Privacy Statement - Controller

1. Introduction and Contact Information
2. Visitors to our website and marketing Services
3. Your privacy rights
4. Prospective, Current and Former Employees
5. How we gather your personal identifiable information
6. How we lawfully use your personal identifiable information
7. How long we keep your personal identifiable information
8. Automated decision making
9. Who has access to your data
10. Keeping your personal identifiable information up to date, accurate and adequate
11. Data Transfers
12. Confidentiality and Security
13. Aareon UK Commercial and Employee Information

1. Introduction and Contact Information

1.1 This is the Aareon UK Limited (AUK) Privacy Notice. AUK is part of a group of companies with Aareon AG as the Parent Company which is based in Germany. This Privacy Notice describes the categories of personal identifiable information (PII) we process and for what purposes. We are committed to collecting and using data fairly and in accordance with the requirements of the UK’s Data Protection Act 2018 (DPA), including the General Data Protection Regulation which has been adopted in full by the United Kingdom since leaving the European Union, and is now known as UK General Data Protection Regulation (GDPR) .

1.2 We take your privacy seriously and in this notice you can find out more about your privacy rights and how we collect, use, share and secure your PII. This includes the information we already hold about you and any further information we might collect about you, either direct from you or from a third party.

1.3 This Privacy Notice sets out our commitments to you as a prospective, current or former employee AUK complies with the Data Protection Laws in the countries in which we operate, all being within the EU. This notice explains how we collect, use, store, share, retain and secure your PII.

1.4 Our website may, contain links to and from the websites of our commercial partners and other third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies, which we recommend you read. We do not accept any responsibility or liability for such third-party policies and you should check these policies before you submit any personal information to these websites.

1.5 In addition, if you arrived on this website from a third party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site and recommend that you check the privacy policy of that third party site and contact its owner or operator if you have any concerns or questions.

1.6 This Privacy Notice is a public document and applies when AUK obtain and use your PII as a Data

Controller. (We also have a second Privacy Notice on our website which highlights how we demonstrate our compliance as a Data Processor, in the supply of our services and products to our customers.)

1.7 The difference between a Data Controller and Data Processor is important.

a. When AUK carries out functions on behalf of other Data Controllers, (our customers) this means we act as their Data Processor. We carry out functions which may involve individuals’ PII on behalf of our customers and these processing operations are based on our customers’ written instructions and under a contract.

b. Where AUK determines the use of individuals’ PII, as a prospective, current or former employee as well as when we process information when carrying out our marketing operations, we do so as a Data Controller.

1.8 This Privacy Notice will be updated from time to time: accordingly, we recommend you keep yourself informed by reviewing it from time to time.

1.9 As a Data Controller, we determine and process PII in regard to the following operations:

• Visitors to our website

• Prospective, current and former employees

• Current and former employees of our prospect customers

• Current and former employees of our contractors and consultants

1.10 Our Data Protection Officer’s details are below and can be contacted if you have questions about your data, data protection, your rights or wish to make a complaint:

By post: By email:

Security & Compliance Manager DP@Aareon.com

Aareon UK Limited

International House

24 Holborn Viaduct

London

EC1A 2BN

2. Visitors to our Website and Marketing Services

2.1 Visitors to our website are important, as we want to supply you with full access to the services, products we offer across AUK and the Aareon Group and our preferred Partners. When you visit our websites we have a ‘cookie policy’. It is important you read this as it supplies details of how we collect, monitor, use, share, retain and secure your PII.

2.2 We will obtain PII from you when you request a contact, or a call back or a demonstration of our products and services. We have a marketing data base and only hold PII of individuals who have:

Requesting information or applying for a role within AUK;
Requested information about our products and services, through our website;
Supplied us your contact details at an event, conference or meeting;
Used LinkedIn to ask or have accepted an invite to connect with a staff member
Being a customer of AUK, we will keep you informed on updates to existing products and services and new products and services;
Being a customer of AUK we will also rely on our legitimate Interests to keep you informed of new products and services which in our opinion will be a benefit to your business.
As a customer you can opt out at any time from receiving marketing communications from us.

2.3 Individuals can unsubscribe at any time to receiving marketing or any other information by emailing dp@aareon.com. Customers cannot opt out of all communications from ourselves as the majority of our communications will be under the performance of a contract.

3. Your privacy rights

3.1 With the DPA you have eight rights relating to the use and storage of your PII. A Data Controller has to comply with these rights, which are:

The right to be informed - You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the DPA. We will provide you with information including:

our purposes for processing your personal data,
our retention periods for that personal data, and
who it will be shared with.

