Ergomed Employee Data Protection Notice
Published: 23 April 2024
As a responsible and forward-looking business, the Ergomed group of companies recognizes the need to comply with applicable data protection legislation and ensure that effective measures are in place to protect the personal data of our employees, customers, and other stakeholders.
As an employer, Ergomed must meet its contractual, statutory, and administrative obligations. Please bear in mind that your direct employer is part of the international group with ERGOMED Group Limited, with registered offices at 1 Occam Court, Surrey Research Park, Guildford, GU2 7HJ Surrey, United Kingdom, as the parent company (“Ergomed”).
This privacy notice elaborates on what to expect when Ergomed collects personal information about you. However, please note that the information we will process about you will vary depending on your specific role and personal circumstances. Ergomed is the controller for this information unless this notice specifically states otherwise.
1. How do we get your information (personal data sources)
We will have asked you to provide much of this data directly when you started your employment. Alternatively, we may have asked you for it during your employment, or you may have provided it to us independently so that we could help you with something.
If we do not receive information directly from you, we either generate it ourselves (such as your Employee ID and username) or we will receive it from third parties, such as:
- Government tax offices (Not applicable to all countries)
- Pension Scheme providers
- Disclosure and Barring Service (or local equivalent)
- Occupational Health Providers
- From an employment/recruitment agency
- From referees, either external or internal
- From providers of staff benefits
- CCTV images from our landlords or taken using our own CCTV systems
We request data from you when you:
- Submit a successful application for a job with us
- Respond to requests for information from our Onboarding tool
- Complete your new starter and payroll forms
- Update your personal record via the Cezanne Self Service system during employment or ask us to update your record in any way
- Supply emergency contact details – in which case we will assume that the person whose details you give us is happy for these details to be shared by you
- Request parental leave, in which case we will receive the spouse/partner’s name and the name of their employer from you or from your spouse/partner’s employer
- Share it during the course of your employment, for example, during correspondence with you, during the annual appraisal process, if you need to take sick leave, or if your role changes
- Provide job history, experience, education, and professional memberships information when completing CV forms in Cornerstone
Please note that we may receive and/or retain data in various forms, whether in writing, electronically, verbally or otherwise. You will inevitably be referred to in many Ergomed documents and records that are produced by you and/or your colleagues in the course of carrying out your business duties.
2. What personal data we process (categories of personal data):
We process the following categories of personal data:
Personal Information
- Your name
- Photograph
- Employee Username
- Employee ID
- Date of Birth
- Gender
- Nationality
- Personal ID Number, NI Number/Social Security Number (Varies by location) and Expiry date
- Copies of documentation proving your right to work, such as your passport or visa
- Contact Details (address, Phone numbers and personal email etc.)
- Marital Status (in some countries for the purpose of Social Security, Taxes and/or Medical Insurance)
Job Information
- Your role title and department
- Information about your employee contract such as:
  - Start Date/s
  - Hours
  - Contract Type
  - Salary
  - Bonus/commission payments
- Information about any benefits you receive/have received
  - Pensions schemes
  - Short Term Benefits such as Car Allowance/Discretionary Bonuses and Meal Allowances
  - Long term benefits such as options scheme
- Details of periods of leave taken by you, including:
  - Holiday
  - Sickness Absence
  - Family leave
  - Sabbaticals
- Your bank details for pay and expenses purposes
- Working time records
Performance Information
- Assessments of your performance, including:
- Appraisals
- Performance reviews and ratings
- Training you have participated in
- Performance improvement plans
- Promotions
- Salary Review Information
- Details of any disciplinary or grievance procedures in which you have been involved, including:
- Any warnings issued to you and related correspondence
Education and Work History
- Details of your:
- Qualifications
- Skills
- Experience
- Employment history
- Membership in professional chambers and associations
- Languages
- Articles and Publications
- References given and received
- Research proposed or undertaken
- Pension Information
Information about your family, lifestyle, and social circumstance
In certain circumstances we will also hold limited information about your spouse, partner, or civil partner, or other individuals. This is collected, for example, where you name them as an emergency contact or where shared parental leave is requested.
