1 About this policy

Azets is committed to respecting and protecting your privacy. This policy is a statement of how we process your personal data in compliance with data protection legislation. When we process personal data in the United Kingdom we do so in compliance with the Data Protection Act 2018 and the UK GDPR. When we process personal data in the European Economic Area we do so in compliance with the EU GDPR. It is important to note that some countries impose different legal obligations on employers in employment legislation and wherever possible these variations are shown as footnotes.

Where we refer to “you” or “your”, we are referring to you as an employee (current or former) or an consultant of Azets.

Where we refer to “we”, “our” or “us”, we are referring to the Azets company that employs you. The company that employs you is the controller of your personal data. A list of employing companies in the Azets group is contained here. It provides the postal address and Data Protection Officer/Manager contact details to use if you have any questions about this policy or how we process your personal data.

This privacy policy applies to personal data we have already collected or will collect about our employees, workers and consultants. This privacy policy does not form part of any contract of employment or other contract to provide services and we may update this privacy policy at any time and we will inform you of any significant update. Nothing in this notice is intended to create an employment relationship between us and any non-employee providing services to us.

This policy describes:

who to contact if you have any queries relating to your personal data;
what personal data we process about you, where we collect it from, how we collect it and why we collect it;
where your personal data is held;
who has access to your personal data and who we may share it with;
the extent to which we may transfer personal data outside the country in which you work;
the extent to which we may use personal data to carry out any automated decision making with a legal or similarly significant effect upon you; and
what rights you have in relation to your personal data and how to exercise them.

It is important that you read this policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information.

2 Contacting us

Our Data Protection Officers and Data Protection Managers oversee our compliance with data protection legislation. If you have any queries relating to your personal data, please contact the relevant Data Protection Officer or Data Protection Manager here.

You can either send an email to the relevant email address or write for the attention of the Data Protection Officer or Data Protection Manager at the relevant postal address.

3 What personal data we process and why

(The lawful basis for this processing is described in Appendix B)

Information related to your employment

We use the following personal data to carry out the contract we have (or had) with you, provide you access to business services required for your role and manage our human resources processes:

Employee or candidate ID;
Contact details including your name, address, telephone numbers (landline and mobile) and personal email address;
Job title;
date and place of birth,
gender;
marital status;
national identification number or any other identifier of general application;
copy of your passport or similar photographic identification and/or proof of address;
visa details, visa sponsorship details and “right to work” documents for foreign nationals, if required by national legislation. These may include biometric residence permits if required by national legislation;
next of kin, emergency contacts and their contact information;
current and previous employment details;
education history including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements;
other personal data that you choose to provide to us and is pertinent to your application for employment in a particular role (we do not retain information you provide that is not pertinent);
you may (optionally) declare your fluency in foreign languages by recording such skills in the Learning and Development system (Azets Reach). If you choose to do so it will be visible to all your colleagues and it may result in you being approached for assistance with foreign language matters;
employment references;
right to work information (as appropriate for the country in which you work);
conflict of interest declarations;
details of any criminal convictions (only if we have a legal or regulatory obligation to verify this for certain roles);
your responses to internal surveys related to work as provided by you at your choice, if this data is not anonymised;
information connected with anything that may affect your continuing employment or the terms on which you work, including any proposal to promote you, to change your pay or benefits, to change your working arrangements or to end your employment;
correspondence with us.

Information related to your salary, pension and loans

We process this information for the payment of your salary, income tax, pension and other employment related benefits. We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity/paternity leave:

