POLICY ON YOUR RIGHTS IN RELATION TO YOUR DATA
This policy outlines the rights that data subjects have, under the General Data Protection Regulation (GDPR), in relation to the data about them that we hold. Data subjects, for the purposes of this policy, includes employees (current, prospective and former), workers and contractors.
THE RIGHT TO BE INFORMED
In order to keep you informed about how we use your data, we have a privacy notice for clients and contractors. You can obtain a copy of the privacy notice from your Sterling Services UK Limited representative.
The Company also has a separate privacy notice applicable to employees, available from your manager, and job applicants available from your Sterling Services UK Limited representative.
You will not be charged for receiving our privacy notices.
Our privacy notices set out:
the types of data we hold and the reason for processing the data;
our legitimate interest for processing it;
details of who your data is disclosed to and why, including transfers to other countries. Where data is transferred to other counties, the safeguards used to keep your data secure are explained;
how long we keep your data for, or how we determine how long to keep your data for;
where your data comes from;
your rights as a data subject;
your absolute right to withdraw consent for processing data where consent has been provided and no other lawful reason for processing your data applies;
your right to make a complaint to the Information Commissioner if you think your rights have been breached;
whether we use automated decision making and if so, how the decisions are made, what this means for you and what could happen as a result of the process;
the name and contact details of our data protection officer.
THE RIGHT OF ACCESS
You have the right to access your personal data which is held by us. You can find out more about how to request access to your data by reading our Subject Access Request policy.
THE RIGHT TO ‘CORRECTION’
If you discover that the data we hold about you is incorrect or incomplete, you have the right to have the data corrected. If you wish to have your data corrected, you should complete the Data Correction Form.
Usually, we will comply with a request to rectify data within one month unless the request is particularly complex in which case we may write to you to inform you we require an extension to the normal timescale. The maximum extension period is two months.
You will be informed if we decide not to take any action as a result of the request. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.
Third parties to whom the data was disclosed will be informed of the rectification.
THE RIGHT OF 'ERASURE'
In certain circumstances, we are required to delete the data we hold on you. Those circumstances are:
where it is no longer necessary for us to keep the data;
where we relied on your consent to process the data and you subsequently withdraw that consent. Where this happens, we will consider whether another legal basis applies to our continued use of your data;
where you object to the processing (see below) and the Company has no overriding legitimate interest to continue the processing;
where we have unlawfully processed your data;
where we are required by law to erase the data.
If you wish to make a request for data deletion, you should complete the Data Erasure form.
We will consider each request individually, however, you must be aware that processing may continue under one of the permissible reasons. Where this happens, you will be informed of the continued use of your data and the reason for this.
Third parties to whom the data was disclosed will be informed of the erasure where possible unless to do so will cause a disproportionate effect on us.
THE RIGHT OF ‘RESTRICTION’
You have the right to restrict the processing of your data in certain circumstances.
We will be required to restrict the processing of your personal data in the following circumstances:
where you tell us that the data we hold on you is not accurate. Where this is the case, we will stop processing the data until we have taken steps to ensure that the data is accurate;
where the data is processed for the performance of a public interest task or because of our legitimate interests and you have objected to the processing of data. In these circumstances, the processing may be restricted whilst we consider whether our legitimate interests mean it is appropriate to continue to process it;
when the data has been processed unlawfully;
where we no longer need to process the data but you need the data in relation to a legal claim.
If you wish to make a request for data restriction, you should complete the Data Restriction form.
Where data processing is restricted, we will continue to hold the data but will not process it unless you consent to the processing or processing is required in relation to a legal claim.
Where the data to be restricted has been shared with third parties, we will inform those third parties of the restriction where possible unless to do so will cause a disproportionate effect on us.
You will be informed before any restriction is lifted.
THE RIGHT TO DATA ‘PORTABILITY’
You have the right to obtain the data that we process on you and transfer it to another party. Where our technology permits, we will transfer the data directly to the other party.
Data which may be transferred is data which:
you have provided to us; and
is processed because you have provided your consent or because it is needed to perform the employment contract between us; and
is processed by automated means.
If you wish to exercise this right, please speak to your manager.
We will respond to a portability request without undue delay, and within one month at the latest unless the request is complex or we receive a number of requests in which case we may write to you to inform you that we require an extension and reasons for this. The maximum extension period is two months.
We will not charge you for access to your data for this purpose.
You will be informed if we decide not to take any action as a result of the request, for example, because the data you wish to transfer does not meet the above criteria. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.
The right to data portability relates only to data defined as above. You should be aware that this differs from the data which is accessible via a Subject Access Request.
THE RIGHT TO ‘OBJECT’
You have a right to require us to stop processing your data; this is known as data objection.
You may object to processing where it is carried out:
in relation to the Company’s legitimate interests;
for the performance of a task in the public interest;
in the exercise of official authority; or
for profiling purposes.
If you wish to object, you should do so by completing the Data Objection Form.
In some circumstances we will continue to process the data you have objected to. This may occur when:
we can demonstrate compelling legitimate reasons for the processing which are believed to be more important than your rights; or
the processing is required in relation to legal claims made by, or against, us.
If the response to your request is that we will take no action, you will be informed of the reasons.
RIGHT NOT TO HAVE AUTOMATED DECISIONS MADE ABOUT YOU
You have the right not to have decisions made about you solely on the basis of automated decision making processes where there is no human intervention, where such decisions will have a significant effect on you.
However, the Company does not make any decisions based on such processes.
However, we may carry out automated decision making with no human intervention in the following circumstances:
when it is needed for entering into or the carrying out of a contract with you;
when the process is permitted by law;
when you have given explicit consent.
In circumstances where we use special category data, for example, data about your health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership the Company will ensure that one of the following applies to the processing:
you have given your explicit consent to the processing; or
the processing is necessary for reasons of substantial public interest.