Fair Processing Policy

Employee and Prospective Employee Data – Fair Processing Notice (Privacy Policy)

ClickThrough Marketing is committed to maintaining the accuracy, confidentiality and security of your personal information. This Employee Fair Processing Notice describes the personal information that ClickThrough collects from or about you, and how we use and to whom we disclose that information. This policy is used in the interests of transparency over how we use (“process”) the personal data that we collect from job applicants/employees (“you”). It does not form part of your contract of employment and may be amended from time to time.

What Personal Information Do We Collect?

For the purposes of this Privacy Policy, personal information is any information relating to an identified or identifiable person. Personal information does not include anonymous or non-personal information.

We collect, store and maintain different types of personal information in respect of those individuals who seek to be, are, or were employed by us, including the personal information contained in:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • Date of birth
  • Gender
  • Marital status and dependants
  • Next of kin and emergency contact information
  • Death in service beneficiaries contact information
  • National Insurance number
  • Bank account details, payroll records and tax status information
  • Salary, annual leave, pension and benefits information
  • Start date
  • Location of employment or workplace
  • Copy of driving licence/Passport
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV, cover letter, application or any information used as part of the recruitment process).
  • Employment records (including job titles, work history, working hours, training records and professional memberships)
  • Letters of offer and acceptance of employment;
  • policy acknowledgement sign-off sheets;
  • Performance information
  • Disciplinary and grievance information
  • Call recordings used for training purposes
  • Archived email folders
  • Information about your use of our information and communications systems.
  • Photographs

In addition to the examples listed above, personal information may also be collected which is necessary to ClickThrough's business purposes, which is voluntarily disclosed in the course of an employee's application for and employment with ClickThrough.

‘Sensitive Personal Data’ means personal data consisting of information as to:

  • the racial or ethnic origin of the individual,
  • their political opinions,
  • their religious or philosophical beliefs,
  • their membership of a trade union,
  • their physical or mental health or condition and sickness records,
  • their sexual orientation
  • any criminal convictions and offences
  • any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings,
  • genetic data; and
  • biometric data where processed to uniquely identify a person (for example a photo in an electronic passport)

As a general rule, ClickThrough collects personal information directly from you. In most circumstances where the personal information that we collect about you is held by a third party, we will obtain your permission before we seek out this information from such sources (such permission may be given directly by you, or implied from your actions). One example is where we seek access to medical records for an employee who is off on long term sick.

From time to time, we may use the services of third parties and may also receive personal information collected by those third parties in the course of the performance of their services for us. In that case, we will take reasonable steps to ensure that such third parties have represented to us that they have the right to disclose your personal information to us.

Where permitted or required by applicable law or regulatory requirements, we may collect information about you without your knowledge or consent.

It is necessary for us to process personal data of both job applicants and employees without consent for the following reasons:

  • We will need the information in order to identify the individual for the purposes of recruitment;
  • We will need to maintain that information for the general purposes of the ongoing employment relationship including performing the employment contract and maintaining the health and safety of individuals on our premises.

Some examples of the specific situations in which we will use your personal data are making decisions about your recruitment or appointment determining the terms on which you work for us; checking you are legally entitled to work in the UK; paying you and, if you are an employee, deducting tax and National Insurance contributions; providing benefits to you; liaising with your pension provider; business management and planning, including accounting and auditing; conducting performance reviews, managing performance and determining performance requirements; making decisions about salary reviews and pay; assessing qualifications for a particular job or task, including decisions about promotions; gathering evidence for possible grievance or disciplinary hearings; making decisions about your continued employment or engagement; making arrangements for the termination of our working relationship; education, training and development requirements; dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work; ascertaining your fitness to work; managing sickness absence; complying with health and safety obligations; to prevent fraud; to ensure compliance with our IT policies; to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution; and equal opportunities monitoring.

We rely upon the accuracy of information contained in the employment application and the accuracy of other data presented throughout the hiring process and employment. Any misrepresentations, falsifications, or material omissions in any of this information or data may result in exclusion of the individual from further consideration for employment or, if the person has been hired, termination of employment.

Our legal basis for processing personal data of applicants and staff is that:

  1. Processing the personal data is necessary for the purpose of carrying out the employment contract or to take steps to enter into an employment contract;
  2. Processing is necessary to comply with a legal obligation (for example we are obliged under employment law to include in a written statement of employment terms the identity of the parties to the employment contract; and to ensure your health and safety); and/or
  3. Processing the data is necessary for the purposes of our “legitimate interests” as the data controller (except where such interests are overridden by the interests, rights or freedoms of the individual).

