When Fine Futures Ltd processes your personal data, it is required to comply with the Data Protection Act 2018 (“DPA”) and the UK GDPR (the DPA and UK GDPR are together referred to as the “Data Protection Legislation”).
Your personal data includes all the information we hold that identifies you or is about you, for example, your name, email address, postal address, date of birth, location data and in some cases opinions that we document about you; as well as special categories of data, including but not limited to, medical and health records, Care Plans and information about your religious beliefs, ethnic origin and race, sexual orientation and political views.
Everything we do with your personal data counts as processing it - including collecting, storing, amending, transferring and deleting it. We are, therefore, required to comply with the Data Protection Legislation to make sure that your information is properly protected and used appropriately.
This privacy policy provides information about the personal data we process, why we process it and how we process it.
Our responsibilities
Fine Futures Ltd is the data controller of the personal data you provide. We have appointed Declan Smith as Data Protection Officer and they will have day to day responsibility for ensuring that we comply with the Data Protection Legislation and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.
What personal data do we process about you?
We process your personal data in order to provide you with the services you have requested, to fulfil the contract we have entered into with you and/or to receive/provide services or goods from/to you. We may also process your personal data to respond to any queries or comments you submit to us and to correspond with you on a day-to-day basis.
We may need personal data from you to be able to provide services to you, to meet our legal obligations, to enter into a contract with you and/or to provide you with all the information you need. If we do not receive the personal data from you, we may be unable to fulfil our obligations to you.
More information about the personal data we process is set out below:
Clients: Personal data that we may process about you (depending on the extent of the information you have provided to us) includes:
- Identity data such as your first name, middle names, last name, marital status, title, date of birth and gender
- Contact data such as your address, email address and telephone numbers
- Financial data including your bank account and payment card details
- Special categories of data including information about your medical background and health and diversity/equality information such as your race and ethnicity
- Any data deemed to be essential for providing a health and social care service.
We process most of your information on the grounds of consent from you, legitimate interests (such as research for the business to ensure we can operate effectively to changing climates), performance of a contract we have entered into with you, protection of the vital interests of a Data Subject or, in the case of special categories of data, processing for the provision of health or social care or treatment or the management of health or social care systems or services.
Suppliers/Contractors: Personal data that we may process about you includes:
- Identity data such as your first name, middle names, last name, marital status, title, date of birth and gender
- Contact data such as your billing address and delivery address (whether residential or your company address), email address and telephone numbers
- Financial data including your bank account and payment card details (except to the extent the financial information is company rather than personal information); and
- Transaction data including details about payments made to you (where you are an individual)
We process most of your information on the grounds of our legitimate interests (including a business relationship with you or the company for which you work) and fulfilment of our contract with you (where you are an individual). Any information we process about the company for which you work rather than you as an individual is not covered by this privacy policy.
Candidates: Personal data that we are likely to process about you includes:
- Identity data such as your first name, middle names, last name, marital status, title, date of birth and gender
- Contact data such as your postal address, email address and telephone numbers
- Background data such as your education, career background and work experience
- Personal information such as your skills and qualities
- Any other information that you include on any CV, application or covering letter you send to us. If this information includes special categories of data we will process that information on the grounds of consent, because you have chosen to provide it to us- we deem this as consent.
We process most of your information on the grounds of our legitimate interests to determine whether or not we have a suitable vacancy for you.
If we obtain consent from you to the processing of your personal data, you can withdraw your consent at any time. This will not affect the lawfulness of any processing we carried out prior to you withdrawing your consent.
Who may receive your personal data?
We only transfer your personal data to the extent we need to. Recipients of your personal data may include:
- Peninsula Business Service Limited, where it is in the interest of the business to manage a HR query, consultation, meeting or outcome in relation to our policies and procedures.
- The Access Group, where it is in the interest of the business to coordinate, manage/ operate our day-to-day business needs to its full potential. Additionally, where it is in the business’s interest to evidence compliance in relation to our legislative and regulatory requirements.
- The Care Skills Academy, where it is in the business’s interest to evidence compliance in relation to our legislative and regulatory requirements.
- The Disclosure barring service, where we have a legal obligation to ensure prior to commencement all employees have been subjected to a ‘criminal record check’ also known as a DBS check. This helps us obtain information for your suitability for any employment with us.
- Sussex Payroll Services Limited, for payroll purposes for all employees. This could be, but not limited to payments, NI contributions, Pension contributions, Tax contributions and payroll adjustments.
We do not transfer your personal data outside of the EEA.
How long will we keep your personal data?
We will retain your personal data for specific retention periods, as set out below. The retention period is not limited to if: We provide a service to you, work collaboratively together or you work for us.
