Effective Date: August 28, 2023
Last Updated: August 28, 2023
Red Ventures (Europe) Employee Privacy Notice
What is the purpose of this notice?
Red Ventures is committed to protecting your privacy. In this notice “Red Ventures Europe”, “us”, “our”, and “we” means Red Ventures employees based in the European Union and United Kingdom..
This notice, which applies to all current and former employees and contractors, describes how we collect and use your personal data before, during and after your working relationship with us. This notice should be read in conjunction with our other corporate policies and procedures.
The 'Data Controller' of your personal data is Red Ventures Limited whose registered office is at The Cooperage, 5 Copper Row, London, SE1 2LH. This means that we decide how we hold and use your personal data. The law requires us to tell you the information in this notice. This notice is not part of our contract with you. We may update this notice at any time and will make an updated copy available to you.
You should read this notice so that you understand how and why we use your personal data and your rights under data protection law.
Our Data Protection Officer is Mark Scott. You can contact him at email@example.com.
Data protection principles
We comply with data protection law. This means that the personal data we hold about you must be:
- used lawfully, fairly and transparently;
- collected for legitimate purposes that we have told you about and not used in any
- way that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which they
- are used;
- accurate and kept up to date;
- kept only for as long as necessary for the purposes for which they are used; and
- kept securely.
The information we hold about you
'Personal data' means any information about an individual from which that individual can be identified: it doesn't include data where the information necessary to identify the person has been removed (anonymous data).
For the purposes of this Privacy Notice we collect information on the following categories of data subjects:
- Applicants and prospective employees of Red Ventures Europe
- Employees of Red Ventures Europe
- Past employees of Red Ventures Europe
- Prospective contractors of Red Ventures Europe
- Contractors of Red Ventures Europe
- Past contractors of Red Ventures Europe
We collect, store and use the following categories of Personal Data relating to you:
- Personal identification information including your name, gender, prefix, date of birth and photograph;
- Contact information, including your home address, personal email address and phone numbers, and emergency contact details;
- Absence records, including for holiday, time off for dependents, and compassionate leave;
- Appraisals, reviews and training records;
- Background check results, if required;
- Details of the company that employs you, including your work address;
- Copy of your passport, and any visa or other immigration permissions relating to your right to work;
- Details of all share options and SIP shares you hold including transaction history;
- Disciplinary and grievance records, including information collected for internal investigations;
- Your work email address(es);
- Employee identification number(s);
- Employment history, including your employment contract, offer letter, start date, details of benefits and working hours;
- National Insurance number, Social Security Number, or similar national identifier;
- Payroll information (for example: payroll number, P60, P45, payslips, tax records, payroll records and bank account details);
- Pension details including benefits;
- CV / Resume, education records and previous employment references;
- Salary amount;
- Work related emails, data used during meetings, phone records and travel records;
as well as;
- Information regarding your usage of Red Ventures IT systems including login information, access to IT systems (including date and time of access), information regarding usage of internet, telephone and messenger systems;
- Information contained on any work device (including mobile phones, tablets or laptops) collected in the context of any investigation; and
- Information from monitoring of Red Ventures devices and accounts (including email) and any personal device to which the Red Ventures device management policy is applied; and information captured on security systems, including CCTV and key card entry systems.
The law recognises ‘special categories' of personal data which require a higher level of protection for us, such as information about someone's health or sexual orientation.
We may collect, store and use the following ‘special categories' of personal data:
- information about your nationality, race or ethnicity;
- information about your health including any medical condition, health and sickness records, including:
- medical reports, fitness to work notes, occupational health records, accident records and medical insurance arrangements.
- where you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision;
- details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; and
- where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes;
- information about criminal convictions and offences;
- biometric information that you may volunteer to enable easy and secure access to your work device(s) and business applications;
- information relating to any trade union subscriptions and time off for related activities; and
- information specific to your level of exposure to a pandemic - see section below for more information about this, and how it might affect you.
How your personal data are collected
We collect personal data about you through our application, recruitment, joiners, and leavers processes, from the following sources:
- Directly from you;
- From employment agencies and recruitment websites (e.g. LinkedIn);
- From your employment referees;
- From security clearance and background check providers;
- From Occupational Health and other health providers;
- From pension administrators;
- From government departments, for example, tax details from HMRC;
- From your trade union;
- From providers of staff benefits;
- From colleagues (and employees of partner organisations), regarding job-related and performance management activities;
- From training suppliers; and
- CCTV images from our CCTV systems.
If the need arises, we may seek to collect and process your personal data in response to a pandemic or local health emergency, which is in addition to that which we would normally collect from you and your family, to ensure everyone's safety and well-being.
Any such personal data we collect is limited to that which is proportionate and necessary for us to collect, taking into account the latest guidance issued by the Government and health professionals in order to manage the situation. This is to assist us in keeping people safe, and putting contingency plans into place to safeguard vulnerable individuals and aid with business continuity.
