Fair Processing Notice for UK applicants, consultants and employees

Introduction

SDL is committed to respecting your privacy. This Fair Processing Notice explains the processing of the personal data of people who apply to work with us and work with for SDL PLC, SDL Sheffield Ltd, and SDL Tridion Ltd, these companies will be referred to as “SDL”. For each member of staff the data controller will be the company which employs you and for directors it is the company of which you are a director, in addition SDL PLC will perform functions of the head of the SDL group of companies and when performing such functions will be a joint data controller of the personal data of employees of SDL Sheffield Ltd, and SDL Tridion Ltd. SDL PLC will also be the data controller for all contractors, freelancers, applicants, interview candidates, interns, agency workers, consultants. 

All personal data that we obtain about you will be used in accordance with current data protection law applicable to you and this Fair Processing Notice. We need to collect and process personal data in order to perform your employment contract, to comply with legal obligations and for our legitimate interests to operate our business. 

The following Fair Processing Notice describes: 

  • the categories of personal data we may process; 
  • how your personal data is processed; 
  • for what purposes we process your data; and 
  • how your privacy is safeguarded in the course of our relationship with you. 

This notice does not form part of your employment contract.

Definitions

  • Personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media on which the data are stored and is explained in more detail below. 
  • Processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction. 
  • Company, SDL, we, us and our means SDL and our associated companies. 
  • You or your means current and former employees, contractors, freelancers, applicants, interview candidates, interns, agency workers, consultants and directors. 
  • Employment also includes other engagements or work relationships.

Changes to this notice

SDL may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to take notice of any changes, however where any change affects your rights and interests, we will make sure we bring this to your attention and clearly explain what this means for you.

How we collect data about you

We may collect your personal data in a number of ways, including: 

  • personal data provided by you when you apply for a job at SDL; 
  • personal data provided by you when you start employment at SDL; 
  • personal data provided by you when you communicate with any of the corporate functions at SDL (including HR, IT, Finance) by telephone, email or via a helpdesk ticket and Yammer (for example when you contact us or any HR team members to make an enquiry or raise a concern); 
  • personal data collected from or observed about you in the course of your employment; and 
  • personal data collected from third parties such as referees, screening agencies or benefit providers about you, if this is necessary you will be informed at the time and the third party identified.

Types of personal data processed

Personal data SDL may process includes: 

  • personal details (including name, gender, nationality, date of birth, marital status, 
  • contact information (including home address, phone numbers and personal email addresses) 
  • data related to your engagement with previous employers and the Company 
  • pay and benefits data (including salary, expenses, earnings, deductions) 
  • right to work information (including visas, passports and immigration details) 
  • photographs of your information provided as part of your employment application, or created during the application process (e.g. interview notes) 
  • financial information (including bank details, social security and tax numbers). 
  • attendance information (for medical and other types of leave and vacation) 
  • performance management data including records of time worked 
  • information provided in relation to grievances, flexible working requests, appeals and complaints 
  • references 
  • disciplinary information 
  • training and development data (e.g. training received) 
  • health and safety data (e.g. accident reports, risk assessments) 
  • Monitoring data to the extent permitted by applicable laws (e.g. closed circuit television footage, system and building login and access records, download and print records, call or meeting recordings, data caught by IT security and filters) 
  • Background screening data 
  • any other legitimate personal data relating to your employment 

We may also collect, or you may choose to provide us with, the following special categories of more sensitive personal data: 

  • information revealing your race or ethnicity, religious beliefs, sex life or sexual orientation (whether or not indicated by your gender or gender identity) and political opinions 
  • information about your health, including any disability or medical condition, and dietary requirements 
  • information about criminal convictions or offences 

These special categories of personal data require us to take additional steps to ensure their security and confidentiality. We will refer to both types of data as personal data unless we specifically refer to special data.

Personal data provided by you about others

Apart from personal data relating to you, you may also provide the Company with personal data of third parties, notably your dependents and other family members, for purposes of HR administration and management, including the administration of benefits and someone to contact in an emergency. Before you provide such third party personal data of people over 18 to the Company you must first inform these third parties of any such data which you intend to provide to the Company and of the processing to be carried out by the Company, as detailed in this Fair Processing Notice. This is particularly important if you are notify SDL of health details of any person when you must have their consent to SDL knowing the information.

How SDL uses personal data about you

SDL as your employer acting in the course of the employment relationship may process personal data) about you for the following purposes:

As necessary, to perform your employment contract

Processing is necessary to perform the contract between you and the Company, including but not limited to: 

  • To make an appropriate offer to you and administer your employment contract if you join us. 
  • HR administration including maintaining your record in our HR system for integrity and security of data, ensuring information remains up to date and deleting information when it is no longer required. 
  • In order to provide and administer the payments and benefits we have agreed to provide to you as part of your contract of employment including those relating to absence or incapacity. 
  • Access controls to facilitate access to appropriate locations and systems. 
  • To provide basic employment details for the purposes of references, which could be after your employment has ended.

