Employee Privacy Notice
This notice outlines:
- how Flagstone Group Limited (FGL) and Flagstone International Limited (FIL) use your personal information
- how and when we share your information
- how you can exercise your rights when it comes to your information
Who collects and uses your information?
Flagstone collects, processes, and stores your information in the ways outlined in this notice. FGL is registered as a data controller with the Information Commissioner’s Office (registration number ZA033774). FIL is registered as a data controller with the Jersey Office of the Information Commissioner (“JOIC”) (registration number 71026).
At times, FGL and FIL act as joint controllers of your information, especially information about FIL employees, as FGL provides back-office support to FIL.
What information do we collect and hold?
The information we may collect (directly from you or from third parties) and store includes:
- your name, signature, employee number, photo, business email address, business address, business landline, citizenship, passport/visa, driving licence, National Insurance Number, and other government identifiers
- date and place of birth, emergency contact, and gender
- contact details, including your home address, telephone number, and personal email address
- job position, job title, working time information, work location, start and end dates, job history, education history and qualifications, performance, grievance and disciplinary records, and reasons for leaving
- your salary, any bonus, salary increases, allowances, benefits, pension plans, tax codes, bank account details, accrued salary information, and details of any beneficiaries for benefits
- dates of leave, absence, holiday, maternity, paternity, adoption, shared parental leave, confirmation of birth of child, study leave, family leave, medical leave, and any other absence information
- time, systems/building access monitoring information, including CCTV images, internet, email and telephone usage data, and any other data generated on our systems in the course of your employment
- employee references and company details
- images of you recorded at events, or as part of promotions (both internal and external)
Flagstone also processes the following sensitive information:
- number of sick days and the information on a doctor’s certificate/occupational health report, information on work-related incidents
- information on disability, for the purposes of workplace accommodations
- information on maternity, adoption, and shared parental leave
- criminal records – where we’ve carried out pre-employment screening, or as part of our ongoing screening, we’ll receive results of your criminal background checks
- pre-employment and ongoing credit reference, right-to-work, and adverse media checks
- race, ethnicity, religion, including information on your passport or other citizenship and right-to-work documentation
- information you’ve voluntarily provided us for the purposes of equal opportunities and diversity initiatives
- sexual orientation, marital status, and information on your marriage or civil partnership certificate, for the purposes of administering name changes
How do we use your information?
We collect and use your information for several purposes, including:
- providing compensation, including payroll, expenses and other applicable incentives
- calculating and paying any taxes, student loans and other government contributions, plus managing any attachment of earnings orders
- providing applicable benefits, shares and other work-related allowances, including reporting of benefit entitlements and take-up of benefits
- managing the employment relationship and work activities
- providing performance evaluations and promotions
- producing and maintaining organisational charts
- managing and monitoring business travel
- carrying out workforce planning
- conducting talent management and career development
- managing holiday and other approvals for leave
- providing references
- administering mandatory training
- providing IT systems and support to enable you and others to perform your work, so that our business can operate, identify, and resolve IT issues, and to keep our systems secure
- complying with applicable laws, regulatory (including FCA) and employment-related requirements, including health and safety, employment and immigration laws and sanction laws
- monitoring and ensuring compliance with applicable policies, procedures, and laws to enable internal and external investigations
- communicating with you and other Flagstone employees and third parties, including existing or potential business partners, suppliers, customers, end-customers or government officials
- communicating with you or your designated contacts in case of an emergency
- responding to and complying with requests and legal demands from law enforcement agencies and regulators
- complying with corporate financial responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis, and controls
- promoting our business by sharing images and stories in internal and external articles
Why do we use your information?
We use your information lawfully for the purposes we’ve outlined above, where one of the following applies:
For non-sensitive information, our legal bases are:
- performance of the contract of employment with you
- compliance with legal obligations, especially labour and employment law, social security and protection law, tax law, and corporate compliance law
- the legitimate interests of Flagstone or other third parties (such as existing or potential business partners, suppliers, customers, end-customers, or governmental bodies and/or courts)
- your consent
For sensitive information, our legal bases are:
- to carry out the obligations and to exercise the specific rights of Flagstone or you in the employment field, social security, and social protection law as permitted
- to protect the vital interests of you or another individual where you’re physically or legally incapable of giving consent
- to establish, exercise, or defend a legal claim, or whenever courts are acting in their judicial capacity
- for the assessment of the working capacity of the employee, as permitted by local data protection law
- your explicit consent
Flagstone needs to process your personal information to enter into our contract of employment with you and to continue to perform crucial aspects of your contract of employment, such as paying you and providing you with benefits.