Where personal data is to be used to make organisational decisions, steps will be taken to anonymise the data and general statistics/numbers used, wherever possible.
How we use your personal data
We only use your personal data when the law allows. Most commonly, we will use your personal data:
- to take steps before entering a contract with you;
- to perform our contract with you;
- to comply with a legal obligation; and
- for our legitimate interests (or those of a third party) and your rights and interests do not override those interests.
More specifically, we will use your personal data to:
- carry out and maintaining right to work checks including your immigration status, qualifications, personality/psychological profiles, and role-specific background checks;
- pay you, deduct tax and National Insurance, and provide employee benefits;
- provide your rights to time off and family leave;
- contact you when you are not at work or your emergency contacts in an emergency;
- address disciplinary or grievance issues;
- manage your performance, and address training and development needs;
- address fitness to work health related adjustments;
- operate the business day to day;
- monitor equal opportunities and diversity;
- ensure compliance with IT policies and network and information security and other employee policies; and
- protect the business through security and entry to premises, systems and processes.
We may also use your personal data in the following less common situations:
- to protect your vital interests (or someone else's); and
- in the public interest (for example, it is necessary for reasons of public interest in the area of public health) or for other official purposes.
Some of our reasons for using your personal data may overlap and there may be more than one reason that justifies our use of your personal data.
If you fail to provide personal data
If you do not provide your personal data when requested, we may not be able to perform our contract with you (such as paying you or providing a benefit) or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers). If you fail to provide the information necessary for us to meet our legal and regulatory requirements, or to operate our business, you may be subject to disciplinary action.
Change of purpose
We will only use your personal data for purposes consistent with the original purpose that we told you about. If we need to use your personal data for an unrelated purpose, we will tell you (usually by updating this policy) and explain the legal basis for doing so.
We may use your personal data without your knowledge or consent where this is required or permitted by law.
How we use particularly sensitive personal data
‘Special categories' of personal data require higher levels of protection and so we have in place appropriate safeguards when processing special categories of personal data. We will only do this when we have further justification for collecting, storing and using this type of personal data.
We may process special categories of personal data about you in the following circumstances:
- with your explicit written consent;
- where we need to carry out our legal obligations (for example, completing our accident register, if you have an accident at work) or exercise rights in connection with employment;
- where it is needed in the public interest, such as for equal opportunities monitoring; or
- in connection with the outbreak of Coronavirus - see the statement about this above.
Less commonly, we may process this type of personal data in connection with legal claims brought against us, or to protect your vital interests (or someone else's) and you are either not capable of giving consent or you have already made the information public.
Our obligations as an employer
We use your special categories of personal data in the following ways:
- We will use information relating to leave of absence, which may include sickness absence or family related leave, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence, and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance.
- If you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, we will use information about your physical or mental health, or disability status in reaching a decision about your entitlements under the share plan.
- We will use information about your gender, race, or national or ethnic origin, to ensure meaningful equal opportunity monitoring and reporting.
- We may use your information in participation with Employee Resource Groups (ERGs) you have involvement with.
Do we need your consent?
We do not need your consent if we use special categories of your personal data to carry out our legal obligations or exercise specific rights in the field of employment, health and safety, and criminal law.
We may ask you to give consent in some cases. If we do, we will give you details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. It is not a condition of your contract with us that you agree to any request for consent from us.
Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where it is necessary to carry out our obligations under employment law, or where role specific background checks are required in line with our background checks policy.
Less commonly, we may use information relating to criminal convictions in connection with legal claims, to protect your vital interests (or someone else's) and you are either not capable of giving consent or you have already made the information public.
We only collect information about criminal convictions if it is appropriate for your role and it is lawful to do so. If it is, we will collect information about criminal convictions as part of the recruitment process or through job-related activities during your time working for us.
We may use your personal data in this way in accordance with the Substantial Public Interest Conditions set out in Schedule 1 of the Data Protection Act 2018.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We may use automated decision-making in the following circumstances:
- where we have notified you of the decision and have given you 21 days to request a reconsideration;
- where necessary to perform a contract with you and appropriate measures are in place to safeguard your rights; or
- with your consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision using any special categories of personal data, we must have your consent, or it must be justified in the public interest and we must also put in place appropriate measures to safeguard your rights.
We will not make automated decisions that have a significant impact on you unless we have told you and have a lawful basis for doing so.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
We may share your personal data with third parties, including service providers and other group companies. We ask those third parties to keep your data secure and comply with the law.
We may transfer your personal data outside of the EEA. If we do, you can expect your personal data to be adequately protected.
Why might you share my personal data?
We may share your personal data with third parties where required by law, where it is necessary to administer our working relationship with you, or where we have another legitimate interest in doing so.
Which service providers use my personal data?
