Employee, Worker & Contractor Privacy Notice
Xcede Group Ltd (“Xcede Group”, “we”, “us”, “our”) is committed to protecting the privacy and security of the personal data we collect from employees, workers, and contractors (“you/your”). We are further committed to ensuring we meet our legal obligations when processing your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The purpose of this privacy notice is to explain what personal data we collect about you and how we use it during and after your working relationship with us. We are a company registered in England and Wales under registration number 11996176 and we have our registered office at First Floor, 3-8 Carburton Street, London, England, W1W 5AJ. We are the controller of the personal data we collect, and we are registered with the Information Commissioner’s Office (ICO) under registration number ZB302951.
This privacy notice applies to all current and former Xcede Group employees, workers and contractors employed or engaged by Xcede Group. This notice does not form part of any contract of employment or other contract to provide services.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions, when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
We update this privacy notice from time to time in response to changes in applicable laws and regulations and to our processing practices. When changes are made, we will amend the date at the top of this document.
Personal data means any information relating to an identified or identifiable individual. It does not include data where all identifiable information has been removed (anonymous data). There is also another type of personal data called ‘special category personal data’ which is a more sensitive type of personal data and requires a higher level of protection. (See section below for more details).
We collect personal data from you and process it because we need to do this for the purposes of our employment relationship. Some of the information will be collected during the recruitment process. We may also collect your personal data from third parties including former employers (for reference purposes) and background screening providers. We also collect and generate additional personal data throughout the period you work for us. We do not collect anything you would not expect us to collect, and we will not collect any personal data we do not need.
The categories of personal data we may collect and process about you include:
Your personal contact details, next of kin and emergency contact information
Date of birth, gender, marital status and number of dependents
National insurance number, bank account details, payroll records and tax status information
Start date, salary, place of work, annual leave, pension, and benefits information
Copies of your passport and/or other identity card / photographs
Employment record including qualifications, skills, experience, job titles, work history, working hours, attendance, training records and professional memberships
Compensation history, including entitlement to benefits such as pensions or insurance cover
Performance information, disciplinary and grievance information
Information about your use of our information systems and IT
Images recorded using security CCTV
Health information (if required, please see Special Category personal data below)
We may also collect, store, and use special category personal information which is a more sensitive type of personal data. The special category personal data we may collect includes information about your physical or mental health, or disability status. For example, we may collect information about your health and medical conditions for health and safety purposes, in order to make necessary adjustments to your work environment. We may also ask you for equal opportunities and diversity monitoring information, but you do not need to provide this if you do not wish to do so. It is not mandatory.
How we collect your personal data
Xcede Group collects your personal information in a variety of ways. For example, we would have collected your personal information directly from you as part of the recruitment process and you would have provided this to us via your CV, application form and correspondence and through interviews, meetings or other assessments. We will also continue to collect personal information about you during the course of your employment.
Xcede Group may have also collected personal data about you from third parties, such as references supplied by your former employers and pre-employment screening checks, but this is only carried out with your consent.
We will only use your personal data when the law allows. Most commonly, we will use your personal information in the following circumstances:
Where it is necessary for the purposes of the employment contract into which we have entered
Where we need to comply with a legal obligation
Where it is in our legitimate interests (or those of a third party) to do so
We may also use your data in the following situations, which are likely to be rare:
With your consent
Where we need to protect your vital interests (or someone else’s)
Where it is needed in the public interest
During and after the end of the employment relationship, we may use your personal data for the following purposes and on the following lawful bases:
Lawful Basis for Processing
To manage, administer and maintain our employment relationship, which includes:
We process this personal data in the performance of the contract of employment between us and to fulfil our legal obligations.
It is in our legitimate interests to manage your performance at work and provide personal development and training opportunities.
When processing your special category data, we do so under our obligations and responsibilities as your employer. In some circumstances we may also process this data with your explicit consent, or in your vital interests if you are unable to give consent.
Emergency health and welfare reporting to emergency services, next of kin and other interested parties
We may also process health and welfare data for our own internal purposes, such as ensuring your health and safety in the workplace, including monitoring the health of our employees to ensure our offices are a safe environment to work in.
To meet our legal obligations (to make reasonable adjustments to your workplace) and to protect your vital interests, it is necessary that we process the personal information of both you and your next of kin, in case of emergency.
When processing your special category data, we do so under our obligations and responsibilities as your employer.
We may also process your special category data for the purposes of public health. When we do so we ensure that any individual handling this data is bound by a duty of confidentiality.
For the purposes of business management and planning, which includes, but is not limited to:
It is in our legitimate interests that we process this personal data to identify areas for improving staff retention, develop new products and services and manage the business.
To manage, administer and maintain our employment relationship, which includes:
It is in our legitimate interests before, during, and after the end of the employment relationship, to process this employee data.
We may also process this personal data in the performance of the contract of employment between us and to fulfil our legal obligations.
When processing your special category data, we do so under our obligations and responsibilities as your employer.
Conditions for processing special category personal data
We will only process the “special categories” of more sensitive personal data where we meet one of the conditions required by law for doing so. This includes complying with legal obligations or exercising specific rights in the field of employment law. We may also ask for your explicit consent to process some special categories of personal data, but this is extremely rare.
We process special categories of personal data when we collect or process information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
Your data will be shared internally with members of the HR and payroll teams, your line manager, other managers of the business and IT staff. Only that information which is necessary to enable us to fulfil our duties is shared.
Third parties with whom we might share your personal data
We share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. This may include our third-party service providers for reasons including HR management, payroll, auditing, and IT services support.
Obligations on third parties with whom we share your personal data
All Xcede Group third-party service providers with whom we share your personal data are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Your personal data may be shared within the Xcede Group. This may include transferring your personal data to South Africa.
We may also share your personal data with third party service providers located in a third country outside the UK where the data protection laws are not equivalent to those within the UK. If we do so, we will use Standard Contractual Clauses and supplementary measures, approved by the UK ICO or European Commission, which contractually oblige the entities in those countries to operate to the data protection standards expected within the UK.
In such cases, our service providers and suppliers are data processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the data processing contract between us.
Xcede Group takes the security of your data seriously. We have implemented appropriate technical and organisational measures to safeguard your personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure or access.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of the data.
We only retain your personal data for as long as is necessary to fulfil the purposes for which we collected it, including satisfying any legal, accounting, or reporting requirements. Details of retention periods applicable to employee, consultant and contractor personal data are set out in our Data Retention & Destruction Policy and Schedule.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company, we will retain and securely destroy your personal information in accordance with our Data Retention & Destruction Policy and Schedule.
You have certain rights in relation to the processing of your personal data, including to:
Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.
Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal data to another party (data portability).
Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis or legal requirement for doing so.
How to exercise your rights
If you wish to exercise your rights, please email email@example.com
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity before we can process a request from you to exercise any of the above rights. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
How to complain
As an employee in the UK you have the right to lodge a complaint with the relevant supervisory authority, if you believe we are infringing the data protection laws or you are concerned about the way in which we are handling your personal data.
The supervisory authority in the UK is the Information Commissioner’s Office, which can be contacted online via the ICO’s “Contact us” page or by telephone on 0303 123 1113.
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your working relationship with us.
You have obligations under your employment contract to provide us with your personal data. You are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, may be required to enable Xcede Group to enter into a contract of employment with you and pay you. If you do not provide the required information this will hinder or prevent us from administering the rights and obligations arising as a result of the employment relationship.
We do not make employment decisions based solely on automated decision-making.
You can contact us in relation to this privacy notice by emailing firstname.lastname@example.org