We must also comply with statutory requirements, other contractual requirements regarding your employment, and fulfil business and operational needs. If we’re not able to carry out the processing activities we describe in this notice, we may not be able to comply with your contract of employment. In some cases, we may not be able to continue your employment.
Who may we share your information with?
We may transfer personal information to third parties, including outside the UK and Jersey for processing purposes such as:
- communicating with third parties as necessary to fulfil our business operations. We may transfer work contact details to existing or potential business partners, suppliers, customers, government officials, and other third parties.
- regulators, authorities, and other third parties. We may transfer personal information to regulators, courts, and other authorities (tax and law enforcement authorities), independent external advisers (for example, auditors), insurance providers, pensions and benefits providers, and investigations teams (both internal and external).
- acquiring entities. If the business is sold or transferred in whole or in part (or if we contemplate a sale), we may transfer your personal information to the new employer or potential new employer as part of the transfer itself, or as part of an initial review for such transfer (for example, due diligence). This is subject to any rights provided by applicable law, including jurisdictions where the new employer or potential new employer is located.
- data processors. They are to process personal information only in line with our written contract. The data processors may be involved in workforce administration, IT system support, payroll and compensation, training, compliance, and other activities.
Where do we keep your information?
We store your information in the UK/Jersey where possible. In some circumstances, your information may be located elsewhere, which may include a country that does not have the same level of data protection as the UK or Jersey. We’ll always take measures to ensure we’re protecting your information as required by law.
How long do we keep your information for?
We only keep your personal information for as long as necessary. We may, for example, keep your personal information for a reasonable time after you’ve ended your employment to ensure we have the records we need in the event of a dispute or regulatory investigation, or to comply with any ongoing contractual obligations.
We also may need to keep personal information to comply with requests from regulators. In the event that we keep your personal information, applicable local law will determine the period. You can find more information in our Records Retention schedule in Standard Fusion.
You have rights when it comes to your personal information, and there are several requests you can make to exercise these rights.
The right to be informed how we're using your information
You can ask us to tell you who we share your information with, how we store your information, and so on.
The right to access your information
You can ask us for a copy of any information we hold on you.
The right to rectify your information
You have the right to ask us to correct information you feel is inaccurate, incomplete, or both.
The right to restrict how we use your information
In some cases, you have the right to restrict us from processing or deleting your information. There are some things we need to use your information for – for example, to help protect you from fraud, and to fulfil legal and contractual obligations. This may mean we’re unable to restrict how we use your information.
The right to object to how we use your information
In some cases, you have the right to object to the way we process your information. For example, when we’re processing your images to promote the business. There are some situations where we will not stop processing your information despite your objection – for example, to meet legal or regulatory obligations, or so we can continue to fulfil our contract with you.
The right to erasure
In some cases, you have the right to have your information erased. We may not be able to agree to your request if it affects our ability to meet our regulatory obligations, or so we can continue to fulfil our contract with you.
The right to data portability
You have the right to ask us to transfer a copy of some of your information to you or to a new data controller – for example, another employer. This applies when you’ve shared your information with us, it’s been collected with your consent, or where collecting it was necessary for the agreement between us.
The right to human intervention
You have the right not to be subject to a decision that's based solely on automated processing, if the decision affects your legal rights (for example, if we automatically reject your application for employment). However, we do not make automated decisions at the moment, so this is not currently applicable.
The right to withdraw your consent
Where we’re relying on your consent to process any of your information, you have the right to withdraw that consent at any time.
Exercising your rights
If you wish to exercise any of these rights, please contact our Data Protection Officer (DPO) at email@example.com. The DPO will fulfil your request within one month (UK) or four weeks (Jersey). We may extend this deadline by up to a further two months (UK) or eight weeks (Jersey).
If you’re concerned with how we've handled your information, please contact our Data Protection Officer at firstname.lastname@example.org.
You also have the right to complain to the Information Commissioner’s Office (UK): ico.org.uk. Or, you can contact the Jersey Office of the Information Commissioner: jerseyoic.org.
Updated January 2024