This Policy reflects the requirements of the European Data Protection Regulation (“GDPR”) as it came into effect on May 25, 2018. This provides you with all the necessary information on the personal information Rixxo Limited holds on its job applicants, volunteers, temporary workers, subcontractors and employees.
Rixxo provides this information in pursuit of a transparent relationship with all the people we work with and in adherence to the values of the business.
- “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
- “Authorised Affiliate” means any of The Client Affiliates permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.
- “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
- “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
- “Client Data” means any data that The Company and/or its Affiliates processes on behalf of The Client in the course of providing the Services under the Agreement.
- “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
- “EU Data Protection Law” means (i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).
- “Personal Data” means any Client Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.
- “Processor” means an entity that processes Personal Data on behalf of the Controller.
- “Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
- “Sensitive Data”. The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing (see Article 10).
- “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
- “Services” means any product or service provided by The Company to The Client pursuant to and as more particularly described in the Agreement.
- “Sub-processor” means any Processor engaged by The Company or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or any Affiliate of The Company.
Rixxo holds personal details on applicants, volunteers, temporary workers, subcontractors and employees; including name, address, personal and professional email addresses and contact numbers, as well as availability details, skills and work requirements. We also hold information on next of kin or emergency contacts as provided.
In addition to this we keep information that relates to pay, tax, pension, professional accreditations and performance related information.
Sensitive personal data, for example information relating to criminal convictions, a protected characteristic or a health matter, must not be passed on to any third party without the express written consent of the individual.
The types of data held:
- Date of Birth
- Telephone number
- Mobile telephone number
- Personal email
- Work email
- Home address
- Next of kin details
- Relationship status
- Employment history
- Bank name
- Bank account details
- National insurance details
- Tax code
- P45, P60, P11
- Doctors' notes
- Medical history
- Past or spent criminal convictions
- Time keeping
- Performance records
- Professional references
- Employment contracts
- Absent from work records
- Curriculum Vitaes
- Time off
- Disciplinary records
- Grievances at work
- Health and safety information
These details are processed for recruitment and payroll purposes. This includes processing carried out on any type of computer or device, including server, desktop, laptop, tablet or any mobile device.
Personal data is only to be processed with the consent of the person whose data is held.
Therefore, if they have not consented to their personal details being passed to a third party, this may constitute a breach of the Data Protection Act 1998. By applying for a job and/or providing us with personal data, people will be giving their consent to processing their details for recruitment purposes. Personal data used for any other purpose requires the consent of the person(s). Personal data on candidates may be stored to allow Rixxo to notify people of future job openings.
Caution should be exercised before forwarding the personal details of any individuals on whom personal data is held, to any third party such as past, current or prospective employers, suppliers, customers and clients, persons making an enquiry or complaint and any other third party.
Lawful Basis For Processing
Rixxo holds a ‘Lawful Basis For Processing Personal and Sensitive’ as set out by the Information Commissioner’s Office (ICO) in relation to the GDPR regulations set out here.
Storage of Data
Data is stored securely within Rixxo’s document storage systems, accounting and HR software.
Personal data is reviewed on a regular basis to ensure that it is accurate, relevant and up to date. Rixxo employees are responsible for doing this by logging into Rixxo’s HR software.
HMRC requires that payroll details are kept for three tax years and invoice related details for six tax years. Pension details are required to be stored for 75 years.
Rixxo is also required to maintain records in relation to grants funded by Government Organisations for a period of up to 40 years.
Rixxo holds information on organisations, including contact names, addresses and telephone numbers. It also stores details about temporary and permanent jobs for recruitment and invoicing purposes. As stated above, invoice details are kept for six years in compliance with our legal obligations.
We may have to share your data with third parties, including third-party service providers and other entities in the group.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
Some of our external third parties are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Which third-party service providers process my personal information?
“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: IT services, such as Marvel Business Solutions Ltd extended payment plans, and payment processing providers, market research, product fulfilment and data analytics. The activities for which we use third-party service providers may change from time to time in order for us to meet the needs of the business.
How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
What about other third parties?
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may need to share details relevant to staff socials, events or similar, but will request permission before doing so. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us by emailing firstname.lastname@example.org.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.