GDPR Candidate Privacy notice

Prepared By: Sr. Compliance Officer
Approved By:  ZAFAR I. ANJUM, Group CEO

What is the purpose of this document?

• CRI Group is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.
• You are being sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
• If you have questions regarding your personal data and how we use it, please contact our Compliance Department (acting as DPO) using the contact details below: Compliance Department, dataprotection@crigroup.com

Data protection principles

We, CRI Group, will comply with data protection law and principles, which means that your data will be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only if necessary, for the purposes we have told you about.
• Kept securely.

Lawful basis for processing

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

1. Where we need to perform the contract, we have entered with you

CRI Group’s contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to payroll, bank account, postal address, sick pay, leave; maternity pay, pension and emergency contacts.

2. Where we need to comply with a statutory or legal obligation

Our statutory responsibilities are those imposed on the company by legislation. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax; national insurance; statutory sick pay; statutory maternity pay; family leave; work permits; and equal opportunities monitoring.

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests:

CRI Group has a legitimate interest in processing personal data during employment. Processing data from employees allows us to manage the employment relationship. Our management responsibilities are those necessary for the organisational functioning of the company. The data processed to meet management responsibilities includes, but is not limited to, data relating to recruitment and employment; training and development; absence; disciplinary matters; health and safety; security, e-mail address and telephone number; and criminal convictions. We may also need to process data from employees to respond to and defend against legal claims.

4. We may also use your personal information in the following situations, which are likely to be rare:

• Where we need to protect your interests (or someone else’s interests)
• Where it is needed in the public interest (or for official purposes).

How we use personal sensitive information

‘Special categories’ categorised in GDPR and particularly sensitive personal information requires high levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

CRI Group may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, physical and mental health, disability, criminal allegations, proceedings or convictions, in the following circumstances (in limited circumstances, with your explicit written consent. (GDPR Art 7)):

• Where we need to carry out our legal obligations in line with our data protection policy.
• Where it is needed in public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our data protection policy.
• Where it is needed to assess your working capacity on health grounds, subject to appropriate safeguards.
• Less commonly, we may process this type of information where it is needed in relation to legal claims or where is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We will use your sensitive personal information in the following ways:

• We will use information relating to leaves of absence, which may include sickness absence or family-related leave, to comply with employment and other laws.
• We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and management sickness absence and to administer benefits.
• We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided, we do so in line with our data protection policy.
• In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent for us.

The kind of information we hold about you

The types of personal data we collect:

• Information about you:

Name, address, date of birth, marital status, nationality, and preferred language, details of any disabilities, work restrictions and/or required accommodations.

• Information to contact you at work or home:

Name, address, telephone, and e-mail addresses.

• Information about who to contact in a case of emergency (yours or ours):

Name, address, telephone, e-mail addresses and their relationship to you.

• Information to identify you:

Photographs, passport and/or driving license details, proof of residence, electronic signatures.

• Information about your suitability to work for us:

References, interview notes, work visas ID information such as passport details and, records/results of preemployment checks, including criminal record checks, credit and fraud checks.

• Information about your skills and experience:

CVs, resumes and/or application forms, references, records of skills and experience: qualifications, skills, training and other compliance requirements.

• Information about your terms of employment with CRI Group:

Letters of offer and acceptance of employment, your employment contract.

• Information that we need to pay you:

Bank account details, national insurance or social security numbers (where applicable).

• Information that we need to provide you with benefits and other entitlements:

Length of service information, health information, leave requests.

• Information to allow you to access our buildings and systems:

Employee identification number (UIN), computer or facilities access and authentication information, identification codes, passwords, answers to security questions, photographs, video images.

• Information relating to your performance at work:

Performance ratings, leadership ratings, targets, objectives, records of performance reviews, records and/or notes of 1 to 1s and other meetings, personal development plans, personal improvement plans, correspondence and reports.

• Information relating to discipline, grievance and other employment-related processes:

Interview/meeting notes or recordings, correspondence.

• Information relating to your work travel and expenses:

Bank account details, passport, driving licence, vehicle registration.

If you fail to provide personal information

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

How we use particularly sensitive personal information

1. Recruitment

• To assess your suitability to work
• To perform vacancy and applicant management activities
• To conduct screening, assessments and interviews;
• To maintain a library of correspondence;
• To make offers and provide contracts of employment
• To conduct pre-employment checks, including determining your legal right to work and carrying out criminal record and credit checks where applicable
• Human Resources (“HR”), finance and other business administration purposes
• Staffing, including resource planning, recruitment, termination, and succession planning;
• Budgetary and financial planning and administration; Organisational planning and development and workforce management
• Compensation, payroll, and benefit planning and administration, including salary, tax calculations, reward and recognition payments, insurance and pensions
• Workforce development, education, training and certification
• Performance management;
• Problem resolution, including carrying out internal reviews, grievances, investigations, audits;
• Business travel and expense management
• To conduct business reporting and analytic administration of flexible work arrangements, administration of employee enrolment and participation in activities and programmes offered to eligible employees
• Work-related injury and illness, including the management of employee Health & Safety, and disabilities
• To communicate with you and to facilitate communication between you and other people, compliance and compliance reporting, including conflict of interest and gifts and hospitality reporting
• Risk management, Project Management, Training and Quality purposes.