your carried forward income, tax deductions and student loan deductions (if applicable), tax reference and tax code that you provide to us concerning previous employment, when you first become an employee[1];
Salary (including grade and salary band) and (if applicable) bonus levels;
information about your job role and your employment contract including: your start and leave dates, any changes to your employment contract, working pattern (including any requests for flexible working);
details of your time spent working and any overtime, expenses or other payments claimed including details of any loans such as for travel season tickets;
bank account information, payroll records and tax status information;
pension details including membership of both state and occupational pension schemes (current and previous);
information on any leave, number of days on vacation, sick absence (including some limited special category data regarding your physical and/or mental health included in different documents that you provide to us to gain access to medical services and to benefit from payment during the time period you could not work, e.g. a sick leave) or sabbaticals, and the reason for the leave;
details relating to maternity, paternity, shared parental and adoption leave and pay. This includes forms applying for the relevant leave, copies of government mandated forms and matching certificates^[2] and any other relevant documentation relating to the nature of the leave you will be taking;
details in references and mortgage applications about you that we receive from you and give to others at your express request;
trade union membership for the purpose of the deduction of subscriptions directly from salary;
if you are provided with a company vehicle: a copy of your driving licence showing driving offence convictions and disqualifications, vehicle registration documents, vehicle roadworthiness certificates[3], reported accidents, reported damage or mechanical problems, records of servicing, mileage and repairs, records of road fund renewal schedule, completed driving licence summaries[4] and Insurance certificates;
In some countries, employees are allowed to use their own car for company business, in some countries this is not allowed. If it is allowed and you use your own car for company business we have a legal obligation to verify documents that you provide to ensure that you have a valid driving licence and a valid certificate of insurance with cover for business journeys.

Information relating to day-to-day business operations including client relations and travel on our behalf

We use the following to manage our relationships with clients and the interaction you have with them:

Information relating to the work you do for us, your role and contact details including relations with current or potential clients;
information regarding your travel arrangements and location. Such records will include hotel, train, flight and other reservations and records of travel expenses reclaimed;
We may wish to display your name and photograph on our web site(s). However, we will only do this with your consent for copyright purposes and to satisfy any concerns should you be in a witness protection programme or under the protection of an exclusion order.

Information related to your performance and training

We use this information to assess your performance, conduct pay and grading reviews and to deal with any employer/employee related disputes. We also use it to meet the talent development needs required for your role:

Information relating to your performance at work including probation reviews, appraisals, performance reviews and ratings, performance improvement plans and related correspondence including 90-day reviews, 1-1s, and learning plans;
The results of any psychometric tests you undertake. Such tests are used in the recruitment process and as part of subsequent career development to evaluate performance. Such tests reveal: skills, knowledge, abilities, personality traits, attitudes and job potential;
management information regarding you, including notes of meetings or appraisal records, including information you or our managers enter onto our training or appraisal platforms;
information relating to your compliance with our policies;
information relating to your compliance with our regulatory obligations;
information in applications you make for other positions within the Azets group of companies or in relation to succession planning and promotion;
grievance and dignity at work matters and investigations to which you may be a party or a witness;
disciplinary records and documentation relating to any investigations, hearings and warnings/penalties issued;
information relating to your training history and development needs (Continuous Professional Development).

Information relating to monitoring

All of our IT systems and building access systems create auditable logs which can be reviewed, although we don’t do so routinely. We are committed to respecting your reasonable expectations of privacy concerning the use of our buildings, IT systems and equipment. However, we reserve the right to log and monitor such use in line with our Acceptable Use Policy. We use this information to assess your compliance with company policies and procedures and to ensure the security of our client’s data, our premises, our IT systems and our employees. Such data includes:

Your IT account and directory information;
records of your access and egress of our premises collected by manual forms, swipe cards or similar business access control systems;
records of your usage of our systems including computers, telephones and other devices (we never record the content of telephone conversations, only usage patterns of the equipment);
usage information gathered by systems that help prevent security incidents;
information derived from monitoring our IT acceptable use standards;
photographs and CCTV images;
details of your use of Azets business-related social media accounts and pages used for promoting Azets, such as LinkedIn®, Facebook®, Twitter® or other apps;
if a security incident occurs, we will investigate the incident. The information gathered can be used within the context of a disciplinary procedure.

Information relating to your health and wellbeing

We use the following information to comply with our legal obligations. We also use it to ensure the health, safety and wellbeing of our employees:

Health and wellbeing information provided by you or included in different documents that you provide to us to gain access to medical services and to benefit from payment during the time you could not work, e.g. a sick leave;
accident records if you have an accident at work;
details of any desk audits, access needs or reasonable adjustments.

Information relating to monitoring of diversity and equal opportunities

In some countries, but not all, we have a legal obligation to monitor diversity in the workplace and to provide equality of opportunity. If - and only if - such a legal obligation applies we will process:

Information you have provided to us regarding racial and ethnic origin, religious beliefs, disability status, age and gender identification. Such data will be aggregated and used only for monitoring equality of opportunity and diversity in the workplace.