Other Information
On occasion external bodies may provide us with information relating to seizure of salary upon debtor’s consent, enforcement decisions.
Your Image
- When this has been captured on CCTV cameras
- During company events and similar (Only with your consent which is provided via our Photo and Recording Consent documents)
Basic information about your activities during your employment with us
Including use of information and communication systems, such as access times from swipe card access, or an IP address if you access information from a device.
Special category data
We may also process some kinds of more sensitive information about you that is classed as ‘special category’ data, and which receives additional protections under law, and in terms of our processing of it.
This includes data about:
- Health, medical conditions, or disabilities
- Ethnicity
- Trade union affiliations, where applicable
- Religious belief (If applicable and only for the observation of religious holidays)
- Marital Status
For certain roles, we are required to seek information about past criminal convictions, working with children or vulnerable adults, and/or your fitness to practice in certain regulated professions.
From time to time, we will ask you to review and update the personal data we hold about you, although you are welcome to review and update this personal data more or less frequently, as you wish.
3. Why do we collect this information?
We take our obligations around the handling of data very seriously, and it is therefore important for you to know the various lawful bases that we rely on under data protection law for the processing of your personal data.
To be able to process your data lawfully, we must rely on a specific lawful basis, depending on the main reason why we need the data. Below we will explain these lawful bases and when they might be used.
Necessary to comply with a legal obligation
We process data about you under this legal basis when we need to comply with local legislation, such as in the areas of employment for tax purposes or to comply with Acts or laws around Equality and health and safety in the workplace.
Necessary to perform a contract with you
We process your data in order to carry out the contract of employment we have with you, or to enter into it in the first place – for example, to ensure you have the right to work in your location, pay you a salary and keep records of disciplinary, complaint or grievance proceedings.
Necessary for the purposes of legitimate interests
Sometimes we will process your data because we have identified a ‘legitimate interest’ in doing so. The legitimate interests we identify are determined through an assessment made by weighing our requirements against the impact of the processing on you. This is done to make sure that our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data.
- Providing you with a security card, IT account and access to an email account, and giving you personalized access to buildings, IT applications, resources and network services such as Wi-Fi
- Monitoring use of IT services to ensure adherence to the Acceptable Use Policy
- Providing you with access to training and development services
- Providing you with access to the online benefits portal to enhance reward offering and visibility
- Enabling effective communications to you about security or operations and to keep you informed and involved with what’s happening at Ergomed Group
- Contacting those people you have named to be notified in the event of an emergency
- Operating and keeping a record of employee performance and related processes to plan for career development, succession planning and workforce management purposes.
- Using staff information to conduct strategic analysis, modeling and forecasting to help the organization plan ahead.
- Analyzing the effectiveness of a service that we provide, such as our annual staff survey. This analysis is carried out at an aggregate level so that you are not identifiable from the data.
- Ensuring that we can keep our offices safe and secure, and taking measures to prevent and detect crime. This involves capturing images of you in our CCTV system. More information about how your data is processed within the CCTV system can be found in the CCTV code of practice which includes a privacy notice for CCTV. This is available upon request.
- With our insurance brokers and insurers and related third parties, e.g., lawyers and loss adjustors for the purpose of risk mitigation, securing insurance cover, maintaining and administering that cover and processing any claims that may arise as a result.
- Complying with our clients’ reasonable and lawful requests.
- Presenting to our clients that you have adequate qualification for the tasks performed.
Necessary to protect your vital interests or those of another person
On rare occasions, we may need to access or share your information in order to protect your life or that of another person, for example in an emergency situation where we cannot gain your consent or to do so could endanger life. We will only rely on vital interests in extremely limited circumstances when no other legal basis is available.
You have given us your consent to process your data for a specific purpose
We may sometimes ask for your consent to do something that involves use of your personal data. We will do this where no other lawful basis applies and where it makes sense to give you the highest level of control over how your data is used by us. For this reason, we will not ask for your consent very often where your data is being processed for employment reasons because one of the other lawful bases listed above will often be more appropriate. However, you would be asked to specifically consent to the processing of your data if, for example, we wished to use your image in marketing materials; wished to send you marketing, or to process your data where we cannot rely on one of the above bases.
