CAREERS PRIVACY POLICY
Compliance statement for employees and job applicants
This policy demonstrates our commitment to protecting the privacy and security of your personal information. It contains information regarding how we collect and use personal data or personal information about employees and applicants in accordance with the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and all other data protection legislation currently in force in the UK (“Data Protection Legislation”).
Pursuant to Data Protection Legislation, when processing data we will;
- Process it fairly, lawfully and in a clear, transparent way;
- Collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you;
- Only use it in the way that we have told you about;
- Ensure it is correct and up to date;
- Keep your data for only as long as we need it;
- Process it in a way that ensures it will not be lost or destroyed or used for anything that you are not aware of or have consented to (as appropriate).
Each company within the group is registered as a Data Controller with the ICO, the registration numbers are as follows:
The AMT Group of Companies are “data controllers”. This means that we are responsible for determining the purpose and means of processing personal data relating to you.
“Personal data”, or “personal information”, means any information relating to an identified, or identifiable individual in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There are “special categories” of sensitive personal data, meaning data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sex life or sexual orientation, genetic data, and biometric data which require a higher level of protection.
This Data Protection Policy clarifies:
- What personal data we collect
- Why we process personal data
- With whom we share personal data
- The rights an individual has relating to their personal data and how to enact them
- Our data retention policy
- How personal data is secured
- Our complaints procedure
- Our data breach policy
Employees’ obligations regarding handling of Personal Data are contained within the Employee Handbook and are as follows:
If an employee acquires any personal information in the course of their duties, they must ensure that:
- The information is accurate and up to date, insofar as it is practicable to do so.
- The use of the information is necessary for a relevant purpose and that it is not kept longer than necessary.
- The information is secure.
What Personal Data do we collect, how do we collect it why do we process it and to whom is it shared?
Pre – Employment (Recruitment) – Personal Data:
-Name / Address
Condition for Processing Personal Data:
-Consent of individual by nature of application.
Employment (offer acceptance) - personal data:
How we collect this information
- Employment Application Form
- Direct correspondence
Condition for processing personal data:
- The performance of a contract with the data subject or to take steps to enter into a contract.
- Compliance with a legal obligation.
Employee administration – personal data:
- Sickness/Absence Records
- Disciplinary Record / Grievance Procedures
- Warnings
- Performance Information
- Bank Details / Salary – Payroll
- Driving License (Annual DVLA Check)
- Pension Details (Workplace Pension)
- Training Records
- Career Progression History (Current Title, Previous Roles & Salary)
- Location
- Exit Interview Notes
- Archived Ex-Employee Records
How we collect this information
Condition for processing personal data:
- The performance of a contract with the data subject or to take steps to enter into a contract.
- Compliance with a legal obligation
Some additional data is collected from employees:
- All of our premises are fitted with CCTV, which may capture images of our employees while they are on the premises
- Location Data collected via vehicle tracking devices whenever the employee is driving a company vehicle, including journeys made outside of work. This data is considered Sensitive Personal Data and as such is subject to strict controls on access and processing, as detailed below.
Condition for processing personal data
- Consent of individual by signing their employment contract.
Some of the data we collect and process is considered Sensitive Personal Data and is detailed below:
Employment (offer acceptance) - sensitive data:
- Medical Questionnaire
- Sex
- Marital Status
- DOB
Condition for special category data:
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
- Explicit Consent of the Date Subject.
How we collect this information
Employee administration – sensitive data:
- Sex
- Marital Status
- DOB
- First Aid Administration / Injury Records
- Accident Reporting
- Archived Ex-Employee Records
Condition for special category data:
Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
All Sensitive Personal Data collected and processed is subject to strict controls. Access to the data is restricted to only those for whom access is necessary for processing the data, and the data is processed only as required to carry out our obligations as an employer. All employee data is kept securely in accordance with our Information Security policy.
Employees’ Personal Data may be shared with third parties for the following purposes:
- Administration of payroll
- To assist us with carrying out our obligations under employment, social security or social protection law, or a collective agreement.
- Where we have a legal obligation to do so
- Abide by all UK and EU Data Protection legislation; and
- If they are in a jurisdiction under which UK or EU law does not apply, to apply a similar standard of protection to any Personal Data which we may share with them; and
- To process the data only for the purpose for which it was shared with them.
Your legal rights
- Request access to your personal information (commonly known as a “data subject access request”).
- This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact James McGawley, Data Protection Officer in writing.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, please contact James McGawley, Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Information security
We have extensive security arrangements in place to protect personal data we hold on our systems. If you require full details on our security policy, please contact your account manager or the Data Protection Officer, the contact details for which are:
James McGawley
Data Protection Officer
AMT Group
174 Armley Road
Leeds
LS12 2QH
Telephone: 0844 826 2300
Email: james.mcgawley@amtvehiclerental.co.uk
Data retention policy
- Customer contact data for 7 years from the date on which you cease to be a customer of ours;
- Supplier contact data for 7 years from the end of our commercial relationship; or
- Until the customer or supplier asks us to return or destroy it and we no longer have a legitimate interest in retaining the data.
- The services have been provided or in accordance with any contract for the supply of services; or
- The customer or the data subject asks us to destroy it.
- For the duration of their employment with any member of the AMT Group; and
- For 7 years following the termination of their employment with any member of the AMT Group
In each case the above applies unless a legal obligation or other legitimate interest requires us to store the data for a longer period.
We carry out regular audits of any Personal Data we hold to ensure as far as possible that we do not hold any Personal Data that is no longer required.
Making a complaint
If you have a complaint regarding any aspect of our collection or processing of personal data or our data protection policy, please contact:
James McGawley
Data Protection Officer
AMT Group
174 Armley Road
Leeds
LS12 2QH
Telephone: 0844 826 2300
Email: james.mcgawley@amtvehiclerental.co.uk
On receipt of a complaint regarding Data Protection, within 1 working day we will acknowledge the complaint and provide a response. Where a complaint requires an extension to that time limit we will inform the complainant and provide a formal response with the conclusions to any investigation with utmost urgency.
All complaints received are logged for reference, detailing the original complaint, the details of any investigation and the resolution.
Where we are not able to reach a satisfactory resolution, individuals are advised of their right to report their concern to the Information Commissioners Office or to seek judicial remedy.
Data breach policy
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
When we become aware of a personal data breach, we will establish the likelihood and severity of the resulting risk to individuals’ rights and freedoms. Where necessary, we will promptly inform those affected. We will tell them:
- The name and contact details of our data protection officer or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
When we become aware of any personal data breach we will document and justify any decisions made regarding it.
Where required and where feasible, we will notify the ICO of the breach within 72 hours. Where we are unable to provide a full explanation of the breach within 72 hours we will still provide notification of the breach and an explanation of the delay, with the results of the corresponding explanation being provided as soon as they are available.
We will document any breach, whether or not the ICO or any affected individuals are notified, as follows:
- A description of the nature of the personal data breach;
The categories and approximate number of individuals concerned; - The categories and approximate number of personal data records concerned;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Personal data breaches should be reported to:
James McGawley
Data Protection Officer
AMT Group
174 Armley Road
Leeds
LS12 2QH
Telephone: 0844 826 2300
Email: james.mcgawley@amtvehiclerental.co.uk