The right of access – You have the right to a copy of the information we hold on you.
The right to rectification – You have the right to have inaccurate PII data rectified, or completed if it is incomplete.
The right to erasure – You have the right to have your data erased.
The right to restrict processing - You have the right to request the restriction or suppression of your personal data. When processing is restricted, we are permitted to store the personal data, but not use it.
The right to data portability - The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right to object - You have the right to object to the processing of their personal data in certain circumstances. You do have an absolute right to stop your data being used for direct marketing.
Rights in relation to automated decision making and profiling - The DPA has provisions on:

automated individual decision-making (making a decision solely by automated means without any human involvement); and
profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. Where decisions are made solely by automated means you have the right to request a review by a human.

3.2 AUK has a legal obligation to answer all requests in relation to your rights. Some of these rights are not absolute, e.g. where you are still under a contract, you will not be able to have your data erased.

3.3 You can make a complaint if you feel AUK is using your PII unlawfully or holding inaccurate, inadequate or irrelevant PII which, if used, may have a detrimental impact on you or has an impact on your rights. If you wish to make a complaint, please refer your complaint to our Security & Compliance Manager, whose details are noted above.

3.4 You can also make a complaint to the data protection supervisory authority. In the UK, this is the Information Commissioner's Office, at https://ico.org.uk.

3.5 To make enquires for further information about exercising any of your rights in this Privacy Notice, please contact our Security & Compliance Manager, whose details are above.

4. Prospective, Current and Former Employees

4.1 Prospective Employees

When you apply for a role within AUK, we will ask you to supply the following information:

Contact details, (name, address, email, contact number/s)
Education and qualifications
Employee history
Hobbies and/or interests
Evidence to support your application

Special category information

Any adjustments that may be needed if you are called for an interview

Other relevant information

Convictions
For some roles we may have to apply for a Disclosure and Barring Service Check – this will be highlighted on the advert.
We will also carry out checks against the sanctions screening list, before making the offer of employment.
All employees will be checked against the sanctions screening list annually.

Data will be stored in a range of different places, including in your personnel file, in the firm’s HR management and payroll systems and in other IT systems (including the firm’s email system).

Law Enforcement - Other relevant information

In limited circumstances, AUK may need to carry out applicable law enforcement checks if an offer of employment is made and if the post requires such checks as part of the employment contract. These are called Disclosure and Barring Service Checks and they are carried out with your full knowledge via the applicable approved agency. This information when required will be highlighted on the job advertisement or during an interview.

Obtaining and processing your recruitment application

We obtain your PII when you supply this information for the purposes of applying to work for AUK. We will retain your employment applicant information for the required period of time detailed below. We will also hold and process your PII for the purposes of determining if your knowledge, skills, experience and qualifications meet the role specification. Your PII will be shared with the recruitment panel to enable the interview process to take place.

The recruitment panel will create notes of the interview and these will be processed and retained for the purposes to record the answers to the questions posed and how these answers reflected the role specification criteria. They will be further used to record the outcome of the interview process and decision.

We will not require the details of your appointed referees until an offer of employment is made. We will expect you to have informed the referees and obtained their consent to share their PII for the purposes of obtaining an employment and/or character reference.

If you are unsuccessful for the position for which you have applied, we may ask to retain your applicant and interview records for a period of up to 12 months, on our HR ‘Talent’ management system and consider your PII against any future positions that may become available. We will confirm this with you at the point of application/interview.

We will retain and process your PII via a selection of AUK approved Data Processors. These processors are organisations or individuals engaged by AUK to carryout functions on our behalf under contract and in full compliance with data protection laws. Details of such processors can be provided on request, but most, if not all, will be explained to you if you are successful in your application.

4.2 As an AUK employee

We will retain and store the following information:

Same as for a prospective employee, plus:
References supplied by your referees
Photograph for Identification proposes, for the promotion and advertisement of AUK.
Gender
National Insurance Number
Marital status
Partner information – if you consent as they maybe entitled to join our employee benefit scheme/s
Dependants details – if they are entitled to join our employee benefit scheme/s
Entitlement to work in the UK – such as copy of your passport, full birth certificate, right to work and reside in the country (Visa)
Copy of your driving licence – where the job involves driving and where car allowance or company car is supplied
Car Insurance details, ensuring business insurance is included, if car allowance is to be paid by AUK
Bank details to pay your salary
Next of kin – contact in the case of an emergency, you will need to ensure you have informed this person, obtained their consent to share their information with us and pass them a copy of this Privacy Notice
Details of any disciplinary or grievances you may be involved in, including any warning issued
Assessments of your performance, including appraisals, performance reviews, ratings, performance plans and any related correspondence
Absence, sickness, annual leave, unpaid leave and/or compassionate or educational leave
Payroll, benefits and expenses

