Privacy Notice

Fair and lawful processing

Data protection legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is, the purpose for which the data is to be processed and the identities of anyone to whom the data may be disclosed or transferred.

For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, a separate condition for processing special category data must also be met. In most cases the data subject's explicit consent to the processing of such data will be required.

Processing for limited purposes

Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by data protection legislation. This means that personal data must not be collected for one purpose and then used for another incompatible purpose. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose and give their consent before any processing occurs.

Processing should be adequate, relevant and not excessive

Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.

Data should be accurate

Personal data must be accurate and where necessary kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards.

Retention times not excessive

Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from the Company's systems when it is no longer required.

Personal data should not be transferred to another country without ensuring that there are adequate safeguards in place

Whenever personal data travels across borders, the Company must ensure that that personal data remains secure. Where the data originates in the EEA and is transferred outside of the EEA, the Company is under a specific obligation to ensure that certain conditions relating to the "adequacy" of the measures taken to secure it are complied with. This can be achieved through a variety of methods depending on the type of data transferred and the reasons for the transfer.

Information related to your employment

We use the following information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes.

• Personal contact details such as your name, address, contact telephone numbers (landline and mobile) and personal email addresses
• Your date of birth, gender and NI number
• A copy of your passport or similar photographic identification and/or proof of address documents
• Next of kin, emergency contacts and their contact information
• Employment and education history including your qualifications, job application, employment references, right to work information and details of any criminal convictions that you declare
• Location of employment
• Any content featuring you produced for use on our website or social media such as images, videos, authored articles and blog posts
• Curriculum Vitae
• Application forms
• Test results
• Interview notes
• Contracts of employment
• Appraisal records
• Performance ratings
• Training notes
• Attendance records
• Disciplinary action or grievance procedures
• Redundancy or redeployment records
• Sales/commission
• Financial reference
• Company car documentation
• Time sheets
• Employer references
• Driving licences

The personal information described above will only be made available to Manager(s) and other employees who are expressly authorised to process employee data and will not be disclosed to anyone else, except where strictly necessary (for example in a disciplinary process or in cases of emergency).

Any other information supplied on application will be kept securely and is not accessed during the day to day running of the Company.

Employee data may also be processed by third parties who have been expressly authorised by the Company to process employee data and who act only on the instructions of the Company in relation to such processing. The Company will ensure that employee data remains secure wherever it is transferred to and has put measures in place to ensure that it complies with the requirements of the General Data Protection Regulation in this regard.

Accuracy

The Company will take reasonable steps to keep your personal data up to date and accurate. Personal data may be stored up to 7 years after you have left the Company. The Manager/Accountant has responsibility for destroying personnel files.

Storage

Your personal data is kept in paper-based systems and on a password-protected computer system. Every effort is made to ensure that paper-based data is stored in organised and secure systems.

Applicant tracking system

CEF employs an Applicant Tracking system (Lever) for the purpose of managing recruitment and candidate information. This system will store and process the personal information of candidates required for the roles that they apply for (listed above). The data will be stored for a year from the end of the recruitment process, after which candidates will be asked whether they consent to continue to store the data for candidates who wish to be considered for future openings. However if candidates would prefer this not to happen their data can be securely erased as they wish.

Use of photographs

Where practicable, the Company will seek your consent before displaying photographs in which you appear. If this is not possible (for example, a large group photo), the Company will remove any photograph if a complaint is received. This notice also applies to photographs published on the Company website or in the newsletter.

Information related to your salary and pension

We process this information for the payment of your salary, pension and other employment related benefits. We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity leave.

• Information about your job role and your employment contract including; your start and leave dates, salary, any changes to your employment contract, working pattern (including any requests for flexible working)
• Details of your time spent working and any overtime, expenses or other payments claimed
• Details of any leave including sick leave, holidays, special leave etc
• Pension details including membership of both state and occupational pension schemes (current and previous)
• Your bank account details, payroll records and tax status information
• Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay. This includes forms applying for the relevant leave, copies of MATB1 forms/matching certificates and any other relevant documentation relating to the nature of the leave you will be taking
• Company Car user registration numbers, mileage claims and payments

Information relating to your performance and training

We use this information to assess your performance, to conduct pay reviews and to deal with any employer/employee related disputes. We also use it to meet the training and development needs required for your role.

• Information relating to your performance at work e.g. probation reviews, PDRs, promotions
• Grievance matters and investigations to which you may be a party or witness
• Disciplinary records and documentation related to any investigations, hearings and warnings/penalties issued

Information relating to monitoring

The Company monitors electronic communication, information access and other activities of its employees in the following ways:

• E-mail facilities and internet access are provided solely for business purposes and, therefore, the Company reserves the right to review e-mail messages. You should, therefore, not place on the system any message or communicate anything which you regard as personal
• The Company employs CCTV cameras in various staff areas, IT data centres, stores, warehouse areas and car parks. These cameras are installed for the purpose of crime prevention and for your safety, ensuring H&S and company procedures are followed and assisting with identifying unsafe practices. CCTV footage may be reviewed by the appropriate personnel at management discretion. Further information is available in our CCTV policy
• The Company reserves the right to intercept any electronic communications or data exchange (including email) for monitoring purposes, record keeping purposes, preventing or detecting crime, investigating or detecting the unauthorised use of the Company's telecommunication and information system or ascertaining compliance with the Company's policies, practices or procedures

All of our ICT systems and the swipe access system for the entry and exit of our premises are auditable and can be monitored, though we don’t do so routinely. We are committed to respecting individual users’ reasonable expectations of privacy concerning the use of our ICT systems and equipment. However, we reserve the right to log and monitor such use in line with our Acceptable Use Policy. Any targeted monitoring of staff will take place within the context of our disciplinary procedures.

Information relating to your health and wellbeing, equal opportunities monitoring and other special category data

We use the following information to comply with our legal obligations. We also use it to ensure the health, safety and wellbeing of our employees.

• Health and wellbeing information either declared by you or obtained from eye examinations, sick leave forms, fit notes i.e. Statement of Fitness for Work from your GP or hospital
• Accident records if you have an accident at work or in a car whilst on company business and all accidents occurring in company vehicles
• Details of any desk audits, access needs or reasonable adjustments
• Information you have provided regarding Protected Characteristics as defined by the Equality Act and s.75 of the Northern Ireland Act for the purpose of equal opportunities monitoring. This includes racial or ethnic origin, disability status, and gender identification and may be extended to include other protected characteristics.

The Company recognises that certain types of data are particularly sensitive. This includes, for example, information in relation to such matters as racial or ethnic origin, trade union membership and physical or mental health or condition. Although inevitably there will be a need for the Company to process and transfer sensitive data on occasions, the Company will collect and process as little sensitive information as possible and only where necessary.

Special category data

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

• Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights
• Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent
• Article 9(2)(f) for the establishment, exercise or defence of legal claims
• Article 9(2)(g) - where processing is necessary for reasons of substantial public interest

In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1 of the DPA 2018. This relates to the processing of special category data for employment purposes.

Criminal convictions and offenses

We process information about staff criminal convictions and offences. The lawful basis we rely on to process this data are:

• Article 6(1)(b) for the performance of a contract. In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1