Processing in the substantial public interest
For the purpose of securing insurance cover for the general protection of Ergomed and its staff, maintaining and administering that cover and processing any claims that may arise as a result, which inter alia enables our staff to access Ergomed’s insurance whilst on approved business or field trips abroad, study abroad or work placement abroad.
Processing for limited purposes
We do not use profiling or automated decision-making processes which means that people are involved in every decision about you. HR uses an outsourced company that carries out psychometric assessments with managers and they utilize the information to provide an understanding of behavioral preferences. They will only do so having put in place appropriate measures to safeguard your rights and with your explicit consent. Refusal will not be to your detriment.
4. Processing your ‘Special Category’ personal data
Sensitive personal data, called “special category” data in the legislation, receives extra protection under data protection law. We can only process it if we have an additional lawful basis to rely on and meet higher standards for safeguarding it.
Special category data is defined as information which reveals:
- Your race or ethnicity, religious beliefs, sexual life or orientation, or your political opinions
- A trade union membership
- Information about your health, including:
- Any medical condition, health and sickness records
- Occupational health referrals
- Where you leave employment and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision
- Information required for medical physicians and / or pension providers; and
- Details of absences from work (other than holidays) including time on sick leave or statutory / family leave
Of the lawful bases available to us, those we are most likely to rely on in relation to staff data are the following:
- Processing is necessary for the establishment, exercise or defence of legal claims against Ergomed
- We have asked for and received your explicit consent to process your data for a specific purpose
Processing is necessary for us to carry out our obligations or exercise our (or your) rights under employment, social security and social protection law
This would apply when, for example, we:
- Keep a record of reasonable adjustments for a disability to allow us to meet our obligations under local laws and Acts such as the Equality Act
- Ensure that you are physically fit to work in a particular role
- Set up a voluntary salary deduction to a trade union
Processing is necessary for purposes of preventive or occupational medicine and to assess your working capacity as an employee
This would apply when we obtain advice from medical professionals (Occupational Health) with regards to making adjustments to your working practices due to a health condition.
Processing is necessary to protect your life or someone else’s
We will rely on this basis on rare occasions when we cannot reasonably get your consent for whatever reason.
Processing is necessary for statistical purposes
This applies where we respect your right to data protection and where measures are taken to safeguard your rights and freedoms, such as through the collection of minimal data. This includes compiling statistics for equal opportunity initiatives.
If in the future, we intend to process your personal data for purposes other than those for which your personal data were collected, we will provide you with information on those purposes and any other relevant information by way of updating this privacy notice.
5. How long we keep your personal data:
As a principle, information about you will not be kept for longer than it is needed for the purpose it was collected.
We have record retention schedules which document how long different information is required.
As the retention schedules indicate, we need to keep different data for differing periods of time, and you will always be told how long your personal information will be kept, or how we calculate this – this will either be when you give it to us, or if you don’t give it to us yourself, as soon as possible after we obtain or receive it.
If you have any queries regarding how long we keep your data that are not answered in the schedules, please contact DPO@ergomedgroup.com.
6. Who do we share your information with?
Whilst you are working with us, we will need to share certain information both internally between departments and with external parties.
As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need. There is guidance and governance in place to help staff to ensure that only the necessary data is made available to other departments or third parties who would not otherwise have access to it.
Some information must be shared by HR with other departments to complete essential tasks related to your employment, such as payroll, occupational health, pensions and arranging access to IT services.
