Privacy Policy for Employees
December 2024
Oak Wills Limited is committed to protecting the individual privacy rights and choices of all our employees and the personal information you share with us.
Our Privacy Notice contains important information about the types of personal information we collect and process; what we do with it; who we may share it with and why; and your rights when it comes to the personal information you provide us with. We may need to make changes to our Privacy Notice in line with regulatory requirements and will let you know if we do so.
1. Who we are
When we say we, us or our in this privacy notice, we mean Oak Wills Limited, a company incorporated and registered in England and Wales with company number 15892785 and whose registered office is at Alpha House, 296 Kenton Road, Harrow, Middlesex, United Kingdom HA3 8DD.
For the purposes of the Data Protection Legislation, we are the controller of your personal data. This means that we are responsible for deciding how we hold and use personal information about you.
If you have any questions about this policy or the personal data we hold about you, please contact us at Info@oak-wills.com.
2. Types of data that we process
When you are employed by us, we will collect and process a wide variety of your personal data. We start by collecting the personal data on your CV or application form and the information that we gathered from you during the recruitment process. This personal data forms the start of your HR file. We will collect additional information from third parties including former employers. Once you have been employed, we continue to process additional personal information in the course of job-related activities throughout the period of you working for us.
In order for you to be employed by us, we will collect your name, home address, gender, identity number, date of birth, employment start date and your signature. We will also need to see your passport as proof of your right to work in the UK/EU (as applicable).
In order to pay you, we will need your bank account details. We may also receive court orders that require us to make deductions from your pay (e.g. non-payment of council tax or child maintenance).
We will have information on your next of kin and emergency contact.
We will conduct a standard or basic criminal records check. Please see our criminal records policies for more information.
During your time with us, we will collect information about your health, such as when you are ill, have had an accident, require spectacles or have a medical or dentist appointment. We need to process this personal data in order to fulfil our legal obligations to you as your employer, with your consent (e.g. spectacles or a dentist appointment) or as a requirement of your employment contract.
If you become pregnant, we will process your health data in order to assure ourselves, and you, that the workplace is safe for you. You also have rights in the workplace when you are pregnant and we will process your health data and proof of your baby’s birth in order to fulfil your rights for maternity leave.
If you wish to take paternity leave, we will process your personal data (your name and your request) in order to fulfil your legal right to do so.
You have the right to request flexible working and we will process your personal data (your name and your request) during this process.
There may come a time that we will be required to process your personal data during a disciplinary or grievance process. This information will likely be your name and statements from other people about you. We will also hold performance information about you.
If you leave us, we will collect personal data from your resignation letter and your leaving date.
We provide pensions for our staff and need to process your name, date of birth, identity number and your salary information in order to do this.
We will have data on your salary, annual leave, any benefits, and your job titles, work history, working hours, holidays, training records and professional memberships.
Your image in a photo or video is your personal data. We may wish to use your image on our website or other marketing information in order to promote the business but will always seek your consent for this. You do not have to agree that we can use your image – it is completely your choice.
We will have information about your use of our information and communications systems to ensure compliance with our IT policies and to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
During the course of your employment, you will be required to put your name on or sign a wide variety of documents. Your name or signature is your personal data but the contents of the document, unless they are about you, are not your personal data.
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
3. How do we use your personal data and what is our legal basis
We need a legal basis in order to process your personal data. Most of our processing is because we either have a legal obligation to process the data or because we have a contract of employment with you. On occasion, we will seek your consent to process your personal data but you are free to refuse.
We will process this personal data because we have a legal obligation to do so.
We will process this personal data because we have a contract of employment with you.
We will process this personal data because you have consented for us to do so.
Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know.
We will process this personal data because we have a legitimate interest in doing so.
You have the right to object to our processing your data using legitimate interest. Please speak to us if you have any concerns.
Special category data
The GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Special category data needs more protection because it is more sensitive than regular personal data, such as name and email.
In general, we will not process particularly special category personal information about you unless it is necessary for performing or exercising obligations or rights in connection with employment. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. The situations in which we will process your particularly sensitive personal information are listed below. We have indicated the purpose or purposes for which we are processing or will process your more sensitive personal information.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, and pensions. We need to process this information to exercise rights and perform obligations in connection with your employment.
- If we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.
Do we need your consent?
- We do not need your consent if we use special categories of your personal information in accordance with our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
- We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.
4. Whom we may share your personal data with
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Entity | Legal basis for sharing |
---|---|
Our professional advisers such as lawyers and accountants | Legitimate interest |
Government or regulatory authorities or law enforcement | Legal obligation |
Professional indemnity or other relevant insurers | Legitimate interest |
Regulators/tax authorities/corporate registries | Legal obligation |
Third parties to whom we outsource certain services such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT support service providers, document and information storage providers | Legitimate interest |
Pension administrators | Legal obligation |
Whenever we share your personal information, we will do so in line with our obligations to keep your information safe and secure.
Please note this list is non-exhaustive and there may be other examples where we need to share with other parties in order to provide our services as effectively as we can.
We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal data appropriately and according to our legal and regulatory obligations.
5. Where your information is processed
Your information is processed in the United Kingdom.
Our security controls are aligned to industry standards and good practice, providing a controlled environment that effectively manages risks to the confidentiality, integrity and availability of your information.
6. How we protect your information
We take information and system security very seriously and we strive to comply with our obligations at all times. Any personal data which is collected, recorded, or processed in any way, whether on paper, online or any other media, will have appropriate safeguards applied in line with our data protection responsibilities.
Your data is protected by controls designed to minimise loss or damage through accident, negligence, or deliberate actions. Our employees and consultants are trained to protect sensitive or confidential information when storing or transmitting data in any medium including electronically and must undertake annual refresher exercises on this.
7. How long we keep your information for
Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. We specify the retention periods for your personal data in our data retention policy.
Under some circumstances we may anonymize your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. Once you are no longer an employee of the company, we will retain and securely destroy your personal data in accordance with our document retention policy and applicable laws and regulations.
8. How to access your information and your other rights
You have the following rights in relation to the personal data we hold about you:
Your right of access
If you ask us, we'll confirm whether we're processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Your right to rectification
If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we've shared your personal data with others, we'll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we'll also tell you who we've shared your personal data with so that you can contact them directly.
Your right to erasure
You can ask us to delete or remove your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we've shared your personal data with others, we'll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we'll also tell you who we've shared your personal data with so that you can contact them directly.
Your right to restrict processing
You can ask us to 'block' or suppress the processing of your personal data in certain circumstances, such as where you contest the accuracy of that personal data or you object to us. If you are entitled to restriction and if we've shared your personal data with others, we'll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we'll also tell you who we've shared your personal data with so that you can contact them directly.
Your right to data portability
You have the right, in certain circumstances, to obtain personal data you've provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
Your right to object
You can ask us to stop processing your personal data, and we will do so, if we are:
- relying on our own or someone else's legitimate interests to process your personal data, except if we can demonstrate compelling legal grounds for the processing; or
- processing your personal data for direct marketing purposes.
Your right to withdraw consent
If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
Your right to lodge a complaint with the Supervisory Authority
If you have a concern about any aspect of our privacy practices, including the way we've handled your personal data, you can report it to the Supervisory Authority in your country. We would, however, appreciate the chance to deal with your concerns before you approach the Supervisory Authority so please contact us in the first instance.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.
9. Changes to This Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any updates. If we would like to use your previously collected personal data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose. We may process your personal data without your knowledge or consent where required by applicable law or regulation.