Introduction
Your information is very important to us and we look after it carefully in line with privacy and data protection laws, including the General Data Protection Regulation and any applicable UK legislation. We’ve set out below in more detail what information we collect about you, how we use that information and your rights as a data subject.
This Freelancer Privacy Notice relates to Freelance PAYE or Freelance Self Employed contracts and describes the categories of personal information we may process, how your personal information may be processed and how your privacy is safeguarded in the course of our relationship with you. It is intended to comply with our obligations to provide you with information about the Company’s processing of your personal information under privacy laws. It does not form part of your contract of engagement.
We may update this Freelancer Privacy Notice from time to time and will notify you when any changes are made. This Freelancer Privacy Notice was last updated on 25 May 2018.
The Company is committed to protecting the security of the personal information you share with us. To support this, we’ve taken appropriate technical, physical and organisational measures to make sure the level of security is appropriate to the risk. Our policies covering Privacy & Data Protection and our Code of Conduct are available on the Company’s intranet or HR@Boomcymru.co.uk
More detail on the Freelancer Privacy Notice:
- Who is the Company?
- How does the Company collect data?
- What information is the Company processing and why?
- Who has access to my data?
- Where is my data transferred?
- How long does the Company keep my data?
- What rights do I have and how can I use them?
Who is the Company?
Any reference to “we”, “us”, “our” and “the Company” is to the Boom Cymru TV group of companies. We’re known as the “data controller”. You can contact us at GDPR@boomcymru.co.uk for more information about how we process your data, including how to exercise your rights as a data subject. The Company or relevant associated company of the Company identified in your contract of engagement will be the data controller of your personal data. In addition, where processing of personal data is undertaken by other associated companies of the Company for their own independent purposes, these associated companies may also be controllers of your personal data.
How does the Company collect data?
The Company collects and records your personal information from a variety of sources, but mainly directly from you. You will usually provide this information directly to your Company or production/project team contact through you applying for assignments, or during our contracting, onboarding and payment processes or emails and CV’s which you send to the Company in the course of your engagement on a production or project or an unsolicited CV for potential future engagements.
Following your engagement with the Company you may also elect to send us updated versions of your CV from time to time (“Updated CV’s”).
We may also obtain some information from third parties, for example, tax authorities, benefit providers or where we employ a third party to carry out a background check (where permitted by applicable law) or if securing references as part of the process for offering assignments.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, Closed Circuit television, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws.
In these circumstances, the data may be collected by the Company or a third party provider of the relevant service. This type of data is generally not accessed on a routine basis but access is possible. Access may occur, for instance, in situations where the Company is investigating possible violations of Company policies such as those relating to travel and expense reimbursement, use of the telephone system and the Internet, or Freelance conduct generally, or where the data are needed for compliance or billing purposes. More frequent access to such data may occur incidental to an email surveillance programme, if and to the extent permitted by applicable laws.
Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. Failure to provide any mandatory information will mean that we cannot carry out certain processes. For example, if you do not provide us with your bank details, we will not be able to pay you.
In some cases it may mean that we are unable to continue with your engagement as the Company will not have the personal information we believe to be necessary for the effective and efficient administration and management of our engagement with you.
Apart from personal information about you, you may also provide the Company with personal information of third parties, i.e., for purposes of administration and management including to contact your next-of-kin in an emergency. Before you provide any such third party personal information to the Company you must first inform these third parties of any data you intend to provide to the Company and of the processing to be carried out by the Company, as detailed in this Freelance Privacy Notice.
What information are we processing and why?
