This notice sets out details of how and why we (“Waystone”, “we”, “us”, “our”), and third parties, collect and process personal information in connection with your enquiries or application for employment with Waystone or its affiliates, your employment with Waystone or its affiliates or associated interactions with us (our relationship). We do this in compliance with our obligations under applicable data protection law. This notice explains what personal data is collected, the purposes for which it is used, the third parties to whom it may be disclosed and how individuals can exercise their rights in relation to their personal data.
Waystone is the controller of your personal data as part of our relationship. Waystone engages third party service providers to process such personal data on our behalf and those third parties act as processors. We are not required to designate a Data Protection Officer. If you have any questions about the use of your personal data, your data protection rights or if you want to exercise those rights, please contact [email protected].
Personal Data that we Process
Waystone collects personal data relating to you from you or from public sources and in connection with our relationship and in connection with ensuring compliance with our legal obligations. This may include the following:
Recruitment-related data and information on your personnel file – these include your name, signature, postal address, nationality, email address, fax number, date and place of birth, curriculum vitae, bank account details, tax identification, credit history, signatures, references, work and educational history, interview notes and other contact details, right to work documentation, your PPS or social security number (or equivalent), passport number, utility bills, photographic identification and verification such as copies of your passport, passport number, gender, driver's licence and address verification, photographs, working hours, annual leave and other holiday records, emergency contact details, marital status, next of kin and family details.
Payroll information – these include your PPS number, bank account details, salary arrangements, bonus entitlements and tax allowances.
Performance, grievance and disciplinary details – these include performance and grievance review forms, notes from performance review and grievance investigation meetings, performance improvement and grievance plan documentation, witness statements, complaints.
Information obtained through electronic means – these include emails stored in your email inbox, data relating to your internet browsing history, CCTV footage and other information obtained through electronic means such as swipe-card records.
Medical information and pension details – these include sick certificates, sick leave records, sick pay records, occupational health assessments and pension details.
Termination of our relationship – these include resignation letters, exit interviews and reference letters.
Special categories of more sensitive personal information – information about your race or ethnicity, religious beliefs, sexual orientation and political opinions, membership of a trade union or equivalent industrial relations body, information about your health, including any medical condition, health and sickness records, genetic information and biometric data.
We may collect and process personal data relating to you in connection with our relationship with you, such as via correspondence and calls. Telephone calls with you may be recorded for the purposes of record keeping, security and training.
In addition, we may collect personal data relating to you from third party sources such as specialist databases in connection with complying with legislation relating to anti-money laundering, taxation, and other legislation or from other specialist databases or sources for vetting or screening purposes or fitness and probity assessments or from employment or credit reference agencies or previous employers.
Purposes of Processing and Legal Basis
Personal data will be processed for the following purposes and on the legal grounds set out below:
- processing your application with us and during the recruitment process, to assess your suitability for a role, to establish your identity and determine the terms on which you work with us and to manage an effective recruitment process;
- during our relationship for normal HR management and administration purposes, to ensure that the terms and conditions of your appointment are properly adhered to and managed, to manage the relationship in accordance with relevant policies. This is necessary for the performance of our contract with you;
- paying you and (where relevant) deducting tax and national insurance and other mandatory or optional contributions;
- to ensure your health and safety at work, assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits;
- to afford natural justice and fair procedures (where relevant);
- conducting performance reviews, managing performance and determining performance requirements including decisions about promotions and pay reviews;
- to protect your vital interests in the event of an emergency or accident;
- to pay trade union premiums or register your status as a protected employee;
- making decisions about our relationship, to properly manage the termination of our relationship and ensuring the termination of our relationship is in accordance with relevant policies;
- complying with our legislative and regulatory obligations in connection with our dealings with you, including pension law, revenue law, health and safety law, taxation, crime-detection, prevention, investigation and prosecution, the prevention of fraud, bribery, anti-corruption, tax evasion or equivalent, to prevent the provision of financial and other services to those who may be subject to economic or trade sanctions, in response to legal or court requests or requests from regulatory authorities or where it is in the public interest;
- for quality control, business and statistical analysis, market research or for tracking fees and costs or for customer service, training and related purposes;
- to communicate with you by way of notice pursuant to applicable legislation or our constitution or circulating reports or other correspondence to you;
- maintaining appropriate business records;
- to ensure network and information security, including preventing unauthorised access to our computer and electronic communications system and preventing malicious software distribution;
- where required for tax reporting purposes;
- education, training and development requirements;
- equal opportunities monitoring;
- to respond to, evaluate or deal with any queries, complaints or legal issues in relation to you;
- internal and external audits and, where necessary, investigations;
- establishing, exercising, defending or gathering evidence relating to any legal claims, litigation or grievance or disciplinary hearings.
