Data Protection Policy

 Data Protection Terms and Conditions These are the terms and conditions for the contract between: 

 — us, Officehero Management LTD trading as B2B Facility Solutions

— you, our customer; 

for us to provide you with the services set out in the client agreement attached to these terms and conditions. 

Data Protection 

For the purposes of the contract, you are the ‘data controller’ and we are the ‘data processor’ for personal data processed in connection with the contract (employee data), as per the meanings given to them under the  General Data Protection Regulation (GDPR). In limited circumstances, we may also be a ‘data controller’  regarding the methods of processing data to facilitate the contract. 

When we process personal data for the purposes of the contract we will do the following: 

1. Do so only for the purpose of meeting our obligations under the contract, or where the law permits us to do so.  

2. Comply with all relevant instructions or requests you give us about processing this personal data.  

3. Take appropriate security measures to protect this personal data against unauthorised or unlawful processing, and accidental loss, destruction or damage. Those measures will take  account of:  

• the nature of the information and the harm which could arise from such processing,  loss, destruction or damage; and  
• the technology available; and  
• the cost of taking the measures.  

4. Not allow this personal data to be transferred out of, or processed outside, the European  Economic Area. unless we have taken such measures as are necessary to ensure the transfer is compliant with all applicable data protection laws. 

5. Not pass this personal data to any third party (other than our sub-contractors and key service  providers) unless there is a legal or statutory obligation to do so, or: 

• we have your permission in writing; and  
• we have entered into a written contract with that third party and they agree to meet  obligations that are equivalent to those set out in this clause; 

6. Will only engage third-party sub-contractors provided that:  

• We maintain an up-to-date, and accessible, list of its sub-contractors which we shall  update with details of any change in sub-contractors at least 10 days prior to any  such change - consent is deemed to be given (where required) if no objection is  received within 30 days of updating this list
• We impose data protection terms on any sub-contractors we appoint that require it to protect the Data to the standard required by Applicable Data Protection Law. 

7. Provide reasonable and timely assistance to assist you in dealing with data protection related  requests relating to the data we hold, including to respond to:  

• any request from a data subject to exercise any of its rights under the Applicable Data  Protection Law 
• any other correspondence, enquiry or complaint received from a data subject,  regulator or other third party in connection with the data we hold  

8. Inform you of any high-risk activities relating to your data, and corporate, with any risk  assessments required  

9. Inform you of any data breaches relating to your data without undue delay 

10. Delete or return to you any personal data provided for the purpose of this contract

11. Make sure that all our personnel who need access to this personal data for the purposes of  the contract keeps to this clause.  

12. Allow you, after you have given reasonable notice, to enter our premises or any other  location where this personal data is processed so you can make sure this clause is being met.  For this purpose, you will have the access you need to facilities, staff, systems, records,  books, accounts and relevant information. 

Officehero Management LTD trading as B2B Facility Solutions (“we” or “us”) is committed to data protection and data privacy. We have undertaken a review on the way we handle data and the way in which we use it to provide our services and manage business operations. 

We hold personal data on all our employees to meet legal obligations and to perform vital internal functions. This notice details the personal data we may retain, process and share with third parties relating to your employment and vital business operations. We are committed to ensuring that your information is secure, accurate and relevant. To prevent unauthorised access or disclosure, we have implemented suitable physical, electronic, and managerial procedures to safeguard and secure personal data we hold. 

INTRODUCTION 

We have issued this notice to describe how we handle personal information that we hold about our staff and job applicants (collectively referred to as "you"). For the purposes of this notice, the term "employee" includes [INSERT SCOPE OF NOTICE] We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law. This notice sets out the personal data that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.   If you are in any doubt regarding this notice, please contact [INSERT].   

TYPES OF PERSONAL DATA WE COLLECT   

During your employment with us, or when making an application for employment, we may process personal data about you and your dependents, beneficiaries and other individuals whose personal data has been provided to us. 

The types of personal information we may process include, but are not limited to:  

• Identification data   
• Contact details 
• Employment details 
• Background information 
• Spouse & dependents information, marital status. 
• Financial information. 
• IT information.   
• If you are a temporary employee, contract worker or consultant, the type of personal information we process is limited to that needed to manage your specific work assignment.
• References relating to previous roles and employment conduct may be undertaken prior to commencement of employment. We will only gather references from referees provided to us by the employee, or prospective employee.   
  

