Insights
About
About

UK Employee Privacy Notice

202310October 26, 2023

Data protection information for employees, workers and contractors (pursuant to Articles 13and 14 UK GDPR)

  1. Introduction

    The protection of your personal data that is processed throughout the course of your employment or engagement (whether as a worker or contractor) and thereafter, is of great importance to us. The processing of your data, including your name, address or other contact- and personal details, that we learn about you during your employment, will always be carried out in compliance with the law (European General Data Protection Regulation as retained in UK domestic law as the UK GDPR and the UK Data Protection Act 2018).

    The purpose of this note is to inform you about the processing of personal data and to make you aware of your rights. “Personal data” refers to information which relates to an identified or identifiable individual, such as for example name, address and e-mail address. “Processing” of personal data means dealing with the data in any way, such as using, retaining, destroying or disclosing it.

    We will use your data in order to:

    • enter into an employment relationship with you or otherwise engage you;
    • implement our contract with you and, if necessary, deal with its termination;
    • fulfil our contractual and legal obligations; and
    • where it is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not override those interests.

    We may also use your data in the following circumstances, which are likely to be rare:

    • where we need to protect your vital interests (or someone else’s interests); or
    • where it is necessary in the public interest.
  2. Data Controller

    Our company is responsible for the processing of your personal data:

    Forge Europe UK Limited
    10 York RoadLondon SE1 7ND

    Head of Europe (Managing Director): Thomas Davies

    Contact:
    [email protected]

  3. Categories and sources of data

    We receive some of your personal data directly from you, either by filling in the appropriate forms or by contacting us, either by telephone, in direct personal contact or by e-mail. This is done in particular as part of the application procedure during the recruitment process, but also as part of the day-to-day running of the business. We may also create or collect personal data during your employment or engagement with you.

    The personal data are in particular:

    • your personal details, for example your name, date of birth, gender, marital status, personal contact details (including addresses, phone numbers and personal email addresses), copy of driving licence;
    • dependents, next of kin and emergency contact information;
    • professional qualifications and memberships and any personal data contained in your CV, cover letter, application form and references, information about criminal convictions and offences, right to work documentation;
    • work-related details, for example work contact details (corporate email address and telephone numbers), staff number, photograph, job title, job description,reporting lines, work history, working hours, disciplinary and grievenance information, primary work location and other terms and conditions of your employment or engagement, start date and, if different, the date of your continuous employment, leaving date and your reasons for leaving;
    • remuneration, pension and benefits data, for example, details of your pay and benefits package, compensation history, bank account details, national insurance number, payroll records and tax status information and third party benefit recipient information;
    • leave data, for example, your holiday, sickness and family related leave records and details of other absences;
    • information about your health and any work incapacity data, for example, any personal data contained in your absence records, medical forms, reports or certificates, records relating to adjustments of your work place; where you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill health, injury or disability, the records relating to that decision; any health information in relation to a claim made under the permanent health insurance scheme; or where you leave employment and the reason for leaving is related to your health, information about that condition which is needed for pension and permanent health insurance purposes;
    • health and workplace safety data, for example from audits, risk assessments and accident reports;
    • training and development data, performance appraisals, training carried out and training needs;
    • monitoring data, for example identifiable images contained in CCTV footage, system and building login and access records;
    • information on the use of business applications or equipment, for example login data, itemized bills for company phones;
    • results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied (for example if you work for a consultancy); and
    • information about your race or ethnicity, religious beliefs, sexual orientation, political opinions, trade union membership.

    Moreover, we receive information about you that might contain personal data from your managers (for example related to performance evaluations) or from time to time from your colleagues (for example within the course of an internal investigation). It is also possible that we receive personal data from a third party, for example from clients through a feedback program, training providers and trainers about your participation in training, travel service providers in the context of creating travel plans, former employers and credit reference agencies or other background check agencies. We may also collect your personal data from publicly accessible sources such as LinkedIn.

  4. Purposes of data processing

    We process your personal data for recruitment decisions, the performance of our contract with you and the termination of our contract. This will include the following purposes:

    • determining whether your engagement is deemed employment for the purposes of Chapter 10 of Part 2 of the Income Tax (Earnings and Pensions) Act 2003 (ITEPA 2003) and providing you with a status determination statement in accordance with the applicable provisions of ITEPA 2003;
    • checking you are legally entitled to work in the UK;
    • payment of your salary and provision of benefits such as bonuses;
    • identification of training and development needs;
    • performance evaluations and talent development;
    • granting access to IT systems and buildings;
    • documentation of working hours;
    • ensuring health and safety at work and report on incidents;
    • responding to any concerns that may arise in the course of your employment;
    • termination of employment; and
    • enforcement of and defense against legal claims.
  5. Legal basis for processing

    1. Performance of our contract with you:
      The legal basis to process your personal data is Article 6 (1) (b) UK GDPR, because the processing is necessary for the performance of our contract with you.