Personal information means any information describing or relating to an identifiable individual, such as name, address, age, contact details, health etc. Additional information that we process on Freelancers includes:
Personal Information
We will collect some or all of the various types of personal information about you for the purposes described in this Freelancer Privacy Notice including:
- Freelancer related data: your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, gender, nationality, second nationality, civil/marital status, date of birth, age, home contact details (e.g. address, telephone number, e-mail), national insurance, social security or any other national identification number, immigration and eligibility to work data, languages spoken; next-of-kin/dependent contact information;
- Data related to your engagement with the Company: work contact details (e.g. address, telephone number, e-mail), work location, default hours, default language, time zone and currency for location, worker number and various system IDs, work biography, reporting line, worker type, hire/contract start and end dates, cost centre, role title and role description, working hours and patterns, termination/contract end date; your last day of work, references, status (active/inactive/terminated); the reason for any change in role and date of change; benefit coverage start date;
- Recruitment and talent pooling data: qualifications, references, CV and application, interview and assessment data, vetting and verification information;
- Regulatory data: records of your registration with any applicable regulatory authority, your regulated status and any regulatory references;
- Payment and benefits data: including contract pay as applicable, allowances, auto-enrolment pension schemes, bank account details, job level, social security number, tax information, expenses, participation in benefits provided by third-parties;
- Leave information: absence records (including dates and categories of leave/time-off), holiday dates;
- Data relating to Company, Production or Project processes: health and safety audits, risk assessments, incident reports, data relating to training or training received, call sheets, contacts lists, organising travel and hotel bookings, insurance cover
- Monitoring data (to the extent permitted by applicable laws): Closed Circuit television footage, system and building login and access records, keystroke, download and print records, data caught by IT security programmes and filters;
- Freelancer claims, complaints and disclosures data – freelancer involvement in incident reporting and disclosures, investigation of complaints by or regarding freelancers and;
- Supporting the Boom Cymru technology estate – personal contact details, browsing history, data stored on laptops, home ISP provider details, sound recording for training and quality purposes
- Equality and diversity data – where permitted by law and provided voluntarily, data regarding ethnicity, gender, age, race, nationality, religious belief, community background and sexual orientation
Certain additional information may be collected where this is necessary and permitted by local applicable laws.
In relation to the processing of any pension data, if applicable please note that the Trustees of the relevant pension scheme will send you a separate privacy notice to cover this.
Special categories of Personal Information
To the extent permitted by applicable laws the Company may also collect and process a limited amount of personal information falling into special categories, sometimes called “sensitive personal data”.
This includes information relating to such matters as racial or ethnic origin, religious beliefs, physical or mental health (including details of adjustments or accommodations), certain maternity/adoption information, sexual orientation, criminal records and information regarding criminal offences or proceedings.
Purposes for Processing Personal Data
In general, the processing of your personal information is necessary to perform the contract of engagement between you and the Company and for compliance with legal obligations which the Company is subject to. The processing is also necessary for the purpose of the legitimate interests pursued by the Company, except where such interests are overridden by your interests or fundamental rights and freedoms.
This processing also enables us to: provide you with various benefits (statutory holiday, auto-enrolment assessment and deductions and, if applicable to your role, statutory sick pay); to manage and administrate your engagement; and to consider you for future engagements within the Company.
Please click here for the full list of processes that use your personal information, including the purpose and the lawful basis of each process. We may undertake certain other processing of personal information which are subject to additional Privacy Notices and we shall bring these to your attention where they arise.
Some of our processing will involve special categories of sensitive information, as described above. This information will only be processed where data protection law allows this using a specific lawful justification, under one of the following bases where the processing is necessary:
- where explicit consent has been given;
- where the processing is necessary;
- for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law (including such laws which also apply to workers), social security and social protection law, to the extent permissible under applicable laws;
- for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws;
- to protect your vital interests or of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency); or
- for the establishment, exercise or defence of legal claims; or
- for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.
Please click here for some examples of processes using special categories of sensitive information
We may seek your consent to certain processing which is not otherwise justified under one of the above bases. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your engagement to agree to any request for consent from the Company. Where consent is given, it may be withdrawn by you at any time, but this will not impact on any other lawful basis for processing relied on by the Company;
Personal Information relating to criminal convictions and offences will only be processed where authorised by applicable laws, for example:
- a criminal record check may be carried out on recruitment or transfer where authorised by applicable laws; or
- an allegation of a criminal offence or conviction arising during your relationship with the Company may be processed where required or authorised. For example where we have a legal or regulatory requirement to report an offence, or applicable laws authorise the Company to process information about the offence for the purpose of making decisions regarding your relationship with the Company.
