EMPLOYEE PRIVACY NOTICE
Date last revised: Sept 2019
IDENTITY AND CONTACT DETAILS OF CONTROLLER
The following associated Companies are controllers of data for the purposes of the Data Protection Act 1998 and General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”).
- RP COM UK Ltd trading as Goodman Maddox Restaurant
- Goodman City Limited trading as Goodman City Restaurant
- Goodman Canary Wharf Limited trading as Goodman Canary Wharf Restaurant
- Goodman Restaurant Group Limited
- Chapel Place Restaurant Ltd trading as Beast Restaurant
- Zelman HN Ltd trading as Zelman Meats Harvey Nichols Restaurant
- GGC Management Limited
- Burger and Lobster Restaurant Group
We are a UK registered company and our registered office is at our appointed solicitors,c/ o Teacher Stern LLP, 37-41 Bedford Row, London WC1R 4JH.
We are registered with the ICO to process your personal data in the manner set out in this
As your employer, the Company collects and processes personal data relating to you to manage the employment relationship in a way that is consistent with our obligations and your rights under the law.
We keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left.
We are committed to protecting your privacy and complying with the Data Protection Act 1998 and General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”).
- WHAT DOES THIS NOTICE COVER?
This Privacy Notice sets out how we will process your personal data and your rights under the law relating to your personal data.
You are therefore advised to read it carefully and any other privacy policies or information which we may provide to you on specific occasions in the future so that you are aware of how and why we are collecting, processing or storing personal data about you.
This notice applies to all current and former employees, workers and contractors.
- WHAT IS PERSONAL DATA?
Personal data is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
There are also certain “special categories” of personal data which are more sensitive and which require greater protection than ordinary personal data.
Where data is anonymous and cannot be linked back to an individual this is not personal data.
- WHAT PERSONAL DATA DO WE COLLECT?
We may collect, store and process a range of information about you.
- your application form and references;
- your name, address, date of birth and gender, contact details, including email address and telephone number;
- your nationality and entitlement to work in the UK, as well as other details we are required to check or maintain by law;
- information about your marital status, next of kin, dependants and emergency contacts;
- details of your education, qualifications, skills, experience and employment history, including start and end dates, with previous employers as well as any references taken up during the recruitment process;
- positions you may have previously applied for;
- information about the terms and conditions of your employment or engagement with us, including your employee ID, details of your schedule (days of work and normal working hours) and location of work;
- information about your level of pay, including entitlement to any pension, expenses and benefits connected to your employment, as well as your bank account details and National Insurance number;
- correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary;
- where necessary for your role, personal details related to uniform size;
- information about your attendance and any periods of leave taken by you, including annual leave, absence due to sickness, family and parental leave and sabbaticals, as well as the reasons for leave;
- details related to the performance of your role, including any assessments and appraisals, performance reviews, training you have participated in and performance improvement plans issued to you and any related paperwork
- your career development history with us, including any specific learning needs;
- details of any disciplinary, grievance and mediation procedures which you have been involved in, including any related paperwork and warnings issued to you;
- CCTV footage and other monitoring information obtained through electronic means, as well as information about how you use our electronic systems;
- biometric data such as photographs;
- details about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments during your time with us;
- details of trade union membership; and
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
We may obtain this information in a variety of ways.
- Much of the information we hold will have been provided by you.
For example, data might be collected before employment starts through application forms, CVs or resumes; obtained from your passport or other identity documents; or collected from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings or other assessments during the recruitment process. Once
you have entered into a contract with us additional data may be collected through further interviews, meetings, correspondence or assessments, or from documents provided or filled in by you.
- Some information may come from other internal sources, such as your manager.
- In some cases, we may collect personal data about you from external third parties, for examples former employers who provide references, information from employment background check providers and information from credit reference, a relevant professional body, external organisations who carry out right to work checks and the Home Office.
- WHY DO WE PROCESS PERSONAL DATA?
Under the GDPR, we must always have a lawful basis for using personal data.
This may be because the data is necessary to enable us to comply with your employment contract, to comply with any legal requirements, pursue the legitimate interests of the Company and protect our legal position in the event of legal proceedings.