As necessary, to comply with a legal obligation:

Including but not limited to: 

  • HR Administration and processing is needed for compliance with employment laws, health and safety laws, data protection laws and other regulatory laws. 
  • In cases where we need to ensure equality of opportunity or treatment between people of different racial or ethnic origins, holding different religious or philosophical beliefs, people with different states of physical or mental health or people of different sexual orientation with a view to enabling such equality to be promoted or maintained. 
  • Establish the right to work in the country in which you are employed. 
  • Comply with the requirements of the tax authorities in relation to tax and social security of payments or benefits to you. 
  • To enforce policies and procedures for employees for attendance, behaviour and performance. 
  • To avoid unlawful dismissal. 
  • In cases of litigation or regulatory matters to ensure that the Company’s legal rights and interests are managed appropriately, to protect the Company’s reputation and to protect the Company from other damage or loss. 
  • In cases there is a legal obligation to disclose information or a court or other legal order to provide information is place. 
  • In cases of commercial transactions where the Company is subject to comply with automatic transfer rules. 
  • To comply with statutory Company reporting obligations and corporate governance requirements such as preparation of management information reports; financial accounts and other reports in relation to HR metrics such as retention or attendance; reporting for internal and external governance; and liaising with third parties such as investors or finance providers. 
  • To comply with legal obligations on employee relations safety, 
  • Security monitoring and preventing and detecting inappropriate or unlawful activities – to comply with health and safety laws, our duty of care and regulatory laws.

As necessary, for our legitimate interests

SDL considers the activities listed below are necessary purposes for processing of personal data to enable SDL to conduct its legitimate business interests as an employer and provider of technology and services to customers. It is not considered these activities are detrimental to the interests or fundamental rights and freedoms of employees, contractors, freelancers, applicants, interview candidates, interns, agency workers or consultants. 

Including but not limited to: 

  • Business information protection 
  • Allocating and managing work 
  • Carrying out commitments to clients 
  • Communications with prospective and actual clients 
  • Performance and talent management 
  • Training, development and succession planning 
  • Employee engagement 
  • Operating Company Policies & Procedures and Network Protection 
  • Safety, Security monitoring and preventing and detecting inappropriate or unlawful activities 
  • Business development and stakeholder management 
  • Communication and public relations

Additional legal basis we rely on where we process special category data:

  • Consent which we ask you to explicitly provide for specific purposes. 
  • Employment law, social security and social protection law, to the extent permissible under applicable laws. 
  • Preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws. 
  • Where you have made the special data public. 
  • Protect your vital interests or of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency). 
  • Exercise or defense of legal claims.

The purposes we use special category personal data for:

The purposes for which SDL processes special category data are necessary for performance of the contract of employment to comply with our legal obligations as an employer. These specific purposes are now explained:

Work permits, details of residency, proof of citizenship

  • Requirement to check that you are legally permitted to work in your jurisdiction.

Racial or ethnic origin, religion, philosophical or political belief, sexual orientation or disability status

  • In particular compliance with anti-discrimination legislation.

Health and medical

  • To the extent that this data is managed by our occupational health advisers, this processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws. 
  • Management of time off for sickness and payment of salary or equivalent.

Details of trade union membership

  • In particular human rights laws relating to freedom of association and assembly, laws relating to the Company’s interaction with Trade Union members and officials and avoiding detrimental treatment relating to Trade Union membership or activities.

Grievance, whistleblowing, anti-bullying and harassment or similar policies and procedures or disciplinary procedures

  • In particular employment laws relating to the effective management of complaints and avoiding unlawful dismissals, anti-discrimination laws and our duty of care to staff.

Processing data relating to criminal convictions and offences:

The lawful basis for processing criminal records information, are either for preventing and detecting unlawful acts where we process the information in connection with your employment in certain departments within SDL where we consider exposure to data including personal data is a high risk or the checking of criminal records is a Regulatory requirement upon our customers which they require their suppliers to fulfill. 

  • Criminal record check may be carried out on recruitment or transfer. 
  • Allegation of a criminal offence or conviction arising during your relationship with the Company:
        - where we have a legal or regulatory requirement to report an offence; or
        - applicable laws authorise the Company to process information about the offence (e.g. in a disciplinary process) for the purpose of making decisions regarding your relationship with the Company.

In the event background screening is required you will be informed and asked to consent.