2. Security purposes

Physical access control authorising, granting, administering, monitoring and terminating access to or use of our facilities, records, property and infrastructure including communications services such as business telephones and email/internet use

• Prevention and detection of crime.
• Information Technology (“IT”) administration purposes:

3. IT Systems access control and use monitoring

• IT fault reporting, management and resolution, systems administration, support, development, management and maintenance.

4. Legal purposes

• To comply with our legal obligations.

Information about criminal convictions

We envisage that we will process information about criminal convictions.

We will collect information about your criminal convictions history if we would like to offer you the work (conditional on checks and any other conditions, such as references, being satisfactory). We are required to carry out a criminal record check in order to satisfy ourselves that there is nothing in your criminal convictions history that makes you unsuitable for the role. In particular:

• As per BS 102000:2018, we are required to carry out criminal record checks for those carrying out any role with us
• The role of [SPECIFY] requires a high degree of trust and integrity [since it involves dealing with [SPECIFY] [for example, high value client money]] and so we would like to ask you to seek a basic disclosure of your criminal records history.

We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.

How we collect your personal data

• When you access our candidate portal for screening purposes;
• When you contact our HR department via telephone or email;
• When we collect data through our HR and benefits systems;
• When we collect data through the implementation of any HR Employee Relations Policies e.g. Disciplinary;
• In the course of managing your employment, for example, performance reviews, payroll;
• When you complete staff surveys;
• When you apply for a vacancy internally or externally;
• When we receive your Personal Data from third parties, for example, security screening; and recruitment agencies.

Automated decision-making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Data sharing: who has access to your personal data

Your information may be shared internally for the purposes of managing the employment relationship. This includes members of the HR and recruitment team, training team, managers and IT staff if access to the data is necessary for the performance of their roles.

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We require third parties to respect the security of your data and to treat it in accordance with the law.

We may also share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data security: how we protect your personal data

CRI Group is committed to protecting the personal data you entrust to us. We adopt robust and appropriate technologies and policies, so the information we have about you is protected from unauthorised access and improper use.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For further details please email the Compliance Department. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify any applicable regulator of a breach where we are legally required to do so.

The personal data you provide may be transferred to countries outside the European Economic Area (EEA). By way of example, this may happen if we are checking your references for time spent working outside of the EEA and we engage a service provider based in the appropriate jurisdiction to perform the checks on our behalf. If CRI Group transfers your personal data outside of the EEA in this way, we will take steps to ensure that your privacy rights continue to be protected as outlined in this Privacy Policy.

CRI Group recognises that some countries do not have the same standard of data protection afforded in most EU States, for this reason, CRI Group has a strict supplier management policy which includes the screening of all new suppliers, annual security questionnaires and reviews, and the use of formal processing agreements. Our processing agreements also include terms dictating that the suppliers:

• Are only permitted to process your personal data for recruitment;
• Can only retain your personal data for a maximum period of 90 days (unless they are restricted by law from doing this);
• Must immediately notify CRI Group of any suspected or actual data breach of your personal data;
• Shall take all appropriate technical and security measures to safeguard your personal data;
• Will only transfer your personal data in accordance with approved data transfer provisions.

We will ensure that only organisations that are a part of the EU-US Privacy Shield initiative will handle your personal data. More details on this certification can be found at www.privacyshield.gov/welcome

Data retention: how long will you use my information for?

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of retention periods for different aspects of your personal information are available in our retention policy which is available from Compliance Department and Human Resource Department. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with applicable laws and regulations.

Your rights as a Data Subject: rights of access, correction, erasure, and restriction

Under certain circumstances, by law, you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Compliance Department in writing.

Right to withdraw consent

When you applied for this role, you provided consent on [DATE] to us processing your personal information for the purposes of the recruitment exercise. You have the right to withdraw your consent for processing for that purpose at any time. To withdraw your consent, please contact the Compliance Department. Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely.

Change of purpose

We will only use your personal data for the purposes for which we collected it. Please note we may process your personal data without your knowledge or consent, where this is required or permitted by law.

Data Protection Officer

We have appointed Compliance Team as data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Compliance Team at Compliance@crigroup.com

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Or if you are out of EEA you can complain to your country’s data protection authority.

Right to Complaint

You have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office – please refer to its website at www.ico.org.uk. You may contact the Information Commissioner’s Office as follows:

By email: Please complete the form at https://ico.org.uk/global/contact-us/email/

By phone: 0303 123 1113

By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5A