1. Introduction

This appendix should be read in conjunction with Wholegrain’s ‘Data Protection Policy’ which provides in-depth information relating to the protection of personal data and the rights of data subjects. This appendix applies to employees of Wholegrain Digital.  This appendix does not form part of your contract of employment and may be amended from time to time.

Data Controller: Wholegrain Digital
Data Protection Officer: Chris Lewis, Managing Director, [email protected].

2. What data does Wholegrain Digital hold about me?

During your employment with us, and for some time after it, we may collect, store, and process the following categories of personal data about you.  

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
  • Date of birth;
  • Gender;
  • Marital status and dependants;
  • Next of kin and emergency contact information; 
  • National Insurance number and tax code;
  • Bank account details, payroll records and tax status information;
  • Salary, annual leave, other absences, pension, and benefits information;
  • Trade union subscriptions and membership;
  • Start date and dates of continuous service;
  • Location of employment or workplace;
  • Recruitment information (including copies of right to work documentation, interview notes, assessments, references, and other information included in a CV or cover letter or as part of the application process);
  • Employment records (including job titles, job descriptions, work history, working hours, training records, development plans, time and attendance records and professional memberships);
  • Compensation and benefits entitlement and history;
  • Expenses claim record;
  • Performance information including appraisals and performance reviews;
  • Details of periods of leave taken by you, including holiday, sickness absence, dependency leave, career breaks, maternity, paternity, adoption, parental and shared parental leave and the reasons for the leave;
  • Disciplinary and grievance information, including warnings, in which you have been involved; 
  • Details of any incidents relating to Health and Safety including risk assessments; 
  • Information about your use of our information and communications systems;
  • Any information relating to your breach, or witness of a breach, of a company policy; 
  • Details of any intellectual property made wholly or partially by you; 
  • Details of any company property or software provided to you;
  • Your consent to Wholegrain collecting, holding, and processing your personal data;
  • Your image, whether captured by photograph or video; 
  • Any other category of personal data which we may notify you of from time to time.

We may also collect, store, and use the following “special categories” of more sensitive personal information as detailed below and for the following specific purposes:

  • Information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions to ensure meaningful equal opportunity monitoring and reporting;
  • Information about your health, including any medical condition, health, and sickness records (which may include genetic and biometric data) including whether or not you have a disability for which the company needs to make reasonable adjustments and in relation to our Health and Safety responsibilities;
  • Information about criminal convictions, offences and DBS checks processed as part of our engagement procedures and, where necessary, in the course of your employment to comply with legal and regulatory obligations to which Wholegrain Digital is subject, in addition to grievance or investigation matters and associated hearings.

3. How is my personal information collected?

Usually we collect personal information about employees through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies, immigration advisors or other background check agencies, in addition to UK Visas and Immigration, doctors, medical/occupational professionals, the Disclosure and Barring Service, consultants and other professionals who advise us.

We will collect additional personal information during work-related activities throughout the period of you working for us and for some time after, as detailed in this appendix. 

Data is stored in a range of different places, including in your employee file, in Bamboo HR and in other IT systems (including the company’s email system).

4. How will you use the information about me?

We will use your personal information only when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our responsibilities in relation to your contract of employment with us. For example, in order to pay you in accordance with your contract of employment and to administer benefits available to you; 
  • Where we need to comply with a legal obligation. For example, we are required by law to check an employee’s entitlement to work in the UK, to deduct tax, to comply with Health and Safety laws and to enable employees to take periods of leave to which they are entitled;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests);
  • Where it is needed in the public interest or for official purposes.

5. Situations in which you will use my personal information

We need all the categories of information in the list above (see ‘What data does Wholegrain Digital hold about me?’) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information for our legitimate interests or those of third parties, provided that your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below:

