Lioncroft Wholesale Limited - Staff Privacy Notice
1 Who this notice applies to
2 Purpose and responsibilities
2.1 Lioncroft Wholesale Limited (Lioncroft, we, us, our) is committed to protecting the privacy and security of your personal information. This privacy notice explains how we collect, use, store and protect personal information about you during and after your working relationship with us, in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and any national laws, regulations and secondary legislation, as amended or updated from time to time, in the United Kingdom, and any other territory which implements the GDPR.
2.2 Lioncroft, as the data controller, decides how we hold and use your personal information and must notify you of this information under data protection legislation.
2.3 This notice does not form part of your contract of employment or engagement with us.
2.4 It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
3 Data protection principles
3.1 We will comply with data protection law ensuring your personal information is: used lawfully, fairly and transparently; collected only for valid explained purposes and not used in any way that is incompatible with those purposes; relevant and limited to those purposes; accurate and kept up to date; kept only as long as necessary for the purposes we have told you about; and kept securely.
4 Personal data we collect
4.1 Personal data is any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
4.2 There are “special categories” of more sensitive personal data which require a higher level of protection.
4.3 We will collect, store, and use the following categories of personal information about you:
4.3.1 personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
4.3.2 identity documentation such as Passports, Visas or National Identity Cards;
4.3.3 personal information such as date of birth; gender; marital status and dependants; next of kin and emergency contact information;
4.3.4 employment details such as start date; location; job title, salary, annual leave, pension and benefits information; working hours, training records, professional memberships, performance, disciplinary and grievance record;
4.3.5 financial information such as National Insurance Number; bank account details, payroll records and tax status information;
4.3.6 copy of driving licence;
4.3.7 recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
4.3.8 CCTV footage and other information obtained through electronic means such as swipe card records and vehicle tracking data on Lioncroft vehicles including pool cars;
4.3.9 information about your use of our information and communications systems; and
4.3.10 photographs.
4.4 We may also collect, store and use the following “special categories” of more sensitive personal information:
4.4.1 information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
4.4.2 information about your health, including any medical condition, health and sickness records; and
4.4.3 information about criminal convictions and offences.
5 How we collect your data
5.1 We collect personal information during the recruitment process, either directly from you or via an employment agency, background check provider or third parties, including former employers, and throughout your employment through job-related activities.
6 Legal basis for processing
6.1 We will only use your personal information when the law allows us to, such as:
6.1.1 performing our contract with you;
6.1.2 complying with legal obligations, such as providing information to HMRC, to respond to requests from courts, law enforcement agencies and other public and government authorities;
6.1.3 pursuing legitimate interests or those of a third party where your rights don’t override these;
6.1.4 protecting your interests (or someone else’s); and
6.1.5 public interest or for official purposes.
7 How we use your data
7.1 We use your information primarily to allow us to perform our contract with you and to enable us to comply with legal obligations.
7.2 We use it for: recruiting decisions; determining terms for work; right to work checks; payroll and benefits; administering the contract; business management and planning, including accounting and auditing; capability management; salary reviews and compensation; assessing qualifications for a particular job or task, including decisions about promotions; gathering evidence for possible grievance or disciplinary hearings; making decisions about your continued employment or engagement; training requirements; legal dispute management; health and safety compliance; fraud prevention; system security; data analytics to review and better understand employee retention and attrition rates; and equal opportunities monitoring.
7.3 In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. For example:
7.3.1 to pay you through payroll (potentially third party);
7.3.2 to process sickness absence in order to facilitate the payment of statutory sick pay;
7.3.3 monitoring your work emails during any period of absence; or
7.3.4 to liaise with occupational health.
7.4 The legitimate interests that we have identified which require us to process your data are as follows:
7.4.1 to perform the operation of your contract of employment/appointment;
7.4.2 to not process such data (such as sickness absence data) would be breaking the law and thus it is necessary;
7.4.3 to pick up and deal with urgent emails as this process is vital to the running of the business;
7.4.4 fraud detection and prevention; and
7.4.5 information and system security.
7.5 We use your personal information only for its original collection purpose unless we have a compatible reason to use it differently, in which case we will notify you and explain our legal basis.