Our “legitimate interests” for these purposes are:

  1. the need to process data on applicants and staff for the purposes of assessing suitability for employment and then carrying out the employment contract;
  2. the need to gather data for the purposes safeguarding the health and safety of job applicants and employees;
  3. the need to transfer employee data intra-group for administrative purposes; and
  4. the need to process employee data for the purposes of ensuring network and information security.

We may from time to time need to process sensitive personal data of the kind described above. In that case, we will either obtain the explicit consent of the individual to the processing of such data or we may consider the processing of that data as being necessary for carrying out our obligations as an employer. That will be assessed on a case by case basis.

There is no strict statutory or contractual requirement for you to provide data to us but if you do not provide at least that data that is necessary for us to assess suitability for employment and then to conduct the employment relationship then it will not practically be possible for us to employ you.

WHY DO WE COLLECT PERSONAL INFORMATION?

The personal information collected is used and disclosed for our business purposes, including establishing, managing or terminating your employment relationship with ClickThrough.

Such uses include:

  • determining eligibility for initial employment, including the verification of references and qualifications;
  • administering pay and benefits;
  • processing employee work-related claims (e.g. worker compensation, insurance claims, etc.)
  • establishing training and/or development requirements;
  • conducting performance reviews and determining performance requirements;
  • assessing qualifications for a particular job or task;
  • gathering evidence for disciplinary action, or termination;
  • establishing a contact point in the event of an emergency (such as next of kin);
  • complying with applicable labour or employment statutes;
  • compiling directories;
  • ensuring the security of company-held information; and
  • such other purposes as are reasonably required by ClickThrough.

Monitoring

The work output of ClickThrough's employees, whether in paper record, computer files, or in any other storage format belongs to us, and that work output, and the tools used to generate that work output, are always subject to review and monitoring by ClickThrough.

In the course of conducting our business, we may monitor employee activities. For example, calls are recorded. Calls are recorded for training purposes. Generally, recorded calls are routinely destroyed and not shared with third parties unless there is suspicion of a crime, in which case they may be turned over to the police or other appropriate government agency or authority. Through ClickThrough’s IT Policy, we have the capability to monitor all employees' computer and e-mail use.

This section is not meant to suggest that all employees will in fact be monitored or their actions subject to constant surveillance. It is meant to bring to your attention the fact that such monitoring may occur and may result in the collection of personal information from employees (e.g. through their use of our resources). When using ClickThrough equipment or resources employees should not have any expectation of privacy with respect to their use of such equipment or resources.

HOW DO WE USE YOUR PERSONAL INFORMATION?

We may use your personal information for the purposes described in this Policy, or for any additional purposes that we advise you of and where your consent is required by law we have obtained your consent in respect of the use or disclosure of your personal information. We may use your personal information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so.

WHEN DO WE DISCLOSE YOUR PERSONAL INFORMATION?

We may share your personal information with our employees, contractors, consultants and other parties who require such information to assist us with establishing, managing or terminating our employment relationship with you, including: parties that provide products or services to us or on our behalf and parties that collaborate with us in the provision of products or services to you.

Also, your personal information may be disclosed:

  • as permitted or required by applicable law or regulatory requirements. In such a case, we will try to not disclose more personal information than is required under the circumstances;
  • to comply with valid legal processes such as search warrants, subpoenas or court orders;
  • to protect the rights and property of ClickThrough;
  • during emergency situations or where necessary to protect the safety of a person or group of persons;
  • where the personal information is publicly available; or
  • with your consent where such consent is required by law.

NOTIFICATION AND CONSENT

Privacy laws do not generally require ClickThrough to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment relationship. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so.

To the extent that your consent is required, we will assume, unless you advise us otherwise, that you have consented to ClickThrough collecting, using and disclosing your personal information for the purposes stated above. Where your consent was required for our collection, use or disclosure of your personal information, you may, at any time, subject to legal or contractual restrictions and reasonable notice, withdraw your consent. All communications with respect to such withdrawal or variation of consent should be in writing and addressed to HR.

Data Controller

For data protection purposes the “data controller” means the person or organisation who determines the purposes for which and the manner in which any personal data are processed. The data controller is ClickThrough Marketing, Charter House, 28 Sandford Street, Lichfield, WS136QA. If you have any questions about this policy please speak to HR.

RECIPIENTS OF PERSONAL DATA

Your personal data may be received by the following categories of people:

  • Our HR department
  • Our Finance department
  • In the case of job applicants, the interviewer and prospective manager
  • Any individual authorised by us to maintain personnel files
  • Our professional advisers
  • Appropriate external regulators and authorities (such as HMRC and HSE)

We do not envisage that your data would be transferred to a third country. If we perceive the need to do that we would discuss that with you and explain the legal basis for the transfer of the data at that stage.

