This Notice which is effective from 25 May 2018, describes the practices of Credebt Exchange® Limited (“Credebt® ”) regarding the collection, use, transfer, disclosure and other handling and Processing of the Personal Data of current and past employees of Credebt® .
In relation to Personal Data provided by you to Credebt®, Credebt® will act as Data Controller of such Personal Data. This means that Credebt® determines why and how such data is used. Credebt’s® data processing is generally undertaken in fulfilment of its legitimate interests and for the performance of contracts.
2. What is Personal Data?
Personal data is any information relating to a living individual which allows either directly or indirectly the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable. The type of Personal Data that Credebt® collects and Processes in relation to employees is described in more detail in the table in Appendix II of this Notice.
3. How We Collect and Use your Personal Data
The table at Appendix II also describes in detail the particular purposes and lawful basis for Credebt’s® processing of employee Personal Data as required by Data Protection Law. Credebt® will generally Process your Personal Data for personnel administration purposes and for purposes as necessary for and connected with the performance of contracts, such as employment contracts, and in its legitimate interests.
Credebt® may obtain Personal Data about you from third parties, such as former employers, educational institutions, recruitment agencies, recruitment platforms such as LinkedIn, government agencies, from information in the public domain and available on the internet and from other employees (e.g., other Credebt® staff, members of the HR Department, etc.). We may also seek Personal Data about you from third parties in connection with: (I) locating former employees and beneficiaries for purposes of administering retirement, pension or other benefits; (II) performance evaluations; (III) academic and professional references; (IV) disciplinary matters and internal investigations; (V) purposes that relate to your employment relationship with us; and (VI) other purposes permitted in accordance with applicable law. Where we obtain Personal Data about you from third parties, we will do so in accordance with Data Protection Law.
4. Special Categories of Data
Credebt® Processes Special Categories of Data (“SCD”) relating to employees in limited circumstances, typically related to the ordinary course of personnel administration which is in accordance with the Data Protection Law. Such Processing of SCD is permitted under several provisions of the Data Protection Law, including the following:
4.1 Article 9(2)(f) GDPR where it is “necessary for the establishment, exercise or defence of legal claims” and this ground is amplified under the Data Protection Act 2018 which permits the Processing of SCD where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights (and which may include Processing in the context of disciplinary proceedings); and
4.2 In relation to the management of medical risk and medical claims the Data Protection Act 2018 permits the Processing of SCD where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care.
5. Your rights under Data Protection Law
5.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (together the “Data Subject Rights”):
(a) The right of a data subject to receive detailed information on the Processing (by virtue of the transparency obligations on the Data Controller);
(b) The right of access to Personal Data;
(c) The right to rectify or erase Personal Data (known as the “right to be forgotten”);
(d) The right to restrict Processing;
(e) The right of data portability; and
(f) The right to object to automated decision making, including profiling and where processing is based on the legitimate interests of Credebt® or a third party.
5.2 The Data Subject Rights are subject to certain conditions and accordingly will not be available in all circumstances.
5.3 Any data subject wishing to exercise their Data Subject Rights should contact Andrew Hoey at firstname.lastname@example.org. Your request will be dealt with in accordance with Data Protection Law.
6. Data Security and Data Breach
6.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
6.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches (Art. 34). For further information on identifying and reporting a Data Breach please contact Andrew Hoey at the details below. If you become aware of or suspect that a Data Breach has taken place you are required to immediately notify the Credebt Data Officer by both phone and email:
Phone 01 685-3600
7. Disclosing Personal Data
7.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data that we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).
7.2 We may also share Personal Data: (a) with a statutory body where there is a lawful basis to do so; (b) with selected third parties including our legal, financial and tax advisors and sub-contractors; (c) if we are under a legal obligation to disclose Personal Data. This includes exchanging information with other organisations for the purposes of fraud prevention or investigation.
7.3 Where we enter into agreements with third parties to Process Personal Data on our behalf, we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data where required by Data Protection Law. Examples of such third party service providers that we engage, and to whom we may provide Personal Data include but are not limited to communications providers, payroll service providers, pension administrators, occupational health providers, marketing or recruitment agencies, operators of data centres used by us, security services, catering service providers, and professional advisors such as external lawyers, accountants, tax and pensions advisors.
8.0 Data Retention
We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as such purposes are set out in this Notice).
9.0 Data Transfers outside the EEA
10.0 Further Information/Complaints Procedure