Special category information

Biometric data in the form of thumb print and or facial recognition to gain access to company mobile and/or tablet
If there were any adjustments, due to a disability that may be required in the workplace to ensure your wellbeing, safety and health requirements are met while you are employed by us, whether these are permanent or temporary.
Sick records which may include medical or health conditions
Equality information – which may include ethnic origin, religion or other beliefs, sexual orientation

Other relevant information

Convictions – for some roles a Disclosure and Barring Service Check may need to be carried out, if a job role changes in that a check is necessary, you will be informed of this.
Driving information – offences or fines incurred during your employment, to ensure your continued entitlement to receive a car allowance or have access to a company car.

We may be required to share your PII with other third parties or agencies to comply with the law. We may not be able or require your consent or inform you if this would have any impact on the purposes for which the data was shared. For example, for the prevention and detection of crime or prosecution or apprehension of offenders.

This AUK employee Privacy Notice, retention and security notices will be supplied as part of the Employee Handbook.

4.3 When you leave Aareon UK’s employment

Your information will be kept in line with our retention policy and schedule, which can be obtained from our Security & Compliance Manager, whose details are above.

5. How We Gather Your Personal Identifiable Information

5.1 We obtain PII by various means; this can be by face to face, email, telephone, correspondence and/or by receiving this information from others, for example: your referee/s. We can also receive information about you from other people who know you and/or are linked to you, for example: nominated person to act on your behalf, e.g. your next of kin giving an update on your illness.

5.2 Some further examples of how we may gather your personal identifiable information are set out below:

From monitoring or recording calls as part of quality and complaints monitoring: we record these calls for training and to ensure the safety of our staff;
From monitoring your use of our website;
Time sheets;
Expenses and
From social media such as LinkedIn
Employment agencies, who will be acting as our processor or joint data controller
Health and Social care providers
Law enforcement agencies
Courts

6. How We Lawfully Use Your Personal Identifiable Information

6.1 The table below sets out the processes and the legal gateway we rely on to process the data:

Purpose / Activity	Lawful ground to process	Retention Period
Email or telephone enquiries about a vacancy or to go on our CV ‘talent’ management system	Consent	1 Month
When you submit your application	Performance of a contract	3- 12 Months
When you are invited for an interview	Performance of a contract	12 Months
When you are not invited for an interview	Performance of a contract	3 Months
To keep you informed of further job roles and retain your details for 12 months	Consent	12 Months
Offered the position	Performance of a contract	7 years after end of relationship
Health and Social Care records	Performance of a contract	7 years after end of relationship
Benefits	Performance of a contract	7 years after end of relationship
Maintain accurate up to records while you are employed, sick, annual leave, performance, etc.	Performance of a contract	7 years after end of relationship
Obtain occupational health advice	Performance of a contract	7 years
Request Medical Records from GP	Consent	7 years
Obtain external legal advice	Legal Obligation	7 years
Ensure effective general HR and business information	Performance of a contract	7 years end of relationship
Next of kin details	Legitimate Interests	Life of your employment
Payroll / Payments	Performance of a contract	Permanently
Adding LinkedIn contacts to our CRM	Consent – either before accepting an invite from us or after accepting an invite from you	Until opt-out
Keeping prospects informed about products and services and invited to participate in surveys and/or developing products	Legitimate Interest	Until opt-out
Keeping customers up to date with our products and services and invited to participate in surveys and/or developing products	Legitimate Interest	Life of contract

We will only use your data for the propose/s it was collected, unless we have reasonably consider that we need to use it for another reason and that reason is compatible with the original reason of collecting it. If this not the case and wish to continue to use your PII for a new purpose, we will inform you and in doing so will explain the legal basis which allows us to do so.

Please note that we may process your PII without your knowledge or consent, in compliance with the above rules, where we are required or permitted by law.

7. How Long We keep Your Personal Identifiable Information for

7.1 For applicants / contractors / consultants not invited to an interview we will only keep your PII and any other information you have provided for a period of 3 months, from the closing date of the advert.

