Personal data is processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable national and European privacy legislation and regulations (together the “data protection law”). The relevant local data protection regulator is the Information Commissioner’s Office.
The glossary in the Annex defines some of the terms used in this policy.
To the extent the company decides why and how personal data is processed, the company is a data controller of such personal data.
The company may process personal data of, for example, employees, former employees, temporary workers, self-employed persons, job applicants, contractors, suppliers, customers, and visitors.
3. TYPES OF PERSONAL DATA
3.1 Employees and Contractors
The company collects and processes personal data in relation to our employees, candidates for employment and contractors, as well as our former employees and former contractors. This personal data includes: personal details such as name, date of birth, social security number, bank account details, next of kin, details of social media accounts, visa / passport data; contact details such as address and phone number(s); personnel file details including, for example, terms and conditions of employment, training, performance evaluations, promotions, personal development plans, conduct and disciplinary data, work location, salary information, bank account details and tax and social security numbers, security clearances; employment history/application details such as educational history and employment history; editorial or journalistic content such as links to works e.g. links to video files or audio files; CCTV imagery; medical information such as medical certificates and sick notes; family details such as names and dates of birth of children (e.g. relevant if an individual is applying for parental leave); details required for pension; details regarding trade union membership; and performance related data such as performance management ratings for managers and annual incremental salary reviews of employees, psychometric testing, etc. The above list is not exhaustive but covers the most commonly collected, used and otherwise processed personal data.
3.2 Suppliers and Customers
The company collects and processes personal data in relation to individuals who are, and/or are working with, our suppliers and customers. This personal data may include: personal details such as name, title, position, work identification numbers, department, business unit (including contact data collected for training / verification); and contact details such as email address, telephone number(s) and work location; and tax information such as vat / tax numbers.
3.3 Special Categories of Personal Data
The types of special categories of personal data that the company may process includes, without limitation, health data, information on criminal convictions and biometric data. The company processes all personal data in accordance with data protection law, and, in particular, any special categories of personal data.
4. PURPOSES OF PROCESSING
The company processes personal data for the purpose(s) for which the personal data has been obtained.
Common examples of the reasons why the company processes personal data include: payroll and benefit administration; HR, performance and talent management; operational performance and management; marketing and PR; improving and monitoring health and safety; improvement of business products and services; research and statistical analysis; business strategy; internal audits or investigations; prevention and detection of unlawful and/or criminal behaviour towards us or our customers and employees; and/or fulfilling legal obligations. We may process personal data for other reasons from time to time. The company tries to ensure individuals are informed about the purpose(s) for processing their personal data at the time the company collects consent. Where this is not possible or practicable, the company tries to inform you as soon as possible after the processing of personal data. Individuals have the right to withdraw consent at any time.
The company may process the personal data of various individuals (for example, employees, contractors, customers and candidates for employment) for talent management and workforce evaluation (to potentially include attendance and performance analysis) or for marketing analysis.
The company engages in such processing where: (a) expressly authorised by national law (including for fraud and tax evasion monitoring); (b) necessary for the entering into or performance of a contract; or (c) the individual has given appropriate consent.
6. INDIVIDUAL RIGHTS
Individuals have certain rights under data protection law.
6.1 Inspection and Access: you can request from us a summary and a copy of your personal data which we process or which is processed on our behalf;
6.2 Correction/Addition/Removal: where you believe your personal data is inaccurate or incomplete, you are entitled to request us to correct, amend or delete your personal data;
6.3 Objection: you may object to us processing your personal data based on our legitimate reasons for processing;
6.4 Restriction: you may request that we restrict the processing of your personal data where the accuracy of your personal data is contested, our processing is unlawful, you believe we no longer need the personal data or you have objected to processing; and
6.5 Automated Decision Making: where the company undertakes automated decision making (including profiling), which significantly affects you, you are entitled to object to such decision-making.
The company’s Individual Rights Procedure, available on request, explains how the above requests can be made and how the company will manage these requests.
7.1 Security Measures
The company has technical and organisational measures in place to protect personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.
Personal data is held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, and various IT measures.
For more information on the company’s security measures, please see the Information Security Policy, available on request.
7.2 Personal Data Breach
The company will manage a data breach in accordance with the personal data breach reporting procedure. All data breaches should be reported to Leviat's Data Protection Officer at firstname.lastname@example.org.
8. DISCLOSING PERSONAL DATA
From time to time, the company may disclose personal data to third parties, or allow third parties to access personal data which we process (for example where a law enforcement agency or regulatory authority submits a valid request for access to personal data).
The company may also share personal data: (a) with another member of the CRH Group (including our subsidiaries, our ultimate holding company and its subsidiaries); (b) with selected third parties including business partners, suppliers and sub-contractors; (c) with third parties when we sell or buy any business or assets; or (d) if the company is under a legal obligation to disclose personal data. This includes exchanging information with other companies and organisations for the purposes of fraud prevention.
Where the company enters into agreements with third parties to process personal data on our behalf it will ensure that the appropriate contractual protections are in place to safeguard it. Examples include communications providers, payroll service providers, occupational health providers, marketing or recruitment agencies, operators of data centers used by the company, etc.
9. DATA RETENTION
The company keeps personal data only for as long as the retention of such personal data is deemed necessary for the purposes for which that personal data are processed. Personal data is retained in accordance with relevant laws and company guidelines.
10. DATA TRANSFERS OUTSIDE THE EEA
11. ROLES AND RESPONSIBILITIES
12. COMPLAINTS PROCEDURE
13. ASSOCIATED POLICIES
This policy should be read in conjunction with the following policies and procedures:
• Individual Rights Procedure (available on request)
• Personal Data Breach Procedure (available on request)
• Information Security Policy (available on request)
• Website Privacy Statement
Annex - GLOSSARY
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Data controller” means the entity that decides why and how personal data is processed.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal data” is any information relating to a living individual which allows the identification of that individual. A person is identifiable if his/her identity can reasonably be established from the data without any disproportionate effort. Personal data can include:
Employees and Contractors
1. Personal details such as name, date of birth, bank account details, next of kin, details of social media accounts;
2. Contact details such as address and phone number(s);
3. Personnel file details including, e.g., terms and conditions of employment, training, performance evaluations, promotions, personal development plans, conduct and disciplinary data, work location, salary information, bank account details and tax and personally identifiable numbers such as a social security numbers;
4. Employment history/application details such as educational history and employment history;
5. Editorial or journalistic content such as links to works, e.g. Links to show-reels or audio files;
6. Medical information such as medical certificates and sick notes;
7. Family details such as names and dates of birth of children, e.g. Relevant if an individual is applying for parental leave;
8. Details required for pension;
9. Details regarding trade union membership; and
10. Performance related data such as performance management ratings for managers and annual incremental salary reviews of employees, psychometric testing, etc.
Suppliers and Customers
1. Personal details such as name, title, position, work identification numbers, department, business unit;
2. Contact details such as email address, telephone number(s),
3. Work location; and
4. Tax information such as vat / tax numbers.
“Processing” includes collecting, using, recording, organising, altering, disclosing, destroying or holding personal data in any way. Processing can be done either manually or by using automated systems such as information technology systems and “process” and “processing” shall be interpreted accordingly.
“Profiling” is the automated processing of personal data for the purpose of assessing certain aspects relating to an individual so as to analyse or predict the individual’s performance, decisions or behaviour.
“Special Categories of Personal Data” are types of personal data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special categories of personal data also include the processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any personal data relating to criminal convictions or offences.