Who has access to my data?
Your personal information can be accessed by or may be disclosed within the Company on a need-to-know basis to:
- Production, talent or project teams and hiring managers relating to your current engagement or potential future engagements;
- Human Resources team members;
- Those responsible for managing or making decisions in connection with your relationship with the Company or involved in a process concerning your relationship with the Company;
- System administrators and system maintenance – by teams in the Company such as Finance, Technology, Reporting teams.
- Insurance/health and safety/legal and business affairs/for scheduling purposes
Certain basic personal information, such as your name, location, job title, contact information and any published skills and experience profile may also be accessible to other colleagues via the Company’s intranet.
Your personal information will only be shared where necessary with third parties, e.g. providers of payroll, auto-enrolment pension, onboarding/offboarding and training services and other third parties such as the Company’s insurers bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors. Where these third parties act as a “data processor”, they carry out their tasks on our behalf and upon our instructions for the above mentioned purposes. In this case your personal information will only be disclosed to these parties to the extent necessary to provide the required services.
Personal information may also be shared with certain interconnecting systems (such such as payroll, pension and benefits systems). Data contained in such systems may be accessible by providers of those systems, their associated companies and sub-contractors. In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
Where is my data transferred?
Your personal information is mainly processed within the European Economic Area (EEA), however from time to time your personal information (including special categories of personal information) will be transferred elsewhere in the world to ITV group companies or third parties to process, for the purposes described in this Freelancer Privacy Notice. ITV has group companies within the EEA and also in Hong Kong, Australia and the USA. This may also include transfer of your personal data for the purposes of any international assignments.
IT maintenance and incident support for some of ITV systems is outsourced to a company in India. Their support staff have administrative access and are able to access data and also use resources from other territories including Argentina, Canada and the USA to resolve issues as quickly as possible. Access is controlled via a privileged access management tool and can be revoked by ITV at any time.
As a result, your personal information may be transferred to countries whose data protection laws may be less stringent than yours. Where this is the case, the Company will ensure that appropriate or suitable safeguards are in place to protect your personal information and that its transfer is in compliance with applicable data protection laws.
Where required by applicable data protection laws, the Company will ensure that service providers (including other Company associated companies) sign standard contractual clauses as approved by the European Commission or other supervisory authority with jurisdiction over the relevant Company exporter. You can request a copy of any standard contractual clauses in place which relate to transfers of your Personal Information by contacting GDPR@Boomcymru.co.uk
How long does the Company keep my data?
We retain your personal information only so long as it is required for purposes for which it was collected, whilst keeping it as up-to-date as possible and making sure that irrelevant or excessive data is deleted or made anonymous as soon as reasonably practicable.
Each Updated CV which you send us will be retained by us for 4 years and can be accessed by our Hiring Managers and Production or Project Teams, in considering you for future engagements within the Company. You have a right to ask your CV to be deleted from our records, and can do so by contactingGDPR@Boomcymru.co.uk. We will endeavour always to refer to the most up to date version of your CV when considering you for future engagements.
Our aim is to ensure that data is retained in accordance with the periods set out in the Retention Schedule and that data is deleted as soon as reasonably practicable thereafter. We are looking to put into place suitable processes and procedures to achieve that aim. Please be aware that not all of the entries on the Retention Schedule will be applicable to those engaged on freelance contracts.
In order to perform our contractual obligations and to comply with the applicable laws, we generally retain your information for the duration of your engagement plus a further 6 years. Thereafter we will securely destroy your data, including that held by any third party, unless there is an obligation to retain it further.
We may keep some specific types of data, (for example tax records, pensions data) for different periods of time, as required by applicable law.
What rights do I have and how can I use them?
In law you are the ‘Data Subject’ and you have several rights that you can exercise over your data such as the right to access, correct and request to delete your personal information. From 25th May 2018 you have some additional rights e.g. data portability, restricting the processing or objecting to it if was done under legitimate interests.
You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence (e.g. the Information Commissioner’s Office in the UK), if you consider that the processing of your personal information infringes applicable law.