Information relating to disputes and legal proceedings

We use the following to protect our business in the event of disputes or legal proceedings:

Any information relevant or potentially relevant to a dispute or legal proceeding affecting us.

Information relating to trade union check off arrangements and Works Council administration

We use the following information to regulate our relationship with trades unions and workers councils (if applicable):

Details of trade union membership and deductions of contributions made at source;
information relating to workers council participation, including any communication you send to us if acting for the workers council (if applicable).

[1] Known as P45 details in the UK.

[2] Form MATB1 in the UK.

[3] MOT certificates in the UK.

[4] Form D906 in the UK.

4 Where we collect your information from

We initially collect personal data about employees, workers and consultants through the application and recruitment process, either directly from candidates or sometimes from an employment agency. We will also collect additional personal data in the course of your application for employment and, should you be successful, from job-related activities throughout the period of your employment.

5 How we collect the information

We collect information about you in a variety of ways, including from:

Personal data you have provided in our online job application systems (such as TalentLink, EasyCruit or similar systems);
employment application forms and Curriculum Vitae (CV);
passports and other identity documents;
references supplied by former employers;
information from employment background check providers used to check the veracity of your declared educational and professional qualifications;
information from criminal records checks permitted by law (but only when we have a legal or regulatory obligation to perform such checks for certain roles);
forms completed by you at the start of, or during, your employment;
forms completed in the course of registering you with relevant regulatory bodies;
central government departments;
pension administrators;
insurance administrators;
your doctors and from medical and occupational health professionals if permitted by law;
our benefits providers;
our training providers;
your trade union (if applicable);
other professionals we may engage e.g. solicitors who advise us generally and/or in relation to any grievance, for example in relation to performance related matters;
automated monitoring of your usage of our websites and other technical systems, such as our computer networks and connections, communications systems, remote access systems, email and instant messaging systems, intranet and Internet facilities, data loss prevention systems and firewalls;
CCTV recording systems (our own or our landlords’).

6 Why we collect the information and how we use it

We collect and use this information for the following purposes:

for the performance of a contract with you, or to take steps to enter into a contract;
ensuring that we comply with ethical standards[1];
ensuring that we comply with the requirements of our regulators;
for compliance with a legal obligation, for example, our obligations to you as your employer under employment protection and health and safety legislation, unlawful discrimination legislation and under statutory codes of practice[2];
for compliance with our legal obligation to maintain records that you have a right to work in the country of your employment;
to further our legitimate interests. We have a legitimate interest in processing your personal data during our employment relationship. Processing employee data allows us to:
run recruitment and promotion processes;
ensure effective Human Resource and business administration;
maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employees’ contractual and statutory rights;
operate and keep a record of disciplinary and grievance processes;
ensure acceptable conduct within the workplace;
operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
obtain advice to ensure that we comply with our legal obligations of protecting individuals and respecting their rights, such as occupational health advice;
provide references at your request or with your consent;
keep you informed, for example we may on occasions send company information, business correspondence, training materials or documents concerning your employment or benefits to your home address;
provide you with equipment, for example we may on occasions send office furniture, telephones or IT equipment to your home address;
provide you with a gift sent to your home address, this may be something you have earned under a company reward scheme or may be gratuitous, such as a Christmas present;
respond to and defend against legal claims.

In general, processing of your personal data in connection with employment is not conditional on your consent. To the extent that we are interested in processing other personal data for which we need your consent, we will ask it from you directly and will inform you about this processing. If you have given your consent to processing of personal data, you have the right to withdraw your consent at any time, without affecting in any way our employment relationship or the lawfulness of the processing carried out on the basis of your consent given before your withdrawal. You can change or withdraw your consent at any time by sending an email to your local Data Protection Officer or Data Protection Manager (as shown in the list here). We will act immediately accordingly, unless there is a legal basis for not doing so.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any substantial changes to information we collect or to the purposes for which we collect and process it.

For some of your personal data you will have a legal, contractual or regulatory obligation to provide us with your personal data.

7 Who has access to your data?

Your personal data will be processed by managers, HR staff and administrative staff in the Azets group of companies. Those staff, including your line manager, may not be employed by the same company as you, but may be employed by another company in the Azets group.