    2. Compliance with legal obligations:
      In addition, the processing of certain data will be necessary to fulfil legal obligations (Article 6 (1) (c) UK GDPR). For example, we are obliged to transmit your tax data to the tax authorities.

    3. Data processing based on our legitimate interests:
      The processing may also be necessary for our legitimate interests as a company, unless your interests or fundamental rights and freedoms prevail and override our interests (Article 6 (1) (f) GDPR).

  6. Processing of special categories of personal data and information about criminal convictions

    In addition, where we process special categories of personal data pursuant to Article 9 (1) UK GDPR (including data relating to health, sexual life, sexual orientation, racial or ethnic origin, trade union membership, political opinions or religious or philosophical beliefs), this will always be justified on the basis of an additional lawful condition.

    Such lawful conditions are fulfilled when the processing is necessary for the purposes of carrying out obligations under employment law, social security law and social protection law (Article 9 (2) (b) UK GDPR and Schedule 1 of the UK Data Protection Act 2018), for example for compliance with health and safety regulations, such as payment of statutory sick pay.

    On rare occasions, there may be other reasons for processing, such as it is necessary for reasons of substantial public interest (Article 9 (2) (g) UK GDPR and Schedule 1 of the UK Data Protection Act 2018).

    In limited circumstances, we may ask you for your written consent (Article 9 (2) (a) UK GDPR) to allow us to process particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. Please note that it is not a condition of your contract with us that you agree to any request for consent. We do not need your consent where the purpose of the processing is to protect you or another person from harm and you are unable to give consent; or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself (Article 9 (2) (c) UK GDPR and Schedule 1 of the UK Data Protection Act 2018). If we rely on your consent to process your data, you have the right to revoke this consent at any time. The revocation of consent does not affect the lawfulness of processing carried out on the basis of the consent before the revocation. Even if yourevoke your consent, we may still process your data on another legal basis, such as those stated above.

    We only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so (Article 10 UK GDPR and Section 10 and Schedule 1 of the UK Data Protection Act 2018). Where appropriate, we will collect information about criminal convictions as part of the recruitment process. We we may also be notified of such information while you are working for us.

    As further protection for special category data and data about crimincal convictions, we have an appropriate policy and other safeguards, as required by law.

  7. Automated decision making

    Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

    • Where we have notified you of the decision and given you one month to request a reconsideration.
    • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
    • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

    If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

    You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

    We do not envisage that any decisions will be taken about you using automated means. However, we will notify you in writing if this position changes.

  8. Data sharing

    We will share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

    Third parties include service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers or another entity within our group: payroll, pension administration, benefits provision and administration, and IT services.

    We will share personal data relevant to your participation in any pension scheme with the relevant pension provider.

    All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

    We will share your personal data with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.

    We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of, or investment in the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.

    We may also need to share your personal data with a regulator or to otherwise comply with the law. This may include making returns to HMRC and disclosures to shareholders such as directors' remuneration reporting requirements.

  9. Duration of storage

    We will only store your personal data to the extent and for as long as this is necessary for the purpose for which it was collected by us or made available to us by you.We therefore generally store your personal data for the duration of the employment relationship or engagement with us. Details of retention periods for different categories of your personal data are available in our Data Retention Policy.

    After termination of employment or your engagement with us, we will retain some of your personal data for a period of at least six years after the end of the calendar year in which your employment or engagement ends, as this period corresponds to the statutory limitation period and we may need the data to resolve or clarify inquiries or disputes.

    After cessation of the storage purpose or expiry of a statutory storage period, we will delete your personal data.

  10. Your rights

    Pursuant to the UK GDPR you have the following rights:

    • According to Article 15 UK GDPR you can request information about the processing of your personal data.
    • If the personal data processed by us is incorrect or incomplete, you can request that it be corrected in accordance with Article 16 UK GDPR.
    • Under the conditions of Articles 17 and 18 UK GDPR, you can request the deletion and restriction of the processing of your personal data.
    • According to Article 20 UK GDPR, you have the right to data portability in the cases mentioned therein. This means that you can receive the data in a structured, common and machine-readable format and you can also request that the data be transferred to a third party if this is technically feasible.
    • In addition, pursuant to Article 21 UK GDPR you have the right to object to the processing of personal data in cases in which we justify the processing with our legitimate interests.

    If you wish to exercise your rights, please contact the person responsible indicated above under B. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is to ensure that personal data is not disclosed to any person who has no right to receive it.

    You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO) with respect to data protection issues.

  11. Transferring information outside the UK

    The personal data we collect from or about you may be transferred to and processed and stored at destinations outside the UK (for example, the US or the EEA).

    Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring that one of the following safeguards is implemented:

    • We will only transfer your personal data to countries that have been deemed to provide adequate level of protection for personal data.
    • We may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

    If you have any questions or concerns, please contact the person responsible indicated in section B of this privacy notice.

  12. Changes to this privacy notice

    We may update this privacy notice at any time. We will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.