Courier Facilities Limited (CFL) collects, holds and processes personal data relating to its employees, which is essential for it to manage its operations and their employment fairly and effectively. These activities are carried out in accordance with the General Data Protection Regulation 2016 (GDPR) and CFL’s Data Protection Policy.
The data held by the Human Resources team at CFL is primarily taken from the details that employees provide during the application and recruitment process and will be added to during the course of their employment, as necessary and appropriate.
During the recruitment process and any contractual change events during employment, employees give their consent for Courier Facilities Limited to process and retain their personal data, with a legitimate interest for doing so.
Courier Facilities Limited provides this Privacy and Fair Processing Notice to inform employees of how their personal data will be processed by the Human Resources team and the purposes for which the data has been collected.
As a general guide, anything that was classed as personal data under the Data Protection Act also qualifies as personal data under GDPR. Under GDPR, personal data is data which relates to a living/natural individual who can be identified from that data or from other information which is in the possession of, or is likely to come into the possession of, the data controller. In this case, the data controller is Courier Facilities Limited. It includes any expression of opinion about the individual as well as statements of fact.
IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information. ‘Pseudonymised’ personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
The processing of data includes obtaining, recording, storing, organising, maintaining, updating, retrieving, using, disclosing, transferring, and deleting.
For the purposes of data protection law, the “data controller” means the person or organisation who determines the purposes for and the manner in which any personal data are processed. The data controller is Courier Facilities Limited, a company incorporated and registered in England and Wales under company number 01705359 and having its registered office address at Building 580/1, Sandringham Road, Heathrow Airport, TW6 3SN, United Kingdom (referred to as “CFL”, or as “we” and related words such as “us” and “our”). Our registered VAT number is GB226287359.
As data controller we are responsible for, and control the processing of, your personal data. We are registered as a data controller with the Information Commissioner’s Office (ICO): www.ico.org.uk.
If you would like to contact us about this notice, including if you wish to receive further information about any aspect of it, please contact the Company Secretary.
According to Article 9, S.2(b) of the GDPR:
Consent is not required where “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment …. for appropriate safeguards for the fundamental rights and the interests of the data subject;” provided the connection is conferred or imposed by Law.
Types of personal data that Courier Facilities Limited may process, although not an exhaustive list, are:
Data concerning criminal offences, health, disability, ethnicity, sexual orientation and religion, constitutes sensitive personal data and is afforded an extra level of security and confidentiality.
The Regulation requires Courier Facilities Limited to process personal data in line with its 7 principles:
How your personal data will be used within the company
The official purposes for which Courier Facilities Limited processes personal data are notified to the Information Commissioner’s Office (ICO) on an annual basis and can be viewed on the ICO’s website at www.ico.org.uk.
To manage its operations effectively, provide services to employees and meet certain legal requirements, Courier Facilities Limited will process and maintain the personal data of its employees. This personal data may include all or any of the above listed data types.
In addition to this, Courier Facilities Limited may process some sensitive personal data about employees, such as details about health in order to provide care, and information concerning ethnicity, sexual orientation, gender identity, domicile and disability for planning and monitoring purposes. Also, for security reasons, information about past criminal convictions will be processed.
Personal data may be shared by Courier Facilities Limited to provide employees with services and support, such as to our Occupational Health provider, health cash plan provider, critical illness insurance provider, as well as with our partner HR and Employee Assistance organisation, Strategi Solutions Group.
Data management and protection agreements are in place with these partner organisations, and personal data shared will be done so with affirmative consent from the individual at the recruitment stage and again prior to any Occupational Health referral being made.
For example, the Occupational Health provider will need an employee’s name, address, phone number, sickness absence details, basic medical information, and any other relevant information as necessary, in order to offer a consultation and support to the employee.
Courier Facilities Limited may also use employee personal data to produce non-identifiable statistical data for analysis to fulfil monitoring commitments for purposes such as equality & diversity, and to provide a more targeted response to improving working lives and in working towards becoming an employer of choice.
Courier Facilities Limited may disclose appropriate personal data, including sensitive personal data, to third parties where there is a legitimate need or obligation, during or after an individual’s employment. Such disclosure is subject to procedures to ensure the identity and legitimacy of such agencies. These third parties may include the following:
This is not an exhaustive list and such third parties may have access to employee data only for the purpose of performing their function.
Any disclosures to third parties not listed here will be made only where there is a legitimate reason to do so and in accordance with the law and with prior affirmative consent from the individual.
Courier Facilities Limited may also use third party companies as data processors to carry out certain administrative functions on the CFL’s behalf. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with GDPR.
Spouses, partners, parents and other family members are considered to be third parties and no employee personal data will be disclosed unless express consent is received from the employee or the disclosure is in accordance with the GDPR. The same applies for landlords, sponsoring employers or sponsoring governments.
Employees have certain rights and responsibilities regarding their personal data, including:
Employees have a responsibility to ensure that the personal information they provide to Courier Facilities Limited is accurate and up to date.
Employees wishing to receive a copy of their own personal data can do so by making a Subject Access Request to the HR team.
Employee files will normally be held for six years after an employee has left Courier Facilities Limited. Basic information (including full name, job title and employment dates) about the former employee will be retained indefinitely after they have left Courier Facilities Limited. Individuals can withdraw consent for this information to be retained, and for it to be erased. Such requests must be made in writing to the Company Secretary, who will then notify HR Support.
Where you take the view that your personal data are processed in a way that does not comply with the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then inform you of the progress and outcome of your complaint. The supervisory authority in the UK is the Information Commissioner’s Office (ICO): www.ico.org.uk.
For any queries regarding the General Data Protection Regulation and how this affects your recruitment or employment, please contact the Company Secretary in the first instance, who may refer your query to HR Support.