In general, access to your personal data is restricted to those who need to access it to carry out their duties for example, but not limited to, your management, HR (including local HR teams), Payroll, Talent Development, Compliance and the senior management team.

All companies in the Azets group of companies are bound by a Data Sharing Agreement which commits them to share personal data, when it is necessary, in a secure and lawful manner that respects the rights and freedoms of data subjects.

We have a legitimate interest to operate efficient administration systems and some of these systems are provided by other group companies, so for example:

Your payroll may be processed by a different Azets company to the one that employs you;
Your email platform may be administered by a different Azets company to the one that employs you;
Provision of IT services may be administered by a different Azets company to the one that employs you.

8 Persons with whom we may share your data or disclose information to

We will only disclose your personal data outside the Azets group of companies and our ultimate parent company if disclosure is consistent with a lawful basis for processing upon which we rely, doing so complies with data protection legislation and is fair to you.

We will disclose your personal data if it is necessary for our legitimate interests as an organisation or the interests of a third party (but we will not do this if these interests are overridden by your interests and rights). Where necessary we will also disclose your personal data:

if you consent;
where we are required to do so by law;
if we reasonably believe we have a duty to report professional misconduct to a regulator[1]; or
in connection with criminal or regulatory investigations.

Specific circumstances in which your personal data may be disclosed include to:

other companies in the Azets group of companies or our ultimate parent company;
any party approved by you;
law enforcement agencies or where required by applicable laws, pursuant to court orders, or arbitral or tribunal orders or rules of procedure, or to government regulations departments or agencies or regulatory bodies (including disclosure to tax and employment authorities), employment and any other regulatory bodies;
the relevant Supervisory Authority responsible for regulating data protection legislation;
any of the accountancy profession and financial services regulators by whom we are regulated;
our professional advisers, for example to our lawyers, for the purpose of seeking legal advice or to further our interests in legal proceedings;
our accountants for auditing purposes;
our insurers, legal advisers or other third parties who need access to personal data in the context of managing, investigating or defending claims or complaints;
in the UK only and if you are a foreign national, we have a legal obligation to inform the UK Border Agency (UKBA) and provide your contact details if we have suspicions that you are in breach of your right to work in the UK. This includes: if you do not arrive for your first day at work, if you are absent without permission for more than ten days, or we have suspicions that you are involved in terrorism or any other criminal activity;
external organisations (processors) that process your data on our behalf. Where we engage external organisations, or other entities in the Azets group of companies, to process personal data on our behalf they do so on the basis of written instructions in a legally binding contract and are obliged to implement appropriate technical and organisation measures to ensure the confidentiality and security of your data in compliance with data protection legislation;
any potential purchaser of Azets or one of its subsidiaries or parent companies for which you work, or partially work – but only if we were to contemplate selling. If this were to occur, such sharing of personal data would be governed by a legally binding contract in full compliance with data protection legislation.

All recipients of shared personal data are bound by contract to process personal data in compliance with data protection legislation, particularly with respect to security and confidentiality.

9 Where your personal data is held

Personal data about you may be held at our offices, on our systems and servers and those of our service providers and partners where information has been shared as described above. Personal data is securely stored and managed in compliance with data protection legislation, particularly with respect to security and confidentiality.

10 Transferring your personal data internationally

We will neither transfer nor process personal data outside the country in which your employer is based, nor will we permit personal data to be so transferred or processed by a processor or controller, unless it is under one or more of the following conditions:

the territory into which the data are being transferred has an adequacy decision issued by the European Commission (under EU GDPR) or an adequacy regulation made under DPA2018 section 17A by the Secretary of State (under UK GDPR);
the transfer is made under the unaltered terms of the standard contractual clauses issued by the European Commission (under EU GDPR) or the Secretary of State (under UK GDPR);
the transfer is made under the provision of binding corporate rules which have been approved and certified by the European Commission (under EU GDPR) or the Information Commissioner (under UK GDPR);
the transfer is made in accordance with one of the exemptions set out in GDPR Article 49.

11 How long we keep your personal data for

We keep your personal data during and after your employment, for no longer than is necessary for the purposes for which the personal data is processed. After employment ceases we retain only the information necessary to satisfy legal obligations and to administer any pension commitments we may have. Please see Appendix A of this policy for how long we retain your data.