- We need to process personal data to enter into an employment contract with you and to ensure that we then meet our contractual obligations to you. For example, we need to process various types of personal data in order to provide you with an employment contract, to ensure that you receive the correct pay and benefits that you are entitled to under your contract (benefit, pension and insurance entitlements).
- We may also need to process data to ensure that we are complying with any and all legal obligations that apply to us. For example, we are required to check each employee’s entitlement to work in the UK, to comply with health and safety laws, to ensure that employees can take periods of statutory leave to which they are entitled and to deduct tax as part of the PAYE system.
- In other cases, we may have a legitimate interest in processing personal data before, during and after your employment with us and keeping records about our interaction with you. Processing data in this way allows us to properly and consistently manage both our business and our workforce. For example, CCTV is in use at all of our restaurants for your protection and protection of the property, as well as for the prevention and detection of crime (each company is separately registered with the ICO to process your data in this way.)
Where we rely on legitimate interests as the justification for processing personal data, we will never process your data where these interests are overridden by your own interests, rights and freedoms.
We may also need to process data about individuals to respond to and defend against legal claims.
Processing employee data for one or more of the reasons set out above allows us to:
- make decisions about recruitment, retention and promotion of employees;
- check that individuals are legally entitled to work in the UK;
- maintain accurate and up to date employment records about our staff, including their terms and conditions of work, contractual and statutory rights and contact details (including details of who to contact in the event of an emergency);
- ensure that you are paid properly, that the correct levels of tax and National Insurance are deducted and that you receive all benefits that you are entitled to;
- administer the pension scheme;
- ensure acceptable conduct within the organisation by running and keeping records of disciplinary and grievance processes;
- effectively manage and run the business by monitoring and keeping records of employee performance and related processes, engaging in performance reviews and undertaking succession planning;
- monitor and keep records of periods of absence and absence management to ensure that individuals take and remunerated correctly for statutory periods of absence and also to ensure compliance with our legal obligations around such leave;
- obtain occupational health advice, to ensure that we comply with our legal duties in relation to individuals with disabilities and meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- respond to and defend against legal claims;
- ensure effective general HR and business administration, including assuring the security and safety of our sites;
- provide references on request for current or former employees;
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
We may process some special categories of personal data, such as information about health or medical conditions, to comply with our employment law obligations (such as if we need to make reasonable adjustments for employees with disabilities) and/or for the purposes of occupational health and assessing the working capacity of employees.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you. We will use information about criminal convictions and offences usually where such processing is necessary to carry out our obligations and provided we do so in line with our contractual obligations.
Where we process other special categories of personal data, such as information about ethnic origin or religion or belief, this is done for the purposes of equal opportunities monitoring. This is in order that we can promote and maintain equality of opportunity, and also in order that we can carry out monitoring which is for reasons of substantial public interest for the purpose of keeping such equality of opportunity under review.
Data that we use for these purposes is anonymised or is collected with your explicit consent unless this is not required by law or the information is required to protect your health in an emergency.
Where we are processing data based on your consent, you have the right to withdraw that
consent at any time by contacting email@example.com.
You are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
- WHO HAS ACCESS TO PERSONAL DATA?
Your information may be shared internally, including with members of the HR team (including payroll), your line manager and managers in the business when relevant to their roles and IT staff if access to the data is necessary for performance of their roles.
We may transfer information about you to other group or associated companies as detailed at the beginning of this notice for purposes connected with your employment or the management of the company’s business.
Some activities are carried out by selected third parties service providers who have been contracted by us for the purpose of processing your personal information in accordance with the terms set out in this notice.
For example, your personal data may be disclosed to the following third parties that process data on our behalf for the reasons listed:
- recruitment and onboarding after recruitment stage via our Applicant Tracking System
- management of our HR system
- provision of benefits via our reward and recognition platform
- provision of private medical insurance
- provision of other benefits e.g: cycle to work scheme, childcare vouchers if you are eligible
- provision of occupational health services
- management of tronc distribution
- delivery of our e-newsletter and internal communication that are operated by ourselves and hosted by third party service provider who is data processor and only process personal information in line with our instructions
- collection of feedback via various surveys that are operated by ourselves and hosted by third party service provider who is data processor and only process personal information in line with our instructions.