Please click here for more information on your rights and how to use them or contact HR@Boomcymru.co.uk or GDPR@Boomcymru.co.uk
Who is the Company? More information …
Boom Cymru TV Limited is registered in England (Company Number: 02936337) and its registered office is; GloWorks, Porth Teigr Way, Cardiff CF10 4GA. The Boom Cymru group of companies includes, but is not limited to, the following companies that may issue you with an employment contract:
- Gorilla TV Limited
Registered in England under number 03776018
Registered Office: GloWorks, Porth Teigr Way, Cardiff CF10 4GA
- Bait Studio Limited
Registered in England under number 05991179
Registered Office: GloWorks, Porth Teigr Way, Cardiff CF10 4GA
Any queries relating to the General Data Protection Regulation (GDPR) should be directed to GDPR@boomcymru.co.uk.
Boom Cymru TV Limited is registered with Information Commissioner’s Office (ICO) as data controller (registration number: Z9940465). For more information please visit the ICO’s website www.ico.org.uk
Other companies in the Boom Cymru group are registered with ICO where necessary.
Purpose and lawful basis
Ref | Purpose for processing | Necessary for Performance of Contract | Necessary to comply with a Legal Obligation | Legitimate Interest | What is the Company’s Legitimate Interest |
a) | Recruitment and selection | Y | Y | Y | The Company considers it has a legitimate interest in fully assessing applications for freelance assignments and talent pools to ensure only suitable and appropriate candidates are both assessed and selected, so that the Company identifies the right people for its business who will be able to contribute to its operations and culture.
The Company also considers it has a legitimate interest in retaining the details of freelancers in a talent pool and sharing the details with other production teams within the Company so that these individuals can be considered for future engagements the Company is recruiting for. The Company understands that this is the expectation of the freelance community and enables these individuals to be hired more frequently, which we believe is in their interest and to their benefit. |
b) | Appropriate vetting for recruitment and team allocation including, where relevant and appropriate credit checks, right to work verification, identity fraud checks, criminal record checks (if and to the extent permitted by applicable laws), relevant assignment history, relevant regulatory status and professional qualifications; | Y | Y | The Company considers it has a legitimate interest in managing its business operations in the most effective way and needs to make decisions relating to the future of its business in order to preserve its business operations or grow its business, including the interests of the workforce as a whole and the Company customer base. | |
c) | Providing and administering pay, statutory benefits, assessment and deductions for auto-enrolment, reimbursement of expenses and making appropriate tax and social security and other deductions and contributions as required; | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business, including ensuring that freelancers are paid and in undertaking normal business operations. |
d) | Allocating and managing duties and responsibilities and the business activities to which they relate, including business travel; | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties, undertakes their role correctly and in accordance with appropriate procedures and in undertaking normal business operations. | |
e) | Identifying and communicating effectively with freelancers; | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business including undertaking normal business operations and maintaining a dialogue with freelancers. |
Ref | Purpose for processing | Necessary for Performance of Contract | Necessary to comply with a Legal Obligation | Legitimate Interest | What is the Company’s Legitimate Interest |
f) | Training | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring that each freelancer undertakes appropriate duties, undertakes mandatory training and undertakes their roles correctly and in accordance with appropriate procedures. |
g) | Conducting statutory reporting and surveys for benchmarking, identifying improved ways of working,(these will often be anonymous but may include profiling data such as age and gender to support analysis of results);
|
Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business. This includes ensuring that each freelancer undertakes appropriate duties and mandatory training, undertakes their role correctly and in accordance with appropriate procedures. Undertaking normal business operations, maintaining a dialogue with freelancers, ensuring they are paid and complying with applicable laws and regulations. | |
h) | Processing information about absence or medical information regarding physical or mental health or condition in order to: assess eligibility for statutory benefits if applicable, make adjustments or accommodations to duties or the workplace; make management decisions regarding engagement or continued engagement; | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties and undertakes their roles correctly and in accordance with appropriate procedures and managing absence and leave entitlements.