The duration for which we retain your personal data will differ depending on the type of information and the reason why we collected it from you. It also differs depending upon the national employment legislation of certain countries. However, in some cases personal data may be retained on a long-term basis, for example, personal data that we need to retain because of a legal or regulatory obligation. Such exceptions include:

information that may be relevant to personal injury claims or employment claims. Discrimination claims may be retained until the limitation period for those types of claims has expired. For personal injury or discrimination claims this can be an extended period as the limitation period might not start to run until a long time after you have worked for us;
information that may be required by a pension provider or benefit provider which we may retain for the period that your pension or benefit is payable.

If we reasonably anticipate litigation, we may issue a “Litigation Hold” (also known as a legal hold, document hold, hold order, or preservation order) which affects your personal data[2]. This is an instruction directing employees to preserve, and refrain from destroying or modifying, certain records and information (both paper and electronic) that may be relevant to the subject matter of a pending or anticipated litigation or government or regulatory investigation. If we reasonably expect litigation or a government investigation, we have a common law duty to prevent spoliation of evidence. This would have the effect of suspending the normal disposition or processing of records, such as backup tape recycling, archived media and other storage and management of documents and information. The documents to be preserved include electronic documents which would otherwise be deleted in accordance with our retention policy or otherwise deleted in the ordinary course of business.

12 Our obligation for data accuracy

We have an obligation to ensure that the personal data we hold about you is accurate and up-to-date and we use our best endeavours to ensure its accuracy. But to do this we require your cooperation and assistance. Please let your HR team know if anything changes, for example if you move home or change your phone number or personal email address.

13 Automated decision making

We do not use personal data to carry out any automated decision making that could have a legal or similarly significant effect upon you.

14 Your rights in relation to personal data

We try to be as open as we reasonably can about the personal data that we process. If would like specific information, please ask.

You have the following legal rights concerning your personal data:

Right of access	You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data.
Right to rectification	You have the right to oblige us to rectify inaccurate personal data concerning you. Considering the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement.
Right to erasure (right to be forgotten)	You have the right (under certain circumstances, but not all) to oblige us to erase personal data concerning you.
Right to restriction of processing	You have the right (under certain circumstances, but not all) to oblige us to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you.
Right to data portability	You have the right (under certain circumstances, but not all) to oblige us to provide you with the personal data about you which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to oblige us to transmit those data to another controller.
Right to withdraw consent	If the lawful basis for processing is consent, you have the right to withdraw that consent.
Right to object to direct marketing	Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing.
Rights in relation to automated decision making and profiling	We do not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.

If you would like to exercise any of these rights, please contact the Data Protection Officer or Data Protection Manager using the email addresses at the top of this notice.

If you are not satisfied with the response you receive, you have the right to lodge a complaint with your national Supervisory Authority. Contact details for the relevant Supervisory Authority for the country in which you work are shown in the table below.

Employed in	Supervisory authority
United Kingdom	Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF United Kingdom (t) 0303 123 1113 (e) casework@ico.org.uk
Norway	Datatilsynet / The Norwegian Data Protection Authority Postboks 458 Sentrum 0105 Oslo Norway (t) +47 22 39 69 00 (e) postkasse@datatilsynet.no
Romania	Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal / The National Supervisory Authority for Personal Data Processing B-dul G-ral. Gheorghe Magheru 28-30 Sector 1, cod postal 010336 Bucuresti Romania (t) +40.318.059.211 (t) +40.318.059.212 (e) anspdcp@dataprotection.ro
Sweden	Integritetsskydds myndigheten (IMY) / Swedish Authority for Privacy Protection (IMY) Box 8114 10420 Stockholm Sweden (t) 08-657 61 00 (e ) imy@imy.se
Finland	Tietosuojavaltuutetun Toimisto / Office of the Data Protection Ombudsman P.O. Box 800 00531 Helsinki Finland (t) +358 (0)29 566 6700 (e) tietosuoja@om.fi
Estonia	Andmekaitse Inspektsioon / Republic of Estonia Data Protection Inspectorate 39 Tatari St. 010134 Tallinn Estonia (t) (+372) 627 4135 (e) info@aki.ee
Denmark	Datatilsynet / The Danish Data Protection Agency Carl Jacobsens Vej 35 2500 Valby Denmark (t) 33 19 32 00 (e) dt@datatilsynet.dk

15 Status of this notice

This notice does not form part of your contract of employment and does not create any contractual rights or obligations. Nothing in this notice is intended to create an employment relationship between us and any non-employee providing services to us.

