2.1 Default Policy Sections and Model Answers

When setting up your Data Policy in WP-HR GDPR you will find the following fields pre-installed:
(a) Section = A section of the policy generally covering one aspect of the information you need to disclose.
(b) Explanatory Note = What this Section is about.
(c) Suggested Text / Place Holder = An example of the type of information you could insert in this Section.
Section: About you
Explanatory Note: Data Controller
A controller determines the purposes and means of processing personal data - this is likely to be your company.
Data Protection Officer
Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Suggested Text / Place Holder: [Insert name of relevant person or organisation] is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: [Insert contact details]. For all data matters contact [Data Protection Officer/Our Data Administrator] on [Insert contact details].
Section: 1.0 What employee personal data do you collect?
Explanatory Note: The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. For example: name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
You will need to conduct an audit of the data you process for employees and replace the model answer below with your own information.
Suggested Text / Place Holder: Please list the types of information you collect on your employees, for example: "We collect personal details needed to administer your records as an employee, including personal information such as: name, address, phone numbers, email addresses, date of birth, next of kin, marital status, gender, educational and professional qualifications. In addition, we hold employment information such as: past employer details, start dates, tax codes, training and assessment records."
Section: 2.0 Do you collect any 'special category' data?
Explanatory Note: The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Suggested Text / Place Holder: We collect information including: racial/ethnic origin, trade union affiliation, and health data.
Section: 3.0 For what purpose(s) do you process personal data?
Explanatory Note: The notice must include a description of all the purposes for which the personal data will be processed. It is advisable to keep the description of the purposes as broad as possible, whilst ensuring that it is accurate and not misleading. If a purpose is missed out, the personal data may not, in most cases, be used for that purpose without reissuing the data privacy notice, setting out the new purpose, processing condition and other relevant information. This does not mean that you can include in the notice every possible purpose; the purposes included must be reasonably foreseeable.
NB "Process" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Suggested Text / Place Holder: We use your personal data for the following purposes:
- To manage our employees;
- To maintain our own accounts and records;
- To inform individuals of news, events or activities.
NB For each Process created in this field, an option should appear offering the check boxes in Question 4 so that the user can specify the legal basis for processing the information.
Section: 4.0 What is the legal basis on which the processing of Personal Data will take place?
Explanatory Note: You need to identify at least one lawful basis for each purpose of processing. You can tick more than one box if more than one applies (although you should note that some are mutually exclusive). We strongly recommend you take legal advice before selecting which legal basis is appropriate for your organisation.
Please select:
☑ Consent: the individual has given clear consent for your organisation to process their personal data for a specific purpose.
☑ Contract: the processing is necessary for a contract your organisation has with the individual, or because they have asked you to take specific steps before entering into a contract.
☑ Legal obligation: the processing is necessary for your organisation to comply with the law (not including contractual obligations).
☑ Vital interests: the processing is necessary to protect someone’s life.
☑ Public task: the processing is necessary for your organisation to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
☑ Legitimate interests: the processing is necessary for your organisation's legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Suggested Text / Place Holder: N/A
Section: 5.0 What is your lawful basis for processing your special categories of data?
Explanatory Note: Ignore this section if you do not process special categories of data. Tick more than one box if more than one applies, but indicate which purpose it refers to.
☑ Explicit consent of the data subject
☑ Processing necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
☑ Processing necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
☑ Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided that the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and there is no disclosure to a third party without consent
☑ Processing relates to personal data manifestly made public by the data subject
Suggested Text / Place Holder: N/A
Section: 6.0 Is data shared with any third parties?
Explanatory Note: Your personal data will be treated as strictly confidential, and will be shared only with the parties listed below:
Suggested Text / Place Holder: Your data is only shared with organisations necessary for your employment. For example:
- Pension Provider
- Bank
- Potential future employers requesting references
- Emergency services in the event of an accident
- Statutory authorities.
Section: 7.0 Do you transfer any data outside the European Economic Area?
Explanatory Note: State whether personal data is transferred outside of the EEA and, if so, give details of the safeguards that are in place to protect the security of the data.
Suggested Text / Place Holder: [We do not transfer personal data outside the EEA.] OR [If personal data is transferred outside the EEA, include details of the countries and relevant safeguards that you have implemented.]
Section: 8.0 How long do you keep your personal data?
Explanatory Note: You need to include either a specific period of data retention or, alternatively, the criteria that can be used to determine how long you retain personal data.
Suggested Text / Place Holder: We keep your personal data for no longer than reasonably necessary, for a period of [Insert relevant period], in order to [Insert sufficient reason for retaining personal data]. Examples include: in case of any legal claims/complaints; for safeguarding purposes etc.
OR
We keep your personal data for no longer than reasonably necessary, and we only retain your data for the following purposes and use the following criteria to determine how long to retain your personal data: [Insert relevant purposes and criteria for retention.]
Section: 9.0 Why are employees providing you with their personal data?
Explanatory Note: Disclose why you need to process the individual’s personal data. Also explain what the implications will be if you don’t process the personal data.
Suggested Text / Place Holder: [You are under no statutory or contractual requirement or obligation to provide us with your personal data, but failure to do so will have the following consequences: [Insert details].] OR [We require your personal data as it is a [statutory] [or contractual] requirement, [or a requirement necessary to enter into a contract].] OR [You are under an obligation to provide your personal data to us as [Insert reason]. If you fail to adhere, the consequences will be [Insert details].]
Section: 10.0 Your employees' rights and their personal data
Explanatory Note: This clause explains a data subject's rights in relation to their personal data. These are mandatory terms under GDPR. The only term that you are allowed to remove, if it does not apply, is this one: [The right to withdraw your consent to the processing at any time, where CONSENT was your lawful basis for processing the data]
Suggested Text / Place Holder: Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
• The right to request a copy of the personal data which we hold about you;
• The right to request that we correct any personal data if it is found to be inaccurate or out of date;
• The right to request that your personal data is erased where it is no longer necessary to retain such data;
• [The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data];
• The right to request that we provide you with your personal data and, where possible, transmit that data directly to another data controller (known as the right to data portability) (where applicable, i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject, and where the data controller processes the data by automated means);
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
• The right to object to the processing of personal data (where applicable, i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority), direct marketing, and processing for the purposes of scientific/historical research and statistics).
Section: 11.0 Automated Decision Making
Explanatory Note: Please amend the suggested text to suit your situation.
Suggested Text / Place Holder: [We do not use any form of automated decision making in our business.] OR [Provide details of any automated decision making (including profiling); state how decisions are made, and the significance and consequences of the processing for the individual.]
Section: 12.0 Further processing
Explanatory Note: Please amend as appropriate.
Suggested Text / Place Holder: If we wish to use your personal data for a new purpose not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
Section: Changes to your privacy policy
Explanatory Note: Please amend as appropriate.
Suggested Text / Place Holder: Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.
Section: How to make a complaint
Explanatory Note: If you wish to make a complaint:
Suggested Text / Place Holder: To exercise all relevant rights, or to raise queries or complaints, please in the first instance contact our [Data Protection Officer/Our Data Representative] on [Insert Contact Details]. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the UK Information Commissioner's Office on 03031231113, via email at https://ico.org.uk/global/contact-us/email/, or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.