7.2 For applicants / contractors / consultants invited to an interview but have not been successful we will only keep your PII and any other information you have provided for a period of 3 months, from the closing date of the interview. Unless you have

indicated you agreed to AUK retaining your CV and interview notes on our ‘talent’ or ‘contractor’ management system. This will only be retained for 12 months from the interview.

7.3 For employee – your PII will be kept for as long as it is necessary to fulfil the purposes it was collected, including in satisfying any legal, accounting, or reporting requirements. The periods for which your data is held can be found, in the company’s retention policy and schedule in the employee handbook, most will be kept throughout your employment with others having to be kept for a period of time following your exit from the company.

8. Automated decision making

8.1 Employment decisions are not based solely on automated decision making, if ever. Where AUK carry out automated decision making we will inform you the point of advertisement and supply the processing conditions and lawful basis.

9. Who has access to your data

9.1 As an applicant – your data will be kept within the online HR management tool and with the manager who has the vacancy and normally one other manager who will be on the recruitment/interview panel.

9.2 As an employee – your data may be shared internally, including HR and Finance (payroll purposes), and your line manager. In limited form your PII may be shared with board members and selected staff members where it necessary for the performance of their roles.

9.3 We may share your data with third parties including Group companies in order to obtain, and provide, pre-employment references from/to other employees, obtain employment background checks from regulatory bodies and third-party providers and obtain necessary criminal records checks from bodies such a Disclosure and Barring Service.

9.4 We also share PII with third-party suppliers that process data on our/your behalf in connection with payroll, HR and in the provision of employee benefits and occupational health services.

9.5 Our Compliance Manager will be administrating individuals requests under data protection law and this includes all Rights of an individual. Therefore, this role will have access to your PII in conjunction with Human Resources for these purposes only and only until the matter is resolved.

10. Keeping Your Personal Identifiable Information up to date, accurate and adequate

10.1 We require all individuals to keep AUK informed of any changes to their PII, e.g. appointed next of kin and/or banking information. AUK will complete a review of all data obtained for the purposes set out in this privacy notice to ensure it is held in line with the law and our retention policy, kept accurate, adequate and relevant for the purposes we have obtained and processed the data under.

11. Data Transfers

11.1 Whenever we share your PII within our Group of companies, (Aareon AG) who are all based within the EU and for the purposes of delivering you a website, responding to your enquiries and/or in the performance of employment, contract or supplier contract. We ensure an appropriate degree of protection is afforded to it.

11.2 Whenever we transfer your personal data out of the European Economic Area (EEA), we ensure an appropriate degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK’s Information Commissioners Office (ICO).
Where we use providers based in the USA, we will only engage companies who have provided assurances that requires them to provide similar protection to personal data shared within the EEA and the UK, and or signed up to the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from the EEA, Switzerland and the UK, respectively. Further details on the DPF can be found here https://www.dataprivacyframework.gov/Program-Overview
AUK have signed a Data Sharing Agreement which following our exit from the EU, means we can continue to share data within the confines of the Group.

11.3 Our directors and other appointed individuals working for AUK may, in limited circumstances, access individuals PII outside of the UK and European Union, e.g. if they are remote working, absent from the office and need to access critical business information. If they do so they will be using our security measures and will be subject to their arrangements with us which are subject to English Law, in line with the DPA and the same legal protections that would apply to accessing personal data within the UK.

12. Confidentiality and Security

12.1 We have implemented security policies, rules and technical measures to protect individual’s personal information that we have under our control from:

Unauthorised access
Improper use or disclosure
Unauthorised modification
Unlawful destruction or accidental loss

12.2 All our employees, representatives, board members and third-party contractors (data processors) who we engage, and have access to, and are associated with the processing of your PII, are obliged to respect the confidentiality and only process the information based on our instructions. We will ensure that your PII will not be disclosed until all security assurances have been documented unless we are required by law.

13. AUK Commercial and Employee Information

13.1 When someone visits our website we will collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is collected in a way which does at times identify a person who contacts us about a product. We do not make any attempt to find out the identities of those visiting our websites as a routine search. If we do want to collect PII through our website, we will be up front about this. We will make it clear when we collect PII and will explain what we intend to do with it.

13.2 The information held and published on our website and associated websites is only to be used for the purposes is has been published for. We do not consent to any organisation, member of the public to take individuals (data subjects) PII from our website and use this for their own purposes without AUK’s written consent. You can use this to contact us and discuss our services and product options or share with another organisation who you feel would be interested in contacting us.

13.3 In the case of unlawful use, we reserve the right to review and carry out legal proceedings.