DATA PROTECTION: FAIR PROCESSING NOTICE
IN-SYNC Digital Ltd takes the protection and privacy of personal data seriously. This Fair Processing Notice explains how we will use our Operative’s personal data before, during and after being an Operative working on assignments through IN-SYNC.
Our contact details
4 The Millennium Centre,
Surrey, GU9 7XX
Telephone number: 01252 704 034
Our Data Protection Officer can be emailed at firstname.lastname@example.org.
What personal data do we collect about you, how do we use that personal data, and what is our legal basis?
We need a legal basis in order to process your personal data. Our processing is because we either have a contract with you or you wish to obtain a contract with us, we have a legal obligation to process the data or the processing is a legitimate activity. On occasion, we will seek your consent to process your personal data but you are free to refuse.
When you are an operative or wish to become an operative of IN-SYNC, we collect and process your personal data:
- in order to fulfil our contract with you;
- to fulfil our legal obligations under Right to Work legislation;
- where the activity is a legitimate one for a business; and
- with your consent for marketing.
We process your personal data because we have a contract with you, you would like to enter into a contract with us or it is a legitimate business activity.
We process the following data to provide you with services and to contact you. Our legal basis to do so is because we have a contract with you or you would like to enter into a contract with us. We cannot provide you with a contract without this information.
- your name
- date of birth
- NI number
- home phone
- email address
- your financial data
- your employment data
- Unique Tax Reference number (UTR, verification for tax and CIS)
Once you become an Operative with IN-SYNC, we will assign you a unique identifier number as this is a legitimate activity in order to avoid any system errors or mistakes in making payments.
We will send you relevant information on auto-enrolment pensions (if appropriate) and HMRC update as part of our contractual service with you.
If you have a beneficiary or next of kin, we will collect and process their name, address, phone and DOB as this is a legitimate activity for us. Next of kin will only be contacted in emergency circumstances if it is in your vital interest that we do so.
We process your personal data because we have a legal obligation to do so.
Right to Work in the UK
In order to comply with our legal obligations under Right to Work legislation, we need to confirm your identity and will process any of the following documents to do so. We cannot have a contract with you unless we can verify your identity and right to work in the UK.
In order to process the identity checks, we will use credit reference agencies (“CRAs”). These checks are regulatory requirements.
To do this, we will supply your personal information to CRAs and they will give us information about you. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
IN-SYNC uses Callcredit as our CRA. Callcredit’s role also is as a fraud prevention agency, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with Callcredit are explained in more detail at www.callcredit.co.uk/crain
We process your personal data with your consent and where it is a legitimate business activity.
We will send you information pertaining to IN-SYNC because you are an Operative of ours as this is a legitimate business activity. We will also send you this information for one year after you have left IN-SYNC as you may wish to come back to us and this is a legitimate activity.
We will send you marketing information and newsletters from other companies in the IN-SYNC Group only when you consent for us to do so.
We will send you marketing information from certain third parties, only where this is linked to the provision of any financial services through an IN-SYNC Group Company, and is a legitimate business activity. You can limit or withdraw consent for this marketing at any time.
Should you choose to engage with such a third party service provider you will be provided with a separate Data Protection processing notice in respect of what service from the relevant service provider.
You have the right to unsubscribe to marketing at any time. If you do choose to unsubscribe, we will keep your name and email address on a suppression list so that we don’t email you again by accident and this is a legitimate activity for us.
If you are on our suppression list, you will still receive communications that are necessary to the performance of your chosen services, or notifications to avoid you missing deadlines and/or incurring penalties.
How long do we hold your personal data?
We will hold your personal data that was collected for right to work purposes for two years from when you ceased a relationship with IN-SYNC, after which it will be destroyed. This is a legal obligation.
We will hold the personal data that was collected for the purposes of engaging you for seven years, after which it will be destroyed. This is a legal obligation.
We will hold your name, email and phone number to send you marketing information as long as you would like us to do so. If you withdraw your consent, we will hold this data for five years in a suppression list so that we don’t market to you against your wishes.
If you have started the process to become an Operative and then changed your mind or it you are not accepted as an Operative, we will hold your data for two years, after which it will be destroyed. We hold it for two years in case it is required for by law enforcement agencies, the Home Office or for legal reasons.
Do we use any automated decision making?
We do not use any automated decision making.
Who do we share your personal data with?
Depending on your personal circumstances we may share your personal data with the following recipients:
- HMRC for the purpose of providing your chosen services and responding to requests for information;
- Home Office for the purpose of any right to work checks or queries;
- Our software, technology applications, database providers (Campaign Monitor Pty Ltd, Docusign UK Ltd, IRIS Software Ltd, Microsoft, SmartSheet Inc, TextAnywhere Ltd, Text Marketer Ltd, Signable Ltd, OVH, Symantec, Veritas, Gamma Horizon, Akixi, Zendesk, MFG, Hubspot, Quotevine, Instapage, Landingi, Facebook, Google, LinkedIn, Umbraco, Wordpress, Outgrow, YouTube, Outbrain, Plivo, The SMS Works, Merit, Feefo) necessary for recording, securing and updating your personal details and administering services internally as well as external communications;
- Callcredit Information Group Ltd for the purpose of identification, address and bank account verification;
- Barclays Bank Plc for the purpose of making payments;
- Capita Pay360 for the purpose of administering payments;
- companies that verify publicly available documents and information (e.g. Credit Reference Agencies, Home Office);
- High Court Enforcement Officers Association for the purposes of enforcing High Court writs to seize and sell assets to settle unpaid judgements;
- Information Commissioners Office in the event of a request for information or breach;
- IN-SYNC Group Companies (only with your consent) for marketing relevant services.
- Legal advisors and consultants
- Insurance companies
Do we transfer your personal data outside of the EU or EEA?
Your data is kept in the EU or EEA except for data that is processed by SmartSheet Inc, a technology application used by us to create administrative spreadsheets.
SmartSheet Inc is located in the USA, which is non-adequate country for data transfer as determined by the European Commission. Your data is protected by SmartSheet Inc by the Data Processing Addendum (“DPA”) they have in place, which incorporates the Standard Contractual Clauses (“SCC”) to ensure there is a valid transfer mechanism in place in accordance with the GDPR and Smartsheet regularly reviews its practices to ensure that it treats all data in accordance with Article V Standards of the GDPR. Details of which can be found here https://www.smartsheet.com/legal/DPA. Smartsheet continues to maintain its participation in and have certified their compliance with the EU-U.S. and US-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”) although this has been invalidated by the European Court of Justice, Smartsheet is committed to continuing to protect personal data in accordance with the Privacy Shield Principles.
You have rights in respect of our processing of your personal data which are:
- To access to your personal data and information about our processing of it. You also have the right to request a copy of your personal data (but we will need to remove information about other people).
- To rectify incorrect personal data that we are processing.
- To request that we erase your personal data if:
- we no longer need it;
- if we are processing your personal data by consent and you withdraw that consent;
- if we no longer have a legitimate ground to process your personal data; or
- we are processing your personal data unlawfully
- To object to our processing if it is by legitimate interest.
- To restrict our processing if it was by legitimate interest.
- To request that your personal data be transferred from us to another company if we were processing your data under a contract or with your consent and the processing is carried out automated means.
If you want to exercise any of these rights, please contact us on 01252 704034 or email our Data Protection Officer on email@example.com.
You also have the right to lodge a complaint about our processing with the UK's Information Commissioner's Office.