this notice.

https://www.legislation.gov.uk/eur/2016/679/article/13

UK GDPR - Article 14

The provision of the GDPR requiring this notice.

https://www.legislation.gov.uk/eur/2016/679/article/14

UK GDPR - Data Protection Principles

The fundamental rules we have to follow when processing your data.

https://www.legislation.gov.uk/eur/2016/679/article/5

UK GDPR - Lawful Basis

We must satisfy one of the grounds in this article to be able to process your data.

https://www.legislation.gov.uk/eur/2016/679/article/6

Useberry

A third party system used to test user interface designs with users and to obtain user surveys and feedback, used by us to improve and develop our user interface designs.

https://www.useberry.com/

XERO

Our old finance system, replaced in March 2023.

https://www.xero.com/uk/


END OF DOCUMENT