The following service providers process your personal data for the following purposes:
Red Ventures Europe
|Workday||Workday provides our main HR system used for storing and managing employee information|
|Cisco||Cisco provides our IT monitoring capability to help keep our systems secure and to ensure work systems are being used appropriately|
|GSuite (Google Docs, Sheets, Slides, etc.)||Is used for employee communications, office functions, reporting, etc.|
|Microsoft 365 (Outlook, Excel, Word, Powerpoint, etc.)||Is used for employee communications, office functions, reporting, etc.|
|Slack||Slack is used by the company for employee communications|
|Greenhouse||Is our recruitment management platform|
|Lyra||Emotional and mental health support|
|ICAS||Free and confidential employee assistance helpline|
Red Ventures Limited
|Smith and Williamson||Smith and Williamson is our current payroll provider. The myePayWindow is under Smith and Williamson contract and used for payslips, P45, P60 and as a secure way to exchange data between RV payroll team and Smith and Williamson|
|AVIVA||AVIVA is our pension and group life insurance provider, and RV does not share any personal data with them|
|LifeSearch||LifeSearch is broker for UK benefits, they have access to data via Vitality website, and we send a census file yearly of employees with no personal data included|
|PeopleCheck||Role based Background checks and qualification verification.|
|Vitality Health Limited||Private Medical Insurance|
We will share personal data relating to your participation in any share plans with third party administrators, nominees, registrars and trustees for the purposes of administering the share plans.
How secure are my personal data with third parties
There is always some risk when processing and storing data. As such, we cannot guarantee the security of your data; however, every third party to whom we provide your personal data is required to take appropriate security measures to protect your personal data. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
When might you share my personal data with other Red Ventures companies?
We share your personal data with other Red Ventures companies as part of our regular reporting activities on company performance, in the context of business reorganisations, and for systems maintenance, support and the hosting of data. We will share personal data relating to your participation in any share plans for the purposes of administering such share plans.
What about other third parties?
We may share your personal data with other third parties, for example, in the context of the possible sale or restructuring of the business. In this situation we will, so far as reasonably practicable, share anonymised data.
We may also need to share your personal data with regulators and/or to comply with the law. This includes making returns to HMRC.
Transferring information outside the EEA
We may transfer your personal data to third party service providers located in the USA and other non-EEA countries in order to perform our contract with you.
In relation to data transferred to the USA and other non-EEA countries, we rely primarily on Standard Contractual Clauses to protect your personal data.
You can request information about the measures in place to protect your personal data outside the EEA from the Data Protection Officer.
We have put in place security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, and against unauthorised disclosure and access. We limit access to your personal data to those people (including third parties) who have a business need to access them. They may only process your personal data on our instructions, and they are subject to a duty of confidentiality. You may ask the Red Ventures security team or the Data Protection Officer for further details of these measures.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will only keep your personal data for as long as necessary for the purposes for which we use them (including for legal, accounting, or reporting requirements). Details of retention periods for your personal data are available from the Red Ventures HR team. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, whether we can achieve those purposes through other means, and legal requirements.
We may anonymise your personal data, in which case we may use such anonymised data without further notice to you. Once you are no longer an employee or contractor we will retain and securely destroy your personal data in accordance with our data retention policy.
Rights of access, correction, erasure, and restriction
Keeping your personal data up to date
To help us keep your personal data up to date and accurate, please tell the Red Ventures HR team if your personal details change during your working relationship with us.
Your rights in connection with personal data
You have the legal right to:
- Request access to your personal data. You have a right to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of your personal data. You may have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. You may ask us to delete or remove personal data where there is no good reason for us continuing to use them. You may also ask us to delete or remove your personal data if you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we rely on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. However, if our legitimate interests are such that they override your data protection rights, then we may continue to process your personal data despite your objection.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another organisation, but only where you have provided that data to us in the first place.
If you want to exercise any of these rights, please contact the Data Protection Officer in writing.
We comply with the law with respect to all requests, which means that there may be legal reasons why we are not able to fulfil your request.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights), however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive: alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
Should you wish to exercise any of your rights set out above, we may need to request information from you to help us confirm your identity and to ensure that you are entitled to exercise your rights, such as to access the personal data (or to exercise any of your other rights). This is to ensure that personal data are not disclosed to anyone who is not entitled to receive it or is deleted or changed without your knowledge or consent.
Right to withdraw consent
Where we have asked you, and you have consented to the collection, processing and transfer of your personal data, you have the right to withdraw your consent at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process such personal data for the purpose you originally agreed to, unless we have another lawful basis for doing so.
Data protection officer
We have appointed a Data Protection Officer to oversee compliance with this notice. If you have any questions about this privacy notice or how we handle your personal data, please contact the Data Protection Officer. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues.
Changes to this privacy notice
We may update this privacy notice at any time, and we will make the new privacy notice available to you (usually on Appy Intranet). We may also notify you in other ways from time to time about the processing of your personal data.