SCOPE OF OUR PRIVACY POLICY 

This policy sets out the basis on which any personal data we collect from our website or that is provided to us, or that we create about you in the course of operations will be processed by us.  Please read the following carefully to understand our views and practices regarding  personal data and how we will treat it. 

 

INFORMATION WE COLLECT ABOUT YOU 

​

We collect information in the following ways: 

 

Information provided to us directly 

Website visitors may provide us with information about you when you submit a query on our website, write to us or call us.  This may include name, address, email address, telephone number and information provided in any correspondence with us. 

 

Information collected indirectly 

Website visitors

• We may collect personal information about you using cookies and other digital media technologies. We may receive and store information about the type of device you use to access our website, what operating system you have, some of your device settings and your IP address.  We will record details of your visits to our website, which pages you view, how long you dwell on them, the website you came to our site from and the website you leave our site to. 

​​

Employees, Workers and Contractors of Client Organisations

• As part of our engagement with client organisations we may receive from them, their suppliers, professional advisors or partners a wide range of personal and employment information including but not limited to personal and organisational identifiers, demographic information, employment history contractual entitlements and benefits of employees, those who may potentially become employees (for example, as a result of a proposed transaction to which the client is or may become a party). This may include sensitive information. 

​​

Information from other sources 

• We may obtain personal information from other sources such as LinkedIn for the purposes of business development

 

HOW WE USE THE PERSONAL DATA WE COLLECT 

​

The main uses of personal data we collect, create and hold are set out in the table below along with information about the lawful grounds for processing.  ChangeWork HR will not use personal data for any purpose that is incompatible with one or more of these uses. 

​

Fulfilling client contracts

• We will usually receive information as the sub-processors of the clients with whom we engage, but in some circumstances we may be joint controllers the information.

• Lawful basis: Legitimate interests of ChangeWork HR.   We use information provided by clients, their associated companies or business partners to fulfil a lawful contract for whom the client is a beneficiary and to respond to questions they may raise with us following the contract. The data controller is normally the client organisation and our processing activities are necessary to fulfil  a lawful contract with them

• Data retention :We retain information received or generated about individuals for as long that it is needed for us to fulfil the client contract, in accordance with data protection agreements with our client, or for a maximum of 7 years, as below.

​

Responding to queries. 

• Lawful Basis: Legitimate interests of ChangeWork HR and clients.  We use information provided by clients to respond to questions they may raise with us in a timely, accurate and professional manner. 

• Retention: We will hold this data in any event for no longer than 7 years in order to respond to  follow up queries and to respond as required to ChangeWork HR or client insurers and advisors .

​

Maintaining and enhancing our delivery capability

• Lawful basis: Legitimate interests. We record information concerning ChangeWork HRs employees, suppliers, current and former associates and potential associates  for the purposes of maintaining a delivery capability

• Retention: We will hold this data in any event for no longer than 7 years in order maintain a network of trusted associates and to fulfil our obligations to HMRC

​​

Business Development

• Lawful basis: Legitimate interests of Changework HR. 

• We retain records of clients and potential clients for as long as we feel they may be interested in working with us or benefit from our services, or until such time as they may request us not to hold that information.

 

Optimising our website and other digital marketing activities 

• Lawful basis : Legitimate interests of the ChangeWork HR.  We may  use cookies and other digital technologies on our website, in  any newsletters or other digital interactions with you to allow us to understand traffic to our website, and how well our website and outbound digital communications perform. 

• Records of our digital marketing activities and how individuals interact with them are  typically kept for 3 years

 

 

If we would like to process personal data for any other purpose incompatible with the purposes listed above, we will provide the individual and /or client as appropriate with appropriate additional privacy information at the point where these additional purposes arise.  Our commitment is that we will not process your data for any purpose other than those listed or similar to those listed in this privacy policy. 

​

DATA RETENTION 

​

ChangeWork HR will hold the data on the above schedule unless:  

a) you (if you have provided the information directly) or the provider of the information or the client in other cases as appropriate, ask us to remove it or stop processing it for specific purposes; 

b) we believe that you are no longer interested in our organisation; 

c) we no longer need it for the purposes it was collected. 