The Company considers that it has a legitimate interest in managing and supporting its workforce, managing health and safety risks and operating its business. This includes taking steps to identify and mitigate risks to freelancers or other workers’ health, safety or welfare and ensuring that where required appropriate adjustments are made to working conditions. |
i) | Complying with reference requests where the Company is named by the individual as a referee; | Y | The Company considers it is in the legitimate interests of a new engager to receive confirmation of engagement details from the Company for the purposes of confirming the former freelancer’s engagement history. | ||
j) | Operating email, IT, internet, social media and other policies and procedures. To the extent permitted by applicable laws, the Company carries out monitoring of the Company’s IT systems to protect and maintain the integrity of the Company’s IT systems and infrastructure; to ensure compliance with the Company’s IT policies and to locate information through searches where needed for a legitimate business purpose; | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business. The IT function is essential to ensuring that this can be carried out in the most effective way. This includes maintaining the integrity and security of data and facilitating records management.
This includes putting in place appropriate policies and procedures for measuring compliance, detecting breaches and taking action if they are not complied with. |
Ref | Purpose for processing | Necessary for Performance of Contract | Necessary to comply with a Legal Obligation | Legitimate Interest | What is the Company’s Legitimate Interest |
k) | Satisfying its regulatory obligations to supervise the persons engaged or appointed by it to conduct business on its behalf, including preventing, detecting and investigating a wide range of activities and behaviours, whether relating to specific business dealings or to the workplace generally and liaising with regulatory authorities; | Y | Y | The Company considers it has a legitimate interest in ensuring that its business, clients, employees, freelancers and systems are protected including detecting and preventing crimes or criminal activity; ensuring only appropriate freelancers are engaged in our business; ensuring compliance with export control and other legal requirements placed upon us (both by EU and non-EU laws). | |
l) | Protecting the private, confidential and proprietary information of the Company, its employees, freelancers, clients and third parties; | Y | Y | The Company considers it has a legitimate interest in ensuring that its business, clients, employees, freelancers and systems are protected including protecting our assets and the integrity of our systems, detecting and preventing loss of our confidential information and proprietary information. | |
m) | Complying with applicable laws and regulation (for example maternity or parental leave legislation, working time and health and safety legislation, taxation rules, worker consultation requirements, other employment laws (to the extent they apply to workers) and regulation to which the Company is subject in the conduct of its business); | Y | Y | The Company considers that it has a legitimate interest in managing its workforce and operating its business. This includes ensuring each freelancer undertakes appropriate duties, carries out mandatory training and undertakes their roles correctly and in accordance with appropriate procedures. It is also necessary to undertake normal business operations and maintain a dialogue with freelancers and comply with applicable laws and regulations. | |
n) | Monitoring programmes to ensure equality of opportunity and diversity with regard to personal characteristics protected under applicable anti-discrimination laws; | Y | Y | The Company considers it has legitimate interests in ensuring that it takes action to prevent discrimination and promote an inclusive and diverse workplace. | |
o) | For business operational and reporting documentation such as management and headcount reporting, the preparation of annual reports or tenders for work or client team records including the use of photographic images; | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancers undertakes appropriate duties and undertaking normal business operations. | |
p) | To operate the relationship with third party customers and suppliers including the disclosure of relevant vetting information in line with the appropriate requirements of customers to those customers, contact or professional CV details or photographic images for identification to clients or disclosure of information to data processors for the provision of services to the Company; | Y | Y |
The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties and undertaking normal business operations. This includes the sharing of appropriate information with existing and prospective customers and suppliers about who is or will be working with them in order to develop strong relationships and support the effective performance of commitments with customers and suppliers. |
Ref | Purpose for processing | Necessary for Performance of Contract | Necessary to comply with a Legal Obligation | Legitimate Interest | What is the Company’s Legitimate Interest |
In some cases this may also include supporting customers and suppliers to comply with their legal or regulatory obligations or security requirements by having sufficient information about those providing services to them.