This Privacy Notice, along with other Azets policies shall form our policy for processing Special Category Personal Data[3].

16 Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will inform you if we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

Version 20220303

Dated: 18 July 2022

APPENDIX A – Data Retention Schedule

The period for which we will retain your personal data is dictated partly by national employment legislation. The table below shows the retention period depending upon the country where your employer is based.

Type of data	UK	Norway	Romania	Sweden	Finland	Estonia	Denmark
Job applications, CVs and interview records of unsuccessful applicants	12 months	12 months	12 months	12 months	12 months	N/A	6 months
Personnel and training records (including references, appraisals, grievance procedures and disciplinary matters)	7 years after employment ceases	5 years after employment ceases	75 years (except appraisals which are kept for 3 years)	During the employment relationship	10 years	10 years after employment ceases, 50 years after employment ceases for contracts started before 2009.	5 years after employment ceases
“Right to work” documentation	One year after the foreign employee has ceased working for the company, or until the national border enforcement agency[1] has examined and approved the documentation, whichever is the longer period.
Contracts of employment and changes to terms and conditions	7 years after employment ceases	5 years after employment ceases	75 years as part of the employment records	Permanent	10 years after employment ceases.	10 years after employment ceases, 50 years after employment ceases for contracts started before 2009.	5 years after employment ceases
Payroll	7 years after employment ceases	5 years after fiscal year end	50 years	Permanent	6 years after employment ceases or fiscal year ends, “Payroll card” 50 years.	7 years after fiscal year end.	Current calendar year + 5 year after employment ceases
Income tax	7 years after employment ceases	5 years after fiscal year end	50 years	Permanent	6 years after employment ceases or fiscal year ends.	7 years after fiscal year end.	Current calendar year + 5 years after employment ceases
Reportable accident, death or injury in connection with work.	Permanently	NA	75 years as part of the employment records	Permanent (+10 years after death of person involved	10 years	55 years	Permanently
Criminal Record Checks	Deleted following recruitment process unless relevant to ongoing employment relationship.	NA	75 years as part of the employment records	NA	NA	NA	Presented upon employment, not stored by Azets
Collective and workforce agreements that could affect current employees	Permanently	Permanently	Permanently	NA	Permanently	NA	NA
CCTV Images	30 days	30 days	30 days	NA	2 weeks	NA	30 days

APPENDIX B– Lawful Basis for Processing your Personal Data

Personal Data

Depending on the processing activity, we rely on the following lawful bases for processing your personal data under the UK GDPR or EU GDPR (whichever applies to your country of employment) and other relevant national data protection legislation:

Article 6(1)(b) processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Article 6(1)(c) so we can comply with our legal obligations as your employer.
Article 6(1)(f) for the purposes of our legitimate interest.
Article 6(1)(a) consent under certain specific circumstances.

Special category data

Where the information we process is special category data, for example your health data, the additional lawful bases for processing that we rely on are[2]:

Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.
Article 9(2)(f) for the establishment, exercise or defence of legal claims.

Criminal convictions and offences

If we process information about workers’ criminal convictions and offences the lawful bases we rely on to process this data are:

Article 6(1)(b) for the performance of a contract[3].

[1] The UK Border Agency (UKBA) in the United Kingdom.

[2] In the UK we also rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee

[3] In the UK we also rely on the processing condition at Schedule 1 part 1 paragraph 1 of the Data Protection Act 2018.

[1] For example, in accordance with ICAEW guidance in the UK, “Guidance on the duty to report misconduct”, effective from 1 October 2020.

[2] In the UK this is to comply with Practice Direction 31B

[3] as required in the UK by the UK Data Protection Act 2018, Schedule 1, Part IV (“the appropriate policy document”)

Business Accounting

Advisory

Audit & Assurance

Business Services

International Services

Payroll

Strategic Partnerships

Tax

Wealth Management

Services