1. Introduction

This appendix should be read in conjunction with Wholegrain’s ‘Data Protection Policy’ which provides in-depth information relating to the protection of personal data and the rights of data subjects.

This appendix applies to contractors of Wholegrain Digital.  This appendix does not form part of your contract for services and may be amended from time to time.

Data Controller: Wholegrain Digital
Data Protection Officer: Chris Lewis, Managing Director, [email protected].

2. What data does Wholegrain Digital hold about me?

During your engagement with us, and for some time after it, we may collect, store, and process the following categories of personal data about you. 

  • Personal contact details such as name, title, company/business addresses, personal address, telephone numbers, and personal email addresses;
  • Gender;
  • Next of kin and emergency contact information; 
  • Bank account details; 
  • VAT registration number and company name; 
  • Pay per hour/per day/per task/per project information; 
  • Expenses claim record;
  • Start date of your contract for services; 
  • Location of employment or workplace;
  • Time and attendance records;
  • Contractual information such as the start date of your contract for services, the duration of it, termination, obligations on termination, right of substitution, professional indemnity, payment terms, ownership of intellectual property and work procedure, allocation of company property/data/records and the agreement to confidentiality;
  • Engagement information including noted from discussions or referrals from/to third parties, details of qualifications and membership of any professional bodies, CV;
  • Personal data about you from third parties, such as references supplied by former clients;
  • Personal data about you to third parties, such as references requested to future or current clients of yours; 
  • Payment and invoice records;
  • Performance information including feedback to you, training, or team events you have participated in at Wholegrain’s expense; 
  • Details of any incidents relating to Health and Safety including awareness of Wholegrain risk assessments; 
  • Details of periods of leave taken by you, including holiday, sickness absence, dependency leave, career breaks, family leave and the reasons for the leave;
  • Grievance and investigation information in which you have been involved; 
  • Details of any incidents relating to Health and Safety including risk assessments; 
  • Information about your use of our information and communications systems;
  • Any information relating to your breach, or witness of a breach, of a company policy; 
  • Details of any intellectual property made wholly or partially by you; 
  • Details of any company property or software provided to you;
  • Your consent to Wholegrain collecting, holding, and processing your personal data;
  • Your image, whether captured by photograph or video; 
  • Any other category of personal data which we may notify you of from time to time.

We may also collect, store, and use the following “special categories” of more sensitive personal information as detailed below and for the following specific purposes:

  • Information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions to ensure meaningful equal opportunity monitoring and reporting;
  • Information about your health, including any medical condition, health, and sickness records (which may include genetic and biometric data) including whether or not you have a disability for which the company needs to make reasonable adjustments and in relation to our Health and Safety responsibilities;
  • Information about criminal convictions, offences and DBS checks processed as part of our engagement procedures and where necessary, in the course of your employment to comply with legal and regulatory obligations to which Wholegrain Digital is subject to, in addition to grievance or investigation matters and associated hearings.

3. How is my personal information collected?

Usually we collect personal information about contractors through the initial engagement process, either directly from you or sometimes from an agency or background check provider. We may sometimes collect additional information from third parties including former clients/employers, credit reference agencies, immigration advisors or other background check agencies. In addition to UK Visas and Immigration, doctors, medical/occupational professionals, Disclosure Barring Service, consultants and other professionals who advise us.

We will collect additional personal information during work-related activities throughout the period of you working for us and for some time after, as detailed in this appendix. 

Data is stored in a range of different places, including our IT systems (including the company’s email system) and financial payment systems.

4. How will you use the information about me?

We will use your personal information only when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  1. Where we need to perform our responsibilities in relation to your contract for services with us. For example, in order to pay you in accordance with your contract for services; 
  1. Where we need to comply with a legal obligation. For example, to comply with Health and Safety laws; 
  1. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • We may also use your personal information in the following situations, which are likely to be rare:
  • Where we need to protect your interests (or someone else’s interests);
  • Where it is needed in the public interest or for official purposes.