The legal grounds that we rely on to process your personal data are:
- that it is necessary to comply with our legal obligations;
- that it is necessary for the purposes of our legitimate interests or the legitimate interests of a third party to whom your personal data is provided. We will not process your personal data for these purposes if our or the third party’s legitimate interests should be overridden by your own interests or fundamental rights and freedoms. The legitimate interests pursued by us in this regard include:
  - Conducting our business in a responsible and commercially prudent manner and dealing with any disputes that may arise;
  - Preventing, investigating or detecting theft, fraud or other criminal activity;
  - Pursuing our corporate and social responsibility objectives.
- That it is necessary to take steps at your request prior to entering into our contract with you and for the performance of our contract with you;
- In certain limited circumstances, where we need to protect your interests (or someone else’s interests) or where it is needed in the public interest or for official purposes.
- In certain limited circumstances, your consent.
How we use special categories of sensitive personal data
Waystone will not process sensitive personal data unless one of the following circumstances is met:
- In certain circumstances with your explicit written consent;
- Where it is necessary for the purposes of carrying out the obligations and exercising our specific rights or yours in the field of employment and social security and social protection law;
- Where it is necessary to protect your vital interests or that of someone else where the data subject is physically or legally incapable of giving consent;
- Where it is needed in the public interest, or is requested by a law authority;
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards;
- Where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent;
- Where you have already made the information public;
- Where Waystone is subject to a due diligence process and as such provides professional experience details of senior management or key individuals in the business.
Recipients of Data
Your personal data may be disclosed to various recipients in connection with the above purposes, including:
- The Board of Waystone and (in circumstances where there is legitimate interest, performance of a contract or legal obligation) other employees;
- payroll providers, pension and health insurance providers, pensions trustee;
- The Revenue Commissioners and other foreign tax authorities as required by applicable law;
- The Central Bank of Ireland, Cayman Islands Monetary Authority, the Financial Conduct Authority, National Futures Association, Commission de Surveillance du Secteur Financier, the Workplace Relations Commission, Department of Social Protection, Pensions Authority, auditors, or other competent governmental or regulatory authorities, trade unions or equivalent industrial relations body and bodies as requested or required by law;
- Other third parties who we engage to provide services to us, such as professional advisers, independent investigators, insurers, occupational health specialists, legal advisers, auditors and IT service providers;
- To screening and other reference agencies in order to carry out money laundering and identity checks and to comply with legal obligations;
- Other members of our corporate group or the corporate groups of the entities referred to above, as well as affiliates, agents and delegates, both within and outside the EEA; and
- In the context of a business or group company sale, re-organisation or restructuring or corporate finance activities.
In connection with the above purposes your personal data may be transferred outside the European Economic Area, including to a jurisdiction which is not recognised by the European Commission as providing for an equivalent level of protection for personal data as is provided for in the European Union. These jurisdictions may include the United States of America, the United Kingdom, the Cayman Islands and Asia. If and to the extent that we do so, we will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with our obligations under GDPR governing such transfers, which may include:
- entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the European Commission;
- in respect of transfers to the United States of America, ensuring that the transfer is covered by the EU-US Privacy Shield framework (for so long as it meets the requirements of GDPR as regards reliance on adequacy decisions under Article 45 of the GDPR);
- transferring your personal data pursuant to binding corporate rules; or
- a transfer where the European Commission has decided that the recipient ensures an adequate level of protection.
Further details of the measures that we have taken in this regard and the territories to which your personal data may be transferred are available by contacting us as set out above.
We will retain your personal data for the duration of our relationship and for such a period of time after the relationship ends as is necessary to comply with our obligations under applicable law and, if relevant, to deal with any claim or dispute that might arise.
You have the following rights, in certain circumstances and subject to applicable exemptions, in relation to your personal data:
- the right to access your personal data, together with information about our processing of that personal data;
- the right to rectify any inaccuracies in your personal data;
- the right to have any incomplete personal data completed;
- the right to erase your personal data (in certain specific circumstances);
- the right to request that your personal data is no longer processed for particular purposes (in certain specific circumstances);
- where the legal basis for processing is consent, the right to withdraw your consent at any time;
- the right to object to the use of your personal data or the way in which it is processed where we have determined it to be necessary for the purposes of our legitimate interests;
- the right to data portability (in certain specific circumstances);
- the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the requirements.
What happens if you do not provide us with your information
If we believe that we require relevant information to effectively and properly manage our relationship, we may not be able to continue our relationship with you or (in certain circumstances) to pay you or administer your pension if you decline to provide us with that personal data.