Identity data such as your first name, middle names, last name, date of birth and gender
Contact data such as your postal address, email address and telephone numbers
Immigration Checks
Financial data including your bank account details, payroll records and tax status information
National Insurance Number
Next of kin and emergency contact information
Information about your dependents
Background data such as your education, career background and work experience
Personal information such as your skills and qualities
Benefits information including life assurance and ill health cover
Start date and, if different, the date of your continuous employment
Leaving date
Location of employment or workplace
Copy of passport
Employment records including job titles and work history
Training records
Information about working hours and holidays
Maternity and paternity leave information
Performance information
Disciplinary and grievance information
Accident records
Information about your ethnicity/racial background
Special categories of data to the extent we need such information to make sure you are comfortable and safe at work including information relating to your health and medical conditions
Any other information included on any CV, application or covering letter you provided to us
Legal Obligation
Legitimate Interests
Legal Obligation
Legal Obligation
Legal Obligation
Legitimate Interests
Contractual Requirement
Legitimate Interests
Legitimate Interests
Contractual Requirement
Legal Obligation
Legal Obligation
Legal Obligation
Legal Obligation
Legitimate Interests
Legal obligation or legitimate interests, depending on the type of training
Legal Obligation
Legal Obligation
Legitimate Interests
Legal Obligation
Legal Obligation
Provision of this information is voluntary and therefore collected on the grounds of your consent.
Required for us to meet our obligations and exercise our rights as your employer
Consent on the basis that the information was provided voluntarily
6 Months - 1 Year
6 Months - 1 Year
3 Years
3 Years
3 Years
3 Years
3 Years
6 Months - 1 Year
6 Months - 1 Year
3 Years
6 Years
6 Years
6 Years
3 Years
6 Years
6 Years
6 Years
3 Years
6 Years
6 Years
6 Years
12months, unless we provide a service to you.
3years
6months - 1year
Your information will be kept securely at all times.
Following the end of the relevant retention period, your files and the personal data covered by the retention period will be permanently deleted or destroyed.
What are your rights?
You benefit from a number of rights in respect of the personal data we hold about you. We have summarised the rights which may be available to you below, depending on the grounds on which we process your data. More information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide- to-the-general-data-protection-regulation-gdpr/individual-rights/). These rights apply for the period in which we process your data.
- Access to your data
You have the right to ask us to confirm that we process your personal data, as well as having the right to request access to/copies of your personal data. You can also ask us to provide a range of information, although most of that information corresponds to the information set out in this privacy policy.
We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we will let you know. To request access to your data, you must complete a Data Access Request which can be requested from the Data Protection Officer. (Mr Declan Smith). Please note we will require proof of identity upon any requests to access your personal data.
- Rectification of your data
If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we do not feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your request. To enable you to rectify your data you must submit a request with the reasoning(s) as to why you feel this data may be incomplete or inaccurate to our Data Protection Officer (Mr Declan Smith) via email on Declan.smith@finefutures.com
- Right to be forgotten
In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:
- Where we no longer need your personal data for the purpose for which we collected it
- Where we have collected your personal data on the grounds of consent and you withdraw that consent
- Where you object to the processing and we do not have any overriding legitimate interests to continue processing the data
- Where we have unlawfully processed your personal data (i.e. we have failed to comply with UK GDPR); and
- Where the personal data has to be deleted to comply with a legal obligation
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.
- Right to restrict processing
In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we do not have to delete it. This right is available to you:
- If you believe the personal data we hold is not accurate – we will cease processing it until we can verify its accuracy
- If you have objected to us processing the data – we will cease processing it until we have determined whether our legitimate interests override your objection
- If the processing is unlawful; or
- If we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim
- Data portability
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:
- Where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and
- Where we carry out the processing by automated means
We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.
- Right to object
You are entitled to object to us processing your personal data:
- If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority
- For direct marketing purposes (including profiling); and/or
- For the purposes of scientific or historical research and statistics
In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling, legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
Automated decision making
Automated decision making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late a certain number of times (without any input from HR, for example).
We do not carry out any automated decision making using your personal data.
Your right to complain about our processing
If you think we have processed your personal data unlawfully or that we have not complied with UK GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website: https://ico.org.uk/concerns/.
How to opt out of our privacy policy
As an individual, you have a statutory right to opt out of our privacy policy if we use or process your data as set out in this policy.
We will always communicate with you where possible, in relation to processing your data for the above reasoning(s). We will not process any data in relation to the above, without notifying you first.
There are no specific words that you must use to opt out, however you may find it useful to use the template below. Please provide any evidence of why you’d like to opt out based on any of the above reasons for processing your data.
[Your full address] [Phone number] [The date] [Name and address of the organisation] Right to object [Your full name and address and any other details to help identify you] I wish to exercise my right under data protection law to object to the processing of my personal data. [Give details of what use of your personal data you are objecting to, explaining clearly and simply the specific reasons why you are objecting.] You can find guidance on your obligations under information rights legislation on the Information Commissioner’s Office website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take. Please send a full response within one calendar month confirming if you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond. If there is anything you would like to discuss, please contact me. Yours faithfully |
Any questions?
If you have any questions or would like more information about the ways in which we process your data, please contact Declan Smith, GDPR Lead/Data Protection Officer on Declan.Smith@finefutures.com
Note: All QCS Policies are reviewed annually, more frequently, or as necessary.