7.6 We may process your information without your knowledge or consent where required or permitted by law.
8 What if you do not provide personal data?
8.1 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
9 How we use particularly sensitive information
9.1 “Special categories” of sensitive personal information require higher levels of protection and additional justification for processing. We may process special category data:
9.1.1 in limited circumstances, explicit written consent. If required, we will contact you separately about this;
9.1.2 to meet our legal obligations and in line with our Data Protection Policy in force from time to time;
9.1.3 for public interest, such as for equal opportunities monitoring or in relation to our pension scheme, and in line with our Data Protection Policy; and
9.1.4 to assess working capacity on health grounds with appropriate confidentiality safeguards.
9.2 Less commonly, we may process this information for legal claims; to protect your or others’ interests where you cannot consent; or where you made the information public.
9.3 We will use this information in the following ways:
9.3.1 Leave/absence information – to comply with employment and other laws.
9.3.2 Health/disability information – to ensure workplace health and safety, assess fitness to work, provide appropriate workplace adjustments, monitor and manage sickness absence and administer benefits.
9.3.3 Diversity information – for equal opportunities monitoring and reporting, and to comply with employment laws (e.g., when concerns relate to protected characteristics).
9.4 We don’t need your consent when using special category data to meet legal obligations or exercise employment law rights. Where we do seek written consent, we’ll provide full details of the information needed and reasons, allowing you to decide carefully. Consent is not a condition of your contract with us.
10 Information about criminal convictions
10.1 We only process criminal conviction information where legally permitted, typically to fulfil obligations and provided we do so in line with our Data Protection Policy.
10.2 Less commonly, we may use this information for legal claims, to protect your or others’ interests where you cannot consent, or where you have made information public.
10.3 We collect criminal conviction information only when appropriate given the nature of the role and legally permissible. This may occur during recruitment or when you notify us directly during employment. We use this information for initial hiring assessments.
11 Automated decision-making
11.1 Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
11.2 We do not currently use automated decision-making but will notify you in writing if this changes.
12 Data sharing
12.1 We may share your data with any group companies and third parties, including service providers. All third parties must respect data security and treat information in accordance with the law.
12.2 We will not transfer your personal information outside the EU.
12.3 We share personal information when required by law, to administer the working relationship or where we have a legitimate interest.
12.4 “Third parties” includes service providers (including contractors and designated agents) and group entities. Third party services include: payroll, pension administration, benefits provision, audit and administration, IT services.
12.5 All third-party service providers and group entities must take appropriate security measures to protect your personal information in line with our policies. They cannot use your personal data for their own purposes and may only process it for specified purposes under our instructions, treating information confidentially and securely.
12.6 We share information with group entities for regular reporting, business reorganisation, group restructuring, and system maintenance. We may also share data in business sales/restructuring contexts, with regulators, or to comply with legal requirements.
13 Data security
14 We maintain appropriate security measures to prevent unauthorised loss, use, access, alteration or disclosure of your personal information. Access is limited to employees, agents, contractors and third parties with business need-to-know, who process information only on our instructions under confidentiality duties.
15 We have procedures for suspected data breaches and will notify you and regulators where legally required.
16 Data retention
16.1 We retain personal information only as long as necessary for collection purposes, including legal, accounting or reporting requirements. Retention periods for different data types are available in our data protection policy.
16.2 We determine retention periods considering: data amount, nature and sensitivity; risk of harm from unauthorised use/disclosure; processing purposes and alternative means; and legal requirements.
16.3 Sometimes, we may anonymise your information so it cannot be associated with you, allowing use without further notice to you. After your employment/engagement ends, we retain and securely destroy personal information in accordance with applicable laws and regulations.
17 Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. You must keep us informed of any changes to your personal information whilst working for us.
18 Your rights
18.1 By law you have the right to: access your personal information (commonly known as a data subject access request); request corrections; request erasure; object to processing; restrict processing; and transfer your personal information to another party.
18.2 Contact the HR Manager in writing via email to exercise these rights. You don’t have to pay a fee to do this, but we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
18.3 We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
18.4 In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the HR Manager via email as set out at 17.2 above. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
18.5 If you have any questions about this privacy notice or how we handle your personal information, please contact the HR Manager via email as set out at 17.2 above.
19 Complaints
9.1 You should contact us first, but you also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
20 Changes to this privacy notice
20.1 We may update this privacy notice at any time and will provide a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.