The Company also has a legitimate interest in ensuring that it can engage with customers and suppliers effectively and that they can access the information they need to provide the service for which they have been engaged. |
|||||
q) | Where relevant for publishing appropriate internal or external communications or publicity material (including photographic images) via the Company Intranet, social media and other publicity and communication channels in appropriate circumstances; | Y | Y | The Company considers it has a legitimate interest in managing and communicating with its workforce and operating its business including ensuring that each freelancer undertakes appropriate duties and undertaking normal business operations.
That includes giving information to the workforce or, where appropriate customers, our audience, other stakeholders or the wider market about relevant business activities, plans or projects. That can include making reference to those freelancers who are involved in the relevant matters being communicated above.
Effective communication with freelancers contributes to the attraction and retention of high calibre freelancers, development and retention of customer relationships, audience engagement and participation, strong business performance, business growth and maintaining and enhancing the Company’s reputation. This supports the Company’s immediate and long-term business goals and outcomes. |
|
r) | To support administration and management and maintaining and processing general records necessary to manage the freelance relationship and operate the contract of engagement; | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring that each freelancer undertakes appropriate duties, undertakes mandatory training and their roles correctly and in accordance with appropriate procedures; managing leave entitlements; undertaking normal business operations; maintaining a dialogue with freelancers; and complying with applicable laws and regulations. |
s) | To change access permissions; | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business. The IT function is essential to ensuring this can be carried out in the most effective way including complying with the Company policies and access controls. |
Ref | Purpose for processing | Necessary for Performance of Contract | Necessary to comply with a Legal Obligation | Legitimate Interest | What is the Company’s Legitimate Interest |
t) | To provide technical support and maintenance for information systems; | Y | Y | Y | The Company considers it has a legitimate interest in managing its workforce and operating its business. The IT function is essential to ensuring that this can be carried out in the most effective way including maintaining the integrity and security of data and facilitating records management. |
u) | To enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you; | Y | Y | Y | The Company considers it has a legitimate interest in protecting its organisation from breaches of legal obligations owed to it and to defend itself from litigation. This is needed to ensure that the company’s legal rights and interests are managed appropriately. |
v) | To comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country; | Y | Y | Y | The Company considers it has a legitimate interest in ensuring that it complies with all legal requirements placed on it, whether those are EU obligations or non-EU obligations. The Company wishes to maintain its reputation as a good corporate citizen and to act appropriately in all the countries in which it does business. This includes cooperating with authorities and government bodies. Indeed, the Company is required to comply with laws and regulations in those countries in which it does business and to require otherwise would lead to conflicts of laws issues. |
w) | Production and exploitation of audio-visual programming for commercial purposes, including retaining the programme and your personal data in it in our archive, for the purpose of repeating the programme or otherwise using it for commercial purposes | Y | The Company has a legitimate interest in producing audio visual programming for commercial exploitation, as such “off-screen” contributions from individuals are crucial to this production activity and require the processing of personal information about these individuals. | ||
x) | Other purposes permitted by applicable laws, including legitimate interests pursued by the Company where these are not overridden by the interests or fundamental rights and freedoms of colleagues. |
Special category data
Ref | Purpose for processing | Lawful basis |
a) | Assess and review eligibility to work for the Company in the jurisdiction in which you work.
