Purpose of the processing and the lawful basis for the processing
Categories of individuals
Categories of personal data
Recipients of the personal data
Transfers to third country and safeguards
Data retention period
WPM is the data controller for data relating to current, prospective and past employees as defined by Data Protection legislation.
In acting as an employer, WPM’s lawful bases for processing are consent and contract.
This Privacy Notice is provided with job advertisements from 25th May 2018 onwards. Individuals can choose to apply or not. Job applicants initiate contact with us and those submitting an application are providing consent for us to process their data in accordance with this Notice. If an applicant submits an application and then decides to withdraw consent, there are details of how to do so on the job application site and on our Application Form.
When an individual accepts an offer of employment, WPM issue a contract of employment which notes an individual’s consent to hold and process their data. We use employee details to manage contracts of employment and to pay employees in accordance with such contracts. WPM will also periodically remind employees of the data which we hold to enable them to check that the data is accurate, up-to-date and to refresh consent.
As an employer we receive, process and hold personal information about our current, prospective and past employees.
As an employer we receive, process and hold data about job applicants and employees, which includes: name, contact details, date of birth, gender, employment status, job title, pay, bank details, next-of-kin name and contact details, attendance records, performance data, and any documents relating to the provisions of our Staff Handbook or contract of employment. We hold pictures of some employees for use on our public website.
We also arrange for background checks to be undertaken on individuals to whom we offer employment and periodically on current employees. This involves the individual submitting their details to the back-check firm. The reports which we receive back include: name, any other known names, date of birth, maiden name where applicable, current address, and the result of the check on right to work, basic criminal disclosure, credit history, and any sanctions.
In order to comply with the Fair Employment & Treatment (Northern Ireland) Order 1998 and the Fair Employment (Monitoring) Regulations (Northern Ireland) 1999, we collect information on religious belief, political opinion, sex, gender, race, age, sexual orientation, marital or partnership status, and community background of job applicants and employees. This information is anonymised and does not contain the individual’s name.
WPM share data about job applicants and employees with the following parties:
- Job Centre/Recruitment firms – information about interview attendance by job applicants, dates of employment for unemployment benefit claims.
- HMRC – for income tax purposes. For new employees: name, address, date of birth, gender, national insurance number, start date, tax code. Monthly updates include leaving dates.
- WPM’s I.T. system supplier – employee name to enable creation of system user account.
- WPM’s clients – in the course of representing WPM to provide a service to our clients, they will receive details of your name, job title and work contact details. Clients also conduct regular audits of WPM which may involve evidencing the existence of pre-employment screening reports, employment contracts and training records.
- Insolvency Practitioners (and other firms in the industry) – in the course of representing WPM to provide our service, firms which we interact with will receive details of your name, job title and work contact details.
- Online task management system providers (eg Trello) and online training platform providers (eg Bob’s Business) – for current employees: name and job title.
- Pension provider – data about employees sufficient to arrange our workplace pension: name, address, age, salary, national insurance number.
- Insurance providers (the provider of WPM’s Critical Illness insurance, Death In Service insurance, and Private Medical Insurance) – for permanent employees: name, address, age, salary, job title.
- Accountants/Auditors – to complete financial audit, data submitted monthly and annually includes employee data: name, salary, national insurance number, PAYE, NI contributions, pension contributions.
- Website creator – our website contains photos and brief biographies of some employees.
- Invest NI – in the event of applications for funding assistance, which may include details of employees involved in the project: name, salary, job title, national insurance number.
- HR consultants – in the event that WPM wish to have counsel or assistance on personnel/HR matters, which may relate to a particular individual.
- Fair Employment Commission for Northern Ireland – WPM only provide anonymised statistical data as required to comply with the Fair Employment & Treatment (Northern Ireland) Order 1998 and the Fair Employment (Monitoring) Regulations (Northern Ireland) 1999.
The UK left the EU on 31 January 2020 and entered a transition period, which ended on 31 December 2020.
Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.
There are transitional arrangements which aim to smooth the transition to the new UK regime.
First, there are provisions which permit the transfer of personal data from the UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. This is to be kept under review by the UK Government.
The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are now known as ‘adequacy regulations’.
The EEA consists of the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
As the Financial Conduct Authority (FCA) requires us to keep most records for at least 5 years, we will retain employee data (see ‘Categories of personal data’ above) for 6 years after the termination of the employment. For job applicants who we do not employ, we will retain their data for 6 months.
The right to be informed – you have the right to be informed and we have provided this Privacy Notice to provide you with the relevant information.
The right of access – Individuals have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information (most of which is contained in this Privacy Notice).
If you would like a permanent copy of the data which you believe that we hold on you, then a Subject Access Request (SAR) can be made in writing either by hardcopy or email. If we refuse your request, we will tell you why and you will have the right to complain to the Information Commissioner’s Office and to take court action if deemed necessary.
The right to rectification – You have the right to obtain from us, without undue delay, the rectification of inaccurate or incomplete personal data we hold concerning you. It is your responsibility (as the employee/job applicant) to provide us (the employer and data controller) with details of any changes to the details which we hold for you, eg change of address. We shall communicate any rectification of data as described above to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.
The right to erasure (also known as the ‘right to be forgotten’) – You have the right to request the deletion or removal of personal data without undue delay, where there is no compelling reason for its continued processing. This does not provide an absolute ‘right to be forgotten’. We only process and hold data in line with the legal bases noted above, and in order to comply with the Financial Conduct Authority’s Record Keeping requirements we retain the data for a minimum of 5 years following the termination of employment. To exercise this right (eg where we have held your data for over 5 years, but have not yet deleted it at 6+ years – see ‘Data retention period’ above), you can request that we delete your personal data.
The right to restrict processing – Individuals have the right to ‘block’ or suppress processing of personal data. Subject to exemptions, you have the right to obtain from us restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by you, and processing is restricted until the accuracy of the data has been verified;
- the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction in its use;
- we no longer need the personal data for the purposes of processing, but it is required by you for the establishment, exercise or defence of legal claims;
- you have objected to the processing of your personal data pending the verification of whether there are legitimate grounds for us to override these objections.
If processing is restricted, we are permitted to store the personal data, but not further process it. If you choose to request that we restrict processing, you should be aware that this may make it difficult to process pay. We shall communicate any restriction of processing as described above to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.
The right to data portability – The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
The data that we hold can be made available in portable form if requested.
The right to object – You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
WPM process data based on contract and consent, and do not perform the activities listed above.
The rights related to automated decision making including profiling – Individuals have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces a legal effect or a similarly significant effect on the individual.
WPM do not currently conduct any automated decision making.
Invoking your rights
If you would like to invoke any of the above data subject rights, please contact our Practice Manager, at Watch Portfolio Management, Units 3 & 4, Lagan House, Sackville Street, Lisburn, BT27 4AB. Job applicants can email email@example.com. Employees can email our Practice Manager directly.
Questions and Queries
If you have any questions or queries which are not answered by this Privacy Notice, or have any concerns about how we may use your personal data, please write to our Director of Operations & Compliance, at Watch Portfolio Management, Units 3 & 4, Lagan House, Sackville Street, Lisburn, BT27 4AB, or phone 028 9260 0700, or by email.
Further information on your data privacy rights is available on the website of the Information Commissioner’s Office https://ico.org.uk