We might also share your data with third parties in order to
- comply with legal obligations;
- obtain pre-employment references from other employers;
- obtain employment background checks from third-party providers;
- obtain necessary criminal records checks from the Disclosure and Barring Service;
- obtain necessary verification of right to work with Home Office.
We may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
At present we do not store or transfer some or all of your personal data in countries outside of the European Economic Area (EEA).
These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA.
However, should we need to do so in the future in relation to the management and operation of the business data will be transferred outside the EEA only on the basis of specific assurances or safeguards (contractual or otherwise) which are put in place to ensure that your data is adequately protected as it would be within the UK or the EEA.
This means that we will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR as follows.
- HOW DO WE PROTECT PERSONAL DATA?
We take data security very seriously and we use appropriate technical and organisational measures to protect the personal information that we collect and process about you.
The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information and we have internal controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed.
All information you provide to us is stored on our secure servers, Cloud-based storage solutions, in our recruitment systems and in other IT systems (including our email system).
Where we have given you (or where you have chosen) a password that enables you to access certain parts of our HR system, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Any data sent to us by email is automatically encrypted in transit.
We take care to allow access to personal information only to those who require such access to perform their tasks and duties, and to third parties who provide services to us or otherwise have a legitimate purpose for accessing it.
Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this Privacy Notice and that the security and confidentiality of the information is maintained.
- FOR HOW LONG DO WE KEEP PERSONAL DATA?
We will not keep your personal data for any longer than is necessary in light of the reasons for which it was first collected.
Once you have taken up employment with us, your personal data will therefore be kept secure for the duration of your employment and will only be used for purposes directly relevant to your employment.
Once your employment has ended, we will retain the file in accordance with the requirements of our retention schedule for 7 years.
After that we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
- YOUR RIGHTS
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018
(DPA) you have a number of rights with regard to your personal data.
- Right to be informed: our Privacy notice should tell you everything you need to know on how we will be using your data, but you can always contact us to find out more or to ask any questions using the details in Part 11.
- Right to access your personal data: you can make a data subject access request. You are entitled to receive a copy of the personal data we collect about you and to check that we are lawfully processing it. Part 11 will tell you how to do this.
You can make a subject access request by completing the organisation's form for making a subject access request.
- Right to have information corrected: you can request correction of the personal data that we hold about you if you believe that it is incorrect or incomplete.
- Right to erasure: you are entitled to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). Any requests for erasure of data during the retention periods outlined above will be considered in line with that retention notice and subject to, for example, whether the data may need to be retained in order to defend any legal claims, either actual or potential. We may decline to delete personal data if a justification for us to retain the data remains.
- Right to object to processing: you can object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and your particular circumstances mean that you want to object to processing on this ground. We will then consider the situation further on the basis of the objection that you have raised.
- Right to restrict processing: you can request the restriction of processing of your personal data in certain circumstances, for example if you wish to suspend the processing of personal data about you if for a period if data is inaccurate or you have asked us to establish the reason for processing it, or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.
- Right to data portability: you can request the transfer of your personal data to another data controller.
- Right not to be subject to automated decision-making, including profiling: our employment decisions are not based solely on automated decision-making.
If you would like to exercise any of these rights, please contact HR department, firstname.lastname@example.org.
If you believe that we have not complied with the requirements of GDPR with regard to your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
- YOUR DUTY TO INFORM US OF CHANGES
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
- HOW CAN YOU ACCESS YOUR PERSONAL DATA?
If you want to know what personal data we have about you, you can ask us details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
We will require you to verify your identity to us before we provide any personal data, and reserve the right to ask you to specify the types of personal data to which your request relates.
All subject access requests should be made in writing and sent to the email to email@example.com.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within 28 days and, in any case, not more than one month of receiving it.
Normally, we aim to provide a complete response, including a copy of your personal data within that time.
In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request.
You will be kept fully informed of our progress.
- WHAT IF YOU DO NOT PROVIDE PERSONAL DATA?
You have some obligations under your employment contract to provide data to us.
In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract of employment with you.
If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
- CHANGES TO THE PRIVACY NOTICE
This document does not form part of any contract of employment or contract for services and is entirely non-contractual.
As a result, we reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.