|
This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
In particular the requirement to check that you are legally permitted to work in your jurisdiction. |
b) | The collection of statistical data subject to local laws, or where required to record such characteristics to comply with equality and diversity requirements of applicable local legislation or to keep the Company’s commitment to equal opportunity under review. | This processing is necessary for (i) the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws and (ii) the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained. |
c) | Compliance with employment, health and safety or social security laws. For example, to provide statutory incapacity benefits if relevant, avoid breaching legal duties to you, to ensure fair and lawful management of your engagement, to administer statutory benefits and remuneration related to health, sickness absence and long-term incapacity, to make reasonable accommodations or adjustments and avoid unlawful discrimination or dealing with complaints arising in this regard. | This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
To the extent that this data is managed by our occupational health advisers or third-party benefit providers, this processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws. |
d) | Management and investigation of any complaint under the relevant Company’s internal policies where such characteristics or information are relevant to the particular complaint, in order to comply with employment law obligations. | This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
In particular employment laws relating to the effective management of complaints, anti-discrimination laws and our duty of care to freelancers. |
Data retention schedule
Category | Record Type | Retention Period |
Recruitment information | Job applications, CVs, test results and interview records of successful candidates | Six months following closing date of applications |
Recruitment information | Speculative cvs and subsequent updated versions for talent pools or potential future assignments or roles | Four years from the date of being received |
Recruitment information | Background/DBS checks – criminal offences, proceedings and sentences where this is legally required/permitted or where the employee or freelancer has consented (e.g. to protect the safety and security of staff and customers, or for insurance purposes) | Six months from the date of recruitment |
Recruitment information | Immigration checks (documentation required for immigration purposes – e.g. to evidence citizenship, details of residency, work permit) | Two years after the termination of employment or engagement |
Personal information | Employee, freelancer or contractor title, forename, middle name(s) and surname, birth name, preferred name, any additional names, employee or other identification number, gender, date of birth, home contact details (eg address, telephone number, e-mail), national ID number | Whilst employment or engagement continues and for up to six years after employment or engagement ceases. For the purpose of credits, name and role may be retained for the duration of the exploitation of the programme. |
Personal information | Nationality, second nationality, civil/marital status, next-of-kin/dependent/emergency contact information | Whilst employment or engagement continues and for up to six yearsafter employment or engagement ceases |
Basic work details | Work contact details (eg corporate address, telephone number, e mail), default language, time zone | Whilst employment or engagement continues and for up to six yearsafter employment or engagement ceases |
Terms & conditions of employment or engagement | Employee contracts, written particulars of contract, terms and conditions (including any updates), freelance terms and conditions, contractor agreements | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
Terms & conditions of employment | Collective workforce agreements (including past agreements) | Permanently – so long as the agreements may affect present employees |
HR & Training Records | HR records (generally) | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
HR & Training Records | Employee Performance Reviews | |
HR & Training Records | Employee disciplinary/ grievance records | |
HR & Training Records | Qualifications [and regulatory records] | |
HR & Training Records | General employee training records (unless specific legislation applies to training records for a given role) | |
HR & Training Records | Records of DBS/CRB checks | |
HR & Training Records | Investigation records, including whistleblower reports | |
HR & Training Records | Records of termination, retirement or resignation | |
HR & Training Records | Records of absence (not sickness or maternity/paternity/adoption related) | |
HR & Training Records | Records of absence (sickness related) | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases. |
HR & Training Records | Medical information, including allergies, disabilities, dietary requirements, GP contact details (where required legally or where consent given, e.g. to allow statutory time off for sickness, or to enable appropriate pay/employment adjustments to be made). | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
HR & Training Records | Photographs of employees or freelancers – ID pass watercooler profile (active directory) | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
HR & Training Records | Annual leave records | Six years (or possibly longer if leave can be carried over from year to year) |
HR & Training Records | Other leave records | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
Working Time Regulations | Working Time Opt-out forms (where relevant) | Six years from the date on which they were entered into |
Working Time Regulations | Records to show compliance with WTR (e.g. time sheets for opted-out workers, health assessment records for night workers) | Six years after the relevant period |
Payroll and Wages/Freelancer/Contractor payments | PAYE records required by HMRC & 46R (Freelancers) records, NI numbers | Whilst employment or engagement continues, and for up to six years plus current year after employment or engagement ceases |