Other purposes for which personal data may need to be shared internally
- Analysis to ensure our compliance with equality of opportunity and diversity legislation
- Allowing line managers to provide staff with sufficient support in their role
- Ensuring our compliance with legislation, regulation and our own internal controls
- Strategic analysis, planning and forecasting
- Investigating alleged employee misconduct
Third parties with whom information about staff may need to be shared by Ergomed
- Tax Offices such as HMRC, or Health and Safety Executive (HSE) to meet statutory reporting obligations
- External pensions providers to administer staff pensions
- Occupational Health
- Local Law Agencies such as Disclosure and Barring Service to obtain criminal record checks for certain roles
- Law enforcement agencies for the prevention or detection of crime
- External auditors
- Legal advisors to Ergomed, and court of law as necessary
- Emergency response services as necessary to protect your vital interests or those of another person
- Benefit Providers who will manage the online benefits portal on behalf of Ergomed
- Third parties who carry out aspects of processing on our behalf, such as mailing houses
- With our insurance brokers and insurers and related third parties, e.g., lawyers and loss adjustors for the purpose of risk mitigation, securing insurance cover, maintaining and administering that cover and processing any claims that may arise as a result
- We may share your personal data with Clients in order to manage our business
In most cases, information about how your data is shared will be given to you closer to the time by the relevant department.
Data will be stored in a range of different places in HR management systems including third party platforms and on other IT systems (including email).
As we are a global group, there may be circumstances in which it is necessary for us to transfer your personal data to countries outside the European Economic Area, even to those countries that are not deemed to offer an adequate level of personal data protection, in order for us to comply with our legal or contractual requirements. In such cases, we ensure that such transfers are compliant with applicable regulation and that appropriate transfer safeguards are put in place to keep your personal data secured.
If you would like more information about who we share information with, please contact: DPO@ergomedgroup.com.
7. How we protect your information
We take the security of your data seriously. Details on Company-wide measures surrounding IT security can be found in the principal IT Security Policy (IT-POL-003) which sets out the definition of commitment to and requirements of Information Technology and Security. It specifies regulations to be implemented to secure information and technology that the company manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.
We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data.
8. Your rights:
As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information here about your rights as a data subject.
You have the right to:
- Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
- Ask us to confirm that your personal data is being processed and to access (i.e., have a copy of) that data as well as to be provided with supplemental information about the processing.
- Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
- Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
- Restrict the processing of your personal data in certain ways.
- Obtain your personal data for reuse.
- Object to certain processing of your personal data.
If you would like to exercise any of your rights, contact DPO@ergomedgroup.com.
However, please bear in mind that providing your personal data is a contractual requirement and neglecting to provide that personal data may affect our ability to enter into or continue with a labor contract with you, and it may prevent us from complying with our legal obligations.
While we hope we can answer any questions that you may have, if you have unresolved concerns, you also have the right to complain to a relevant data protection supervisory authority. Ergomed is registered with the UK Information Commissioner’s Office as Data Controller of your data and pays the annual fee imposed by local requirements. If you wish to obtain contact details of your local data protection authority, please reach out and we will share relevant contact details.
9. Ergomed Data Protection Contacts:
If you have any concerns as to how your personal data is processed or you would like to obtain a current copy of the personal data we hold about you, you can contact our Data Protection Officer at any time at: DPO@ergomedgroup.com
In addition, please note that Ergomed has appointed a GDPR EU Representative – Ergomed Istraživanja Zagreb d.o.o. If you are located in the EU/EEA, and you would like to contact us or exercise any relevant privacy right, you can reach out to our EU GDPR Representative directly at GDPRREP@ergomedgroup.com or via post at Oreškovićeva 20A, 10010, Zagreb (Croatia).
10. Make a complaint
If you have any concerns about the way that we have handled your personal data, please email the Data Protection team as we would like to have the opportunity to resolve your concerns. If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data. In addition, you can reach out to the local data protection authority to make a complaint. A list of relevant local data protection authorities with contact details can be obtained from the Data protection team.
11. Changes to this Notice:
We may occasionally update this privacy notice. When we do, we will revise the “last updated” date at the top of the privacy notice. If there are material changes to this privacy notice or in how Ergomed will use your personal data, we will use reasonable efforts to notify you either by prominently posting a notice of such changes before they take effect on our websites or by directly sending you a notification. We encourage you to periodically review this privacy notice to learn how Ergomed protects your personal data.
© 2024 Ergomed v1.0 18012024/EN