5. Situations in which you will use my personal information

We need all the categories of information in the list above (see ‘What data does Wholegrain Digital hold about me?’) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information for our legitimate interests or those of third parties, provided that your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below:

  • Making a decision about your engagement; 
  • Determining the terms on which you are engaged with us; 
  • Paying your invoice; 
  • Maintaining accurate and up-to-date records and contact details (including details of who to contact in the event of an emergency) and administering your contract for services; 
  • Business management and planning, including accounting, auditing, workforce planning and work allocation;
  • Conducting reviews of your performance and determining performance requirements/deliverable; 
  • Assessing qualifications and/or experience for a particular job or task; 
  • Gathering evidence for disciplinary and grievance processes to ensure acceptable conduct within the workplace and undertaking grievance procedures; 
  • Ensuring you are compliant with relevant company policies and procedures;
  • Gaining occupational health advice to ensure Wholegrain complies with duties in relation to individuals with disabilities and to meet its obligations under health and safety law;
  • Ensuring effective general business administration, for example in business planning, restructuring, and maintenance of IT systems/security to avoid unauthorised access and use;
  • Making decisions about your continued engagement;
  • Making arrangements for the termination of your contract for services;
  • Providing references on request for your current or future clients;   
  • Education, training, and development requirements so as to operate and keep a record of contractor performance and related processes to plan for succession planning and workforce management purposes;
  • Dealing with legal disputes involving you, or other employees, workers, and contractors, including accidents at work;
  • Managing time and attendance; 
  • Managing company assets and property;
  • Complying with health and safety obligations so as to maintain a safe working environment;
  • To prevent fraud and breaches of security;
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies; and• Equal opportunities monitoring.

Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.

6. Who has access to my personal data?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Your personal data will be accessed by the following if access to the data is necessary for the performance of their roles and activities:

  1. Your client contact; 
  2. The Directors of Wholegrain;
  3. External expense providers;
  4. Bamboo HR;
  5. External HR consultant;  
  6. External financial, banking and legal advisors; 
  7. External Health and Safety advisors;
  8. External training and development advisors/providers;
  9. External IT support services; 
  10. Security at Somerset House; 
  11. External occupational health advisors.

Wholegrain Digital may also share your data with third parties in order to obtain pre-engagement references or checks from other organisations including obtaining necessary criminal records checks from the Disclosure and Barring Service.  

Where the company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. 

Your data may be transferred to countries outside the European Economic Area (EEA) by our third-parties. In the event that a third party will do so on its behalf then the company will ensure that the necessary protocols are in place prior to any transfer occurring. 

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

7. What happens if I fail to provide my personal information?

If you do not provide certain information when we ask for it, we may not be able to perform the contract that applies to our working relationship with you (such as paying you), or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers).

8. Change of purpose

We will only use your personal information for the purposes that we have collected it for, unless we need to use it for another reason and that reason is reasonable and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or allowed by law.

9. How do you use special categories of my personal information?

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information. 

Special categories of include information that relates to the following:

  • Health;
  • Sex life;
  • Sexual orientation;
  • Race;
  • Ethnic origin;
  • Political opinion;
  • Religion;
  • Trade Union membership; and 
  • Genetic and biometric data.

We may process special categories of personal information in the situations below:

  • In limited circumstances, with your clear written consent;
  • Where we need to carry out our legal obligations;
  • Where it is required for reasons of substantial public interest;• Where you have already made the data public.

We will use your special categories of personal information in the following ways:

  • We will use information about your health and disability status, to ensure your health and safety in the workplace and to provide appropriate workplace adjustments.
  • We will use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under law. However, we may ask you for your consent to allow us to process certain particularly sensitive data.  If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given may be withdrawn at anytime. There will no consequences where consent is withdrawn.

10. What processes to you have in place to ensure the security of my personal data?

Please refer to the ‘Data and IT Security Policy’ for details regarding the measures that Wholegrain Digital have in place to protect the security of your personal data.

11. How long will you keep my personal data for?

The periods of retention of data are set out in the company’s ‘Data Retention Policy.’

12. Do you hold information about criminal convictions?

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided, we do so in line with our data protection policy or other policy that applies to such information.

Very occasionally, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public

We do not envisage that we will hold information about criminal convictions.

13. Do you use automated decision-making?

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration;
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights;
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

14. Data sharing outside the EU

We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

If you have any questions about this appendix then please contact the Data Protection Officer.