  • Making a decision about your recruitment or appointment;
  • Running recruitment and promotion processes;
  • Maintaining accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights to ensure equal entitlement;
  • Operating and keeping a record of disciplinary and grievance processes to ensure acceptable conduct within the workplace, in addition to undertaking procedures with regard to both of these if the need arises;
  • Ensuring employees are compliant with company policies and procedures;
  • Operating and keeping a record of employee performance and related processes, to plan for career development, for succession planning and workforce management purposes;
  • Keeping a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • Gaining occupational health advice when making decisions about an employee’s fitness to work, ensuring Wholegrain complies with duties in relation to individuals with disabilities and to meet its obligations under health and safety law;
  • Operating and keeping a record of all types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  • Ensuring effective general business administration, for example in business planning, restructuring, and maintenance of IT systems/security to avoid unauthorised access;
  • Undertaking organisational change and transfer of undertakings (TUPE);
  • Maintaining training and apprenticeship records;
  • Determining the terms on which you work for us;
  • Checking you are legally entitled to work in the UK; 
  • Paying you and deducting tax and National Insurance contributions; 
  • Providing relevant benefits to you;
  • Liaising with your pension provider;
  • Administering the contract that applies to our working relationship with you; 
  • Business management and planning, including accounting, auditing, workforce planning and work allocation; 
  • Conducting performance reviews, managing performance, and determining performance requirements;
  • Making decisions about salary reviews and compensation;
  • Assessing qualifications and/or experience for a particular job or task;
  • Gathering evidence for possible grievance or disciplinary hearings to ensure acceptable conduct within the workplace and undertaking procedures with regard to both of these if the need arises;
  • Ensuring you are aware of, and compliant with, relevant company policies and procedures;
  • Making decisions about your continued employment;
  • Making arrangements for the termination of our working relationship;
  • Providing references on request for your future employer;  
  • Recording education, training, and development information, so as to operate and keep a record of performance and related processes to plan for succession planning and workforce management purposes;
  • Dealing with legal disputes involving you, or other employees, workers, and contractors, including accidents at work;
  • Gaining occupational health advice when making decisions about your duties in relation to your health and/or disability;
  • Managing time and attendance; 
  • Managing company assets and property;
  • Conducting employee engagement surveys;
  • Managing sickness absence;
  • Complying with health and safety obligations so as to maintain a safe working environment;
  • To prevent fraud and breaches of security;
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies;
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
  • To conduct data analytics studies to review and better understand employee retention and attrition rates;
  • Equal opportunities monitoring.

Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.

6. Who has access to my personal data?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Your personal data will be accessed by the following if access to the data is necessary for the performance of their roles and activities:

  • Your Line Manager;
  • The Directors of Wholegrain;
  • External payroll and expenses providers;
  • External pension and benefit providers;
  • Bamboo HR; 
  • External HR consultant;  
  • External financial, banking and legal advisors; 
  • External Health and Safety advisors;
  • External training and development advisors/providers;
  • External IT support services; 
  • Security at Somerset House; 
  • External occupational health advisors.

Wholegrain Digital may also share your data with third parties in order to obtain pre-engagement references or checks from other employers or organisations including obtaining necessary criminal records checks from the Disclosure and Barring Service.  

Where the company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. 

Your data may be transferred to countries outside the European Economic Area (EEA) by our third parties. In the event that a third party will do so on the company’s behalf, the company will ensure that the necessary protocols are in place prior to any transfer occurring.

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

7. What happens if I fail to provide my personal information?

If you do not provide certain information when we ask for it, we may not be able to perform the contract that applies to our working relationship with you (such as paying you or providing a benefit), or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers).

8. Change of purpose

We will only use your personal information for the purposes that we have collected it for, unless we need to use it for another reason and that reason is reasonable and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or allowed by law.

9. How do you use special categories of my personal information?

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information. 

Special categories include information that relates to the following:

  • Health;
  • Sex life;
  • Sexual orientation;
  • Race;
  • Ethnic origin;
  • Political opinion;
  • Religion;
  • Trade Union membership; and 
  • Genetic and biometric data.

We may process special categories of personal information in the situations below:

  • In limited circumstances, with your clear written consent;
  • Where we need to carry out our legal obligations;
  • Where it is required for reasons of substantial public interest;
  • Where you have already made the data public.

We will use your special categories of personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family-related leave and related pay, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under law. However, we may ask you for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

10. What processes do you have in place to ensure the security of my personal data?

Please refer to the ‘Data and IT Security Policy’ for details regarding the measures that Wholegrain Digital have in place to protect the security of your personal data.

11. How long will you keep my personal data for?

The periods of retention of data are set out in the company’s ‘Data Retention Policy.’

12. Do you hold information about criminal convictions?

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy or other policy that applies to such information.

Very occasionally, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We do not envisage that we will hold information about criminal convictions.

13. Do you use automated decision-making?

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration;
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights;
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.

14. Data sharing outside the EU

We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

If you have any questions about this appendix then please contact the Data Protection Officer.