Payroll and Wages/Freelancer/Contractor payments | Miscellaneous Payments and Deductions eg Bonus schedules, Overtime downloads, Contract pay, VAT payments, Salary increases, SAYE listings, Voluntary deductions. Including working hours details | For up to Six years following Financial Year end for Audit purposes |
Payroll and Wages/Freelancer/Contractor payments | Employee/Freelancer/Contractor Bank details | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
Finance and Accounting | Bank instruction and Payment files | Whilst employment or engagement continues, and for up to six years plus current year after employment or engagement ceases |
Benefits in Kind | PAYE records by HMRC, including NI numbers eg car, fuel, medical cost data for P11d reporting | Whilst employment or engagement continues, and for up to six years plus current year after employment or engagement ceases |
Expenses | Business expenses posted via corporate credit, claimed via expenditure on personal credit car or cash basis | Whilst employment or engagement continues, and for up to six years plus current year after employment or engagement ceases |
Family policy records | Dates of Maternity/paternity/adoption leave, Maternity certificates showing expected due data (MATB1) | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
Family policy records | Details of Maternity/paternity/adoption payments, or of period without maternity payment | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases |
Monitoring | CCTV footage | One month |
Monitoring | IT system log data / web log data / other electronic identification data (including device data) | No longer than necessary |
Legal | Details of any claims by employees/freelancers/contractors against the company | Six years from termination of employment or engagement |
Legal | Details of any claims by employees/freelancers/contractors against company insurance | Six years from termination of employment or engagement |
Legal | Details of any claims involving employees, freelancers or contractors | Six years from termination of employment or engagement |
Special categories of data | Racial or ethnic information (e.g. for equal opportunities purposes/with consent) | Whilst employment or engagement continues and for up to six years after employment or engagement ceases |
Special categories of data | Sexual orientation (e.g. for equal opportunities purposes/with the consent) | Whilst employment or engagement continues and for up to six years after employment or engagement ceases |
Special categories of data | Political affiliations, religion, community background, philosophical or similar beliefs where this is legally required / permitted or where the employee has consented, e.g. to allow statutory time off for religious purposes, or to enable the payment of religion/belief-based taxes in some countries | Whilst employment or engagement continues and for up to six years after employment or engagement ceases |
Special categories of data | Consents for processing of sensitive personal information | For so long as the data is processed and for up to six years afterwards |
Benefits | Record of reward and benefit entitlement, start date and participation | Whilst employment or engagement continues and for up to six years after final payment of benefit |
Health and Safety | Details of any reportable accident, death or injury in connection with work | At least three years from the date the report was made |
Data subject rights
What are my data subject rights and how can I use them?
As a data subject you have lots of control over the information that we hold on you, these rights and how to use them are explained below. If you have any questions, need more information or guidance please contact HR@Boomcymru.co.uk or GDPR@Boomcymru.co.uk.
Access to my data
You can request access to the information we hold on you with some limited exceptions and we will also tell you;
- why we are processing it;
- who are we sharing it with and if any information is transferred to a country not deemed to have adequate protections in place for personal data;
- how long will we be keeping your data;
- the source of the information, if it was not collected directly from you;
- if we are using your data for automated decision making or profiling.
If you are making a request for a copy of your personal data that we are processing, please be as specific as possible as this will both help us to identify the information more quickly and provide you with a copy without any undue delay.
Rectifying inaccuracies
If you feel the information we hold on you is inaccurate, you can ask us to correct or update it.
Right to be forgotten
You can also request that we erase your information, although that might not always be possible if doing so means we cannot perform our contract with you, or we have a legal obligation or legitimate interest to keep the data. We will explain the consequences of erasing your data.
Restrict the processing
If you feel we are processing your information unlawfully or with inaccurate data, you can ask us to restrict processing. Where Personal Information is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defence of legal claims unless we have your consent. If the processing is restricted we will continue to store the data.
Object to the processing
If you disagree with any legitimate interest or public interest we have relied upon to process your data, you can object to the processing. We will then stop processing the data unless we can demonstrate a compelling legitimate ground that overrides your rights, or the processing is required to establish, exercise or defend a legal claim.
Data Portability
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have the right to receive all such personal data which you have provided to the Company in a structured, commonly used and machine‑readable format, and also to require us to transmit it to another controller where this is technically feasible. We have produced a standard format of commonly used employee data for this purpose.
Make a complaint
We are committed to safeguarding your data and upholding your rights, but if you feel we have not done that, please contact us GDPR@Boomcymru.co.uk. Additionally you have the right to complain to the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO).
Please contact HR@Boomcymru,co.uk orGDPR@Boomcymru.co.uk if you want any of the information above or want your rights further explained.