Disclosures of personal data:

We will share your personal information for the above purposes as relevant and necessary. Your personal information may be:

  • Accessed by or may be disclosed internally on a need to know basis to:
        - Local, regional and global Human Resources;
        - Local, regional and executive management responsible for managing or making decisions in connection with your relationship with the Company [Compliance, Legal, Employee Relations and Information Security];
        - System administrators; and
        - Finance and IT Department and the Global HR information systems support team. 
  • Certain basic personal data may also be accessible to other employees ( limited to your name, location, job title, contact information, employee number and any published skills and experience profile) 
  • Shared with third parties whom we work together with (including without limitation, Sage People, Concur and Benefit Providers) 
  • Personal data will also be shared with certain interconnecting systems such as the main HR system and local payroll and benefits systems. Data contained in such systems may be accessible by providers of those systems, their associated companies and sub-contractors. 
  • Data will be shared with tax authorities, regulatory authorities, the Company’s insurers, bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors, payroll providers, and administrators of the Company’s benefits programs. 
  • We may share personal data with national or international authorities in order to comply with a legal obligation to which we are subject. 
  • Your personal data will be disclosed to clients and other organisations with which SDL interacts in the course of our business. At the heart of any business is its people and their names, roles contact details and in some cases qualifications have to be shared with customers and other trade organisations as part of doing business.

Transfers of personal data:

  • Your personal data may be transferred to countries outside of the country in which you work or outside of the EEA to countries whose data protection laws may be less stringent than yours. 
  • These transfers maybe to other companies in the SDL group or to third party companies outside the group providing services to the SDL group. 
  • The Company will ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with applicable data protection laws. 
  • The countries to which your personal data could be transferred are any of the countries in which SDL has offices. For transfers to SDL INC and its affiliates we rely upon the Privacy Shield see the policy at HR Global – Europe Privacy Policy (EU US Privacy Shield). For transfers between our other offices both inside and outside the EEA an Inter-Group Data Processing Agreement is in place including the EU Model Clauses as appropriate. 
  • If you require more information on the mechanisms for transfer of your data please contact privacy@sdl.com.

How SDL keeps your personal data secure

SDL has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in any unauthorised way or altered or disclosed. In addition, SDL limits access to your personal data to the persons and organisations described above who have a need to access it. In any case, SDL will ensure that any person or organization who have access to your personal data is subject to a strict duty of confidentiality. For further information on security generally, visit the SDL Information Security page on the hub. 

SDL has also put in place procedures to deal with any suspected personal data security breach and will notify you and any applicable regulator within the time periods in applicable law of a suspected or an actual breach where legally required to do so.

How long SDL will retain your personal data

SDL must only retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to satisfy any legal, regulatory, accounting or reporting requirements. 

Specific retention periods are applied to each category of personal data that we may process about you. In setting these retention periods, the Company has taken into account: 

  • the nature, sensitivity and volume of the personal data 
  • the potential risk of harm to you arising from the Company’s continued retention of the personal data 
  • the purposes for which the Company may process your personal data 
  • whether the Company is required to retain any personal data by law or in accordance with its legitimate interests

Your rights as a data subject

The company which employs you is the Data Controller of your personal data and responsible for all processing of the data. 

However, SDL PLC when acting as a Joint Data Controller of the personal data of employees of SDL Sheffield Ltd, and SDL Tridion Ltd is solely responsible for all personal data processing. 

You are in control of the Personal Data SDL processes and you have a number of rights under the data protection laws in relation to the way we process your personal data. You can: 

• Request confirmation your Personal Data is being processed and a copy of the Personal Data being processed. SDL will respond to any request to the extent required by law and may charge a reasonable fee as provided by applicable law; 

• Obtain rectification of any inaccurate Personal Data; 

• Obtain the erasure of any Personal Data as provided by applicable law and SDL will erase unless required or entitled to preserve the Personal Data; 

• Request SDL to temporarily restrict its processing of your Personal Data while we are investigating a complaint you have; 

• Withdraw your consent where we have relied upon your consent to process your personal data or object to processing by SDL as provided by applicable law; and 

• In certain circumstances limited to certain types of data request the portability of your data. 

Your right to object to processing is balanced by SDL’s obligations to process your data for legal reasons or compelling legitimate grounds. Each request will be considered on an individual basis. 

The accuracy of the information that we hold about you is important to us. However, it is your responsibility to update us should your personal details (such as name, address, bank details) change. Some data can be updated by yourself via HRGlobal, but for other changes please contact your local HR contact. If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then we firstly ask you update the data on HRGlobal or you may request us to amend it. 

If you have any questions about how your personal information is used, or wish to exercise any of your rights please also contact your local HR contact. 

If you need further assistance please contact SDL’s Data Privacy Officer at privacy@sdl.com. You also have the right to lodge a complaint with the supervisory authority which for the UK is the Information Commissioner (www.ico.org.uk).