Employment Privacy Policy

Commissum is committed to protecting your personal data and respecting your privacy.

1. Introduction

This privacy policy (“Privacy Policy”) sets out the basis on which any personal data that Commissum collects from or about you when you interact with us as a prospective, current or former employee, will be processed by us. It also explains how we will store and handle that data and keep it safe. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

This Privacy Policy is issued on behalf of Commissum so when we mention “Commissum”, “we”, “us” or “our” in this Privacy Policy, we are referring only to Commissum, which encompasses the group of companies operating under the Commissum brand, whether in the UK or other territories. It is Commissum that is the data controller in respect of any personal data we collect about you.

2. What Information Do We Collect?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, title, photographs, gender, National Insurance number, identity document data (e.g., driving licence);
  • Contact Data includes address, email address and telephone numbers;
  • Career Data includes curriculum vitae, education details, employment history, links to your professional profiles available in the public domain, e.g. LinkedIn, Twitter, business Facebook or corporate website, and referee details;
  • Immigration Status Data includes passport or visa details;
  • Financial Data includes bank account, tax-related details, details about your current or previous employment remuneration, pensions and benefits arrangements;
  • Payroll Data includes details about payments to and from you;
  • Employment Data includes records of attendance, history, terms and conditions, training, disciplinary action, and records of role changes;
  • Family Data includes family member identity data for background checks, family health data as it pertains to your employment;
  • Criminal Data includes criminal convictions and offences;
  • Health Data includes disabilities, details of long- and short-term illnesses, and details of accidents occurring while you are conducting your role duties;
  • Additional Data which you may choose to share with us that you think is relevant.

The source of the personal data above will be either yourself, your referees, internal company management, trusted third parties such as recruitment agencies and vetting organisations, government departments or publicly accessible sources.

We may also collect, use and share Aggregated Data such as statistical data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Where we collect information about your health and criminal convictions and offences, these are considered Special Categories of Personal Data. We may also use biometric data (fingerprints) for identification and access to personal devices issued only to you where the data is not stored elsewhere and is not available to anyone else; however, as alternative means are available (usernames, passwords, PINs, etc.) as will be explained at the time, if you choose to use biometric data we consider this as your explicit consent to do so.

We do not collect or process any other Special Categories of Personal Data.

3. If You Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract that we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have, or are trying to enter into, with you, for example, to begin employment. In this case, we may have to cancel the offer of employment you have with us, but we will notify you if this is the case at the time.

4. When is Your Personal Data Collected?

We collect data from and about you during onboarding when you join the organisation, or prior to joining the organisation, and during the course of your employment with us. You will provide us with your personal data by completing the relevant onboarding forms including security background check forms and payroll details, and other forms at such times as the information is required.

5. How Do We Use Your Personal Data?

The law on data protection sets out a number of different reasons for which a company may collect and process personal data. Our uses of your personal data comply with the law, and include the following lawful bases:

  • To allow us to enter into and/or perform our contract with you, and enable us to comply with our legal obligations, such as employing you as a member of Commissum staff;
  • If the law requires us to, we may need to collect and process your data, for example to HMRC for tax purposes, or where people are involved in fraud or other criminal activity affecting Commissum, we may be required to share personal data with law enforcement;
  • In specific situations we may require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms. These legitimate interests include the use of biometric data for fingerprint authentication to computing devices.

6. Sharing Your Data with Third Parties We Instruct

We sometimes share your personal data with trusted third parties. For example, third party suppliers providing services on our behalf such as background checks and payroll.

When we do share your data with third parties we only provide the information they need to perform the service. They may only use your data for the exact purpose we specify to them and we work closely with them to ensure your privacy is secure and respected.

7. International Transfers of Your Personal Data

We are a global business and some of our offices and service providers are located in countries outside of the UK. As a result, personal data that we collect from you may be transferred to, accessed and/or stored outside the UK in order to provide our services.

If we do this, we have procedures in place to ensure your data receives the necessary protections. Any transfer of your personal data will follow applicable laws and we will treat the information under the principles set out in this Privacy Policy. In addition, any transfer of your personal data to a third country or international organisation will only ever take place on the following conditions:

  • Adequate data protection measures are in place for the destination country, as determined by the ICO
  • ICO-approved model clauses are in place between us and any joint controller or processor

For further details, please get in touch using the information provided in the ‘Contacting Us’ section.

8. How Long Will We Keep Your Personal Data?

We will only keep your personal data for as long as we need to in order to fulfil the relevant purpose(s) it was collected for, as set out in Section 5 of this Privacy Policy, and thereafter for as long as we need to keep it for legal purposes or a reasonable period as defined in our Retention Policy.

At the end of that period, your data will either be deleted or completely anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

For example, staff data is kept as long as the individual is employed by Commissum plus 6 years. When you cease employment with Commissum we will retain your data for 6 years to comply with legal and contractual obligations.

9. Ensuring Your Data is Up to Date and Correct

It is important that the personal information we hold about you is accurate and current. If your details should ever change, please advise a member of HR so your details can be updated.

10. Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have in place an Information Security Management System (ISMS) certified to ISO 27001 and have put into effect suitable physical, electronic, contractual and managerial procedures to safeguard and secure the information we collect from and about you in accordance with this Privacy Policy.

11. Your Rights

Data protection laws provide you with the following rights to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
  • Request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it;
  • Request the transfer of your personal information to another party in specific circumstances; and
  • Request not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect or similar significant consequence; note Commissum does not process any personal information in this way.

You also have the right to object to the processing of your personal information where we are relying on your consent, or a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded, excessive, or is a duplicate of a previous request you’ve submitted. Alternatively, we may refuse to comply with the request in such circumstances.

We may also need to request specific information from you to help us confirm your identity and ensure your right to exercise any of your rights. This is an appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

12. Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact them by calling 0303 123 1113. Or go online to www.ico.org.uk/concerns.

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.

13. Contacting Us

If you have any queries, comments or requests regarding this Privacy Policy or you would like to exercise any of your rights set out above, you can contact us in the following ways:

  • By email at dataprotection@commissum.com
  • By post at Data Protection Officer, Commissum Associates Ltd, 5 Mitchell Street, Edinburgh, EH6 7BD