Sensitive personal data (‘special categories of personal data’ under UK Data Protection legislation) includes any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life. Generally, we try not to collect or process any sensitive personal information about you, unless authorised by law or where necessary to comply with applicable laws. In some circumstances, we may need to collect some sensitive personal information for legitimate employment-related purposes: for example:   data relating to your racial/ethnic origin, gender and disabilities for the purposes of:  equal opportunities monitoring;   to comply with anti-discrimination laws; and   for government reporting obligations;    data relating to your physical or mental health to:    provide work-related accommodations,   health and insurance benefits to you and your dependents; or   to manage absences from work.  

PURPOSES FOR PROCESSING PERSONAL DATA

1. Recruitment

If you are applying for a role with us then we collect and use this personal data for recruitment purposes – in particular, to determine your suitability for a specific role. This includes assessing your skills, qualifications and verifying your information, carrying out reference checks andbackground checks (but only where necessary)and to generally manage the hiring process and communicate with you about it.    If you are accepted for a role with us, the data collected during the recruitment process will form part of your ongoing employee record.   For more information, please see [insert link to public notice for recruitment data] 

2. Employment 

We collect and process personal data relating to our employees to meet our obligations under the employment contract and to comply with our legal obligations. We take the security of your data seriously and are committed to being transparent about how we collect and use that data and to meeting our data protection obligations. 

Once you become an employee, we collect and use this personal information for managing our employment or working relationship with you – for example, your employment records and contract information (so we can manage our employment relationship with you), your bank account and salary details (so we can pay you), your equity grants (for benefits plan administration) and details of your spouse and dependents (for emergency contact and benefits purposes). 

Where we process special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that we use for these purposes is anonymised or is only collected with the express consent of employees, which can be withdrawn at any time. 

We have policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed without authorisation and only accessed or used for specific legal purposes.    

You have some obligations under your employment contract to provide the organisation with data. You may also have to provide the organisation with data in order to exercise your statutory rights,   such as in relation to statutory leave entitlements. Failing to provide this data may mean that you are unable to exercise your statutory rights.  

We process our employees' personal information through a global human resources system ("HR System") called [INSERT DETAILS e.g. Atlas], which is a tool that helps us to administer HR and employee compensation and benefits at an international level and which allows staff members to manage their own personal information in some cases. This is provided by Citation [INSERT COMPANY NAME - .e.g. Citation Ltd] who utilise third-party servers via Microsoft Azure to hold its HR System data and other business services; these are both based in the United Kingdom and have been assessed against stringent security requirements to ensure that all appropriate security controls are in place to protection personal information.  

3. Legitimate business purposes 

We may also collect and use personal information when it is necessary for other legitimate purposes, such as to help us conduct our business more effectively and efficiently – for example, for general IT security management, accounting purposes or financial planning. We may also process your personal information to investigate violations of law or breaches of our own internal policies.   [The IT Department will record and monitor usage of all our IT equipment, user activity, voice traffic, email and Internet usage as deemed necessary. The IT Department will observe the strictest confidentiality when undertaking these activities. They will make their report directly to [INSERT] who will determine the actions that may need to be taken in any particular case.] Our site(s) is/are protected by closed-circuit television (CCTV) systems throughout its premises as deemed necessary and employees should expect all areas (other than those where use would contravene common decency) to be visible on a television monitoring system. Any information obtained from systems will be used with strict adherence to the UK Data Protection legislation. Information will be used for the prevention and detection of crime and to ensure compliance with our policies and procedures and our legal obligations. This may include using recorded images as evidence in disciplinary proceedings. 

4. Legal purposes 

We may also use your personal data where we consider it necessary for complying with laws and regulations, including collecting and disclosing employee personal information as required by law (e.g. for tax, health and safety, anti-discrimination laws), under judicial authorisation, or to exercise or defend our legal rights. 