HOW IS YOUR PERSONAL INFORMATION PROTECTED?

ClickThrough tries to maintain physical, technical and procedural safeguards that are appropriate to the sensitivity of the personal information in question. These safeguards are designed to protect your personal information from loss and unauthorized access, copying, use, modification or disclosure.

HOW LONG IS YOUR PERSONAL INFORMATION RETAINED?

We will keep personal data for no longer than is strictly necessary, having regard to the original purpose for which the data was processed. In some cases we will be legally obliged to keep your data for a set period.

Examples are below:

  • Income tax and NI returns, income tax records and correspondence with HMRC: We are obliged to keep these records for not less than 3 years after the end of the financial year to which they relate.
  • Wage and salary records: We are obliged to keep these records for 6 years.
  • For recruitment purposes we will keep candidate information for two years. After this time, we will contact the candidates to ask them to re-opt back into our database.

UPDATING YOUR PERSONAL INFORMATION

It is important that the information contained in our records is both accurate and current. If your personal information happens to change during the course of your employment, please keep us informed of such changes. In some circumstances we may not agree with your request to change your personal information and will instead append an alternative text to the record in question.

ACCESS TO YOUR PERSONAL INFORMATION

You can ask to see the personal information that we hold about you. If you want to review, verify or correct your personal information, please contact HR. Please note that any such communication must be in writing.

When requesting access to your personal information, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal information that we hold about you. If you require assistance in preparing your request, please contact HR.

Your right to access the personal information that we hold about you is not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information that we hold about you. In addition, the personal information may have been destroyed, erased or made anonymous in accordance with our record retention obligations and practices.

If we cannot provide you with access to your personal information, we will try to inform you of the reasons why, subject to any legal or regulatory restrictions.

YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA

  • The right to be forgotten

You have the right to request that your personal data is deleted if:

  • it is no longer necessary for us to store that data having regard to the purposes for which it was originally collected; or
  • in circumstances where we rely solely on your consent to process the data (and have no other legal basis for processing the data), you withdraw your consent to the data being processed; or
  • you object to the processing of the data for good reasons which are not overridden by another compelling reason for us to retain the data; or
  • the data was unlawfully processed; or
  • the data needs to be deleted to comply with a legal obligation.

However, we can refuse to comply with a request to delete your personal data where we process that data:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • the exercise or defence of legal claims.
  • The right to data portability

You have the right to receive the personal data which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (us) where:

  • the processing is based on consent or on a contract; and
  • the processing is carried out by automated means.

Note that this right only applies if the processing is carried out by “automated means” which means it will not apply to most paper based data.

  • The right to withdraw consent

Where we process your personal data in reliance on your consent to that processing, you have the right to withdraw that consent at any time. You may do this in writing to HR or to your Line Manager.

  • The right to object to processing

Where we process your personal data for the performance of a legal task or in view of our legitimate interests you have the right to object on “grounds relating to your particular situation”. If you wish to object to the processing of your personal data you should do so in writing to HR or to your Line Manager stating the reasons for your objection.

Where you exercise your right to object we must stop processing the personal data unless:

  • we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
  • the processing is for the establishment, exercise or defence of legal claims.
  • The right of “subject access request”.

So that you are aware of the personal data we hold on you, you have the right to request access to that data. This is sometimes referred to as making a “subject access request”.

  • The right to rectification

If any of the personal data we hold on you is inaccurate or incomplete, you have the right to have any errors rectified. Where we do not take action in response to a request for rectification you have the right to complain about that to the Information Commissioner’s Office.

  • The right to restrict processing

In certain prescribed circumstances, such as where you have contested the accuracy of the personal data we hold on you, you have the right to block or suppress the further processing of your personal data.

  • Rights related to automated decision making and profiling

The GDPR defines “profiling” as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • reliability;
  • behaviour;
  • location; or
  • movement

You have the right not to be subject to a decision when it is based on automated processing; and it produces a legal effect or a similarly significant effect on you. However, that right does not apply where the decision is necessary for purposes of the performance of a contract between you and ClickThrough. We may use data related to your performance or attendance record to make a decision as to whether to take disciplinary action. We consider that to be necessary for the purposes of conducting the employment contract. In any event that is unlikely to be an automated decision in that action will not normally be taken without an appropriate manager discussing the matter with you first and then deciding whether the data reveals information such that formal action needs to be taken. In other words there will be “human intervention” for the purposes of the GDPR and you will have the chance to express your point of view, have the decision explained to you and an opportunity to challenge it.

Complaints

Where you take the view that your personal data are processed in a way that does not comply with the GDPR, please speak to HR. You also have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then inform you of the progress and outcome of your complaint. The supervisory authority in the UK is the ICO.