If you have any questions regarding the length of time we retain personal data please contact us here

​

KEEPING DATA UP-TO-DATE 

​

We will endeavour to keep data up to date unless the purpose for which it was collected requires the data be static and reflect the position at the point in time at which it was collected.

​

INFORMATION SECURITY 

​

We will take all steps reasonably necessary including implementing policies, procedures and security controls (and adhering to client policies, procedures and security controls communicated to us and where we have agreed to do so)  to ensure that personal data is treated securely and protected from unauthorised and unlawful access and is used in accordance with this privacy notice. 

​

Unfortunately, the transmission of information via the internet is not completely secure and although we will do our best to protect personal data transmitted to us via the internet we cannot guarantee the security of any information transmitted to ChangeWork HR from any device: any transmission is made is at the users own risk.  Where we have given you (or where you have chosen) a password which you are responsible for keeping this password confidential. We ask you not to share a password with anyone 

 

SHARING PERSONAL DATA 

​

We will share personal data that we hold with the following categories of organisations/people as necessary in order to undertake our processing activities. This list is not exhaustive and may change from time to time.  If we add a different category of those we disclose personal data to we will update this privacy notice.  Please contact us if you would like an up-to-date list of our data processors, or data sharing activities. 

​

Official Organisations, clients and advisors 

We share personal data from time to time with:

• government agencies and official authorities such as HMRC;

• our clients their associated companies and in limited circumstances their business partners;

• our professional advisors and our clients’ professional advisors with whom we are working on client assignments;

• others if we are under a duty to disclose or share personal data to comply with any legal obligation; 

• to fulfil any service that you request from us (e.g. enquiry via our website). 

​

Other type of organisation 

We employ specialist companies to host our website, email, database(s), and provide facilities for our social media presence.  These organisations are data processors and governed by legal obligations set out in the GDPR.  Examples of the disclosures we make in this category are set out below: 

​

International transfers of personal data

In the event that we are required to transfer personal data to a country outside of the European Economic Area we will only do so in the following circumstances: 

• the European Commission has issued an opinion approving the adequacy of that country’s data protection laws; 

• the third party and the Changework HR (or our client as appropriate) sign an appropriate contract approved by the European Commission or the UK’s Information Commissioner’s Office (often referred to as “model clauses”);  

• the third party is signed up to an approved transfer mechanism such as the EU:US Privacy Shield; or in exceptional circumstances through another lawful mechanism set out in the GDPR or DPA. 

​​

If you would like to know more about any international transfers and the safeguards in place, please contact us online via our contact form 

 

 

YOUR RIGHTS 

​

You have certain rights set out in the data protection law as set out below:  Requests to exercise these rights should be made to the organisation which is the data controller. If you would like to exercise right  and you think ChangeWork HR is the data controller you should contact us online via our contact form and if the data controller is not ChangeWork HR we will tell you who we believe the data controller is. 

 

Right of access. 

• You may have the right of access to information we hold about or concerning you. 

​

Right of rectification or erasure. 

• If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it.  You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw consent if that is the basis upon which our processing is undertaken, or if you feel that we are unlawfully processing your data.  Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will shall take all reasonable steps to inform those with whom we have shared your data about your request for erasure. 

​

Right to restriction of processing. 

• You may have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore but you need us to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data. 

​

Right to Portability. 

• You may have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request. 

​

Right to Object. 

• You may have a right to object to our processing of your personal data. This also includes the right to object to any processing based on legitimate interests,. 

​

Right to Withdraw Consent. 

• You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.  You can do so by contacting our support care team and they will immediately mark our records accordingly, this will then take effect as soon as possible.  Please be aware that some activities may already have left our system at time of consent withdrawal. 

​

Right of Complaint. 

• You also have a right to lodge a complaint about any aspect of how we are handling your data with the UK’s Information Commissioner’s Office who can be contacted at www.ico.org.uk. 

​

 

COOKIES 

 

​