LEGAL BASIS FOR PROCESSING PERSONAL DATA

Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the way we collect it. We will normally collect personal data from you only where we need it to perform a contract with you (i.e. to manage the employer/employee relationship), where we have your freely given consent to do so, or where the processing is in our legitimate interests and only where this interest is not overridden by your own interests or fundamental rights and freedoms.  In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.   Any processing based on consent will be made clear to you at the time of collection or use – consent can be withdrawn at any time by contacting [INSERT] 

WHO WE SHARE PERSONAL DATA WITH

We take care to allow access to personal data only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the data is used in a manner consistent with this notice and that the security and confidentiality of the data is maintained.   

1. Transfers to third-party service providers 

In addition, we make certain personal data available to third parties who provide services to us. We do so on a "need to know basis" and in accordance with applicable data protection and data privacy laws.   For example, some personal data will be available to our employee benefit plans service providers and third-party companies who provide us with employment law advice, health and safety support, payroll support services, expenses, tax and travel management services.    Please see ‘Annex A – Third party processors’ at the end of this document for further detail of any third-party service provider and the information provided to them. 

2. Transfers to other third parties 

We may alsodisclose personal data to third parties on other lawful grounds, including: 

• To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process 
• In response to lawful requests by public authorities (including for national security or law enforcement purposes) 
• As necessary to establish, exercise or defend against potential, threatened or actual litigation 
• Where necessary to protect the vital interests of our employees or another person   
• In connection with the sale, assignment or other transfer of all or part of our business; or
• With your freely given and explicit consent  

TRANSFER OF PERSONAL DATA ABROAD

We may need to transfer personal data to countries outside of the United Kingdom. When we export your personal data to a different country, we will take steps to ensure that such data exports comply with applicable laws. For example, if we transfer personal data outside the European Economic Area (EEA) to a country without an EK or UK Adequacy Agreement, such as to the United States, we will implement an appropriate data export solution such as entering into contracts with the data importer that includes an International Data Transfer Addendum, and where necessary we will perform an International Transfer Risk Assessment..   

DATA RETENTION

Personal data will be stored in accordance with applicable laws and kept for as long as needed to carry out the purposes described in this notice or as otherwise required by law. Generally, this means your personal information will be retained until the end or your employment, employment application, or work relationship with us plus a reasonable period of time thereafter to respond to employment or work-related inquiries or to deal with any legal matters (e.g. judicial or disciplinary actions), document the proper termination of your employment or work relationship (e.g. to tax authorities), or to provide you with ongoing pensions or other benefits.   [For more information, please see our Data Retention Policy, which outlines our current document retention schedule.] 

YOUR RIGHTS 

You may exercise the rights available to you under data protection law as follows: 

• The right to be informed. 
• The right of access. 
• The right to rectification. 
• The right to erasure. 
• The right to restrict processing. 
• The right to data portability. 
• The right to object. 
• Rights in relation to automated decision making and profiling.  

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can read more about these rights at: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/ To exercise any of these rights, please contact [INSERT].   

Annex A - THIRD PARTY PROCESSORS

The following are our key third-party processors who will, during your employment, process your personal data. 

1. Citation 

We outsource our HR system to Citation who hold records on all our employees, which may include:

• Name and address 
• Email address 
• Salary and conditions of employment 
• Performance 
• Disciplinary and grievance notes 
• Qualifications and training records  

We outsource our Health and Safety management to Citation, who may hold records on the following:

• Incidents involving our employees 
• Risk assessments relating to our employees 
• Training records  

Citation’s systems use a secure cloud solution. Information on Citation’s security is available by contacting [INSERT]. 

 We process personal data relating to those who apply for job vacancies with us or who send speculative job applications to us. We do this for employment purposes, to assist us in the selection of candidates for employment, and to assist in the running of the business. 

The personal data may include identifiers such as:

• name
• date of birth
• personal characteristics such as gender
• qualifications and 
• previous employment history.

We will not share any identifiable information about you with third parties without your consent unless the law allows or requires us to do so. 

The personal data provided during an application process will be retained for at least six months or, if required by law, for as long as is required. 

This privacy notice does not form part of an employment offer or contract between us. If we make an employment offer to you, we will provide further information about our handling of your personal information in an employment context separately.

If you would like to find out more about our data retention policy and how we use your data, you want to see a copy of the information about you that we hold or have any questions or issues regarding data protection, please email us with the Subject “Data Protection Request”.