Privacy Notice Special Category Data

Scope

This Fair Processing Notice (“Notice”) describes how Renault Retail Group UK Ltd collects and uses personal information relating to Renault Retail Group UK Ltd people in the UK and Ireland.

Please note that there may be additional guidance issued in Ireland which may be required to enable compliance with any local law or regulation, if that local guidance is in any respect inconsistent with this document, this document shall only apply to the extent that it is consistent or may be made consistent, with that local guidance from time to time.

Aims

This Notice tells you what Special category data Renault Retail Group UK Ltd collects about Renault Retail Group UK Ltd people, why we need it, how we use it and what protections are in place to keep it secure.

Key Terms

“Renault Retail Group UK Ltd” “we” and “us” mean Renault Retail Group UK Ltd.

“Renault Retail Group UK Ltd People” and “you” mean prospective, present and past employees, contractors, and agency staff and people connected to them (such as the person you nominate to contact in an emergency). “Personal information” means information about you, and from which you could be identified, including information which may be protected under the privacy or data protection laws of the country in which you are employed.

“Special category data” is data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation. NB – not data relating to criminal convictions – this appears to be an individual category of data with special protections in the Regulation.

Privacy at Renault Retail Group UK Ltd

It is Renault Retail Group UK Ltd’s policy to:

  • Process your information fairly and in accordance with applicable laws:
  • Tell you (either directly or in our policies) about how we will use your personal information;
  • Only collect personal information from you when we need it for legitimate purposes, or legal reasons;
  • Ensure that your personal information is adequate, relevant and not excessive for the purpose for which we collect it;
  • Not keep your personal information for longer than we need to;
  • Keep your personal information secure, and limit the people who can access it;
  • Ensure that you know how to access your personal information and exercise your rights in relation to it, including being able to keep it accurate and up to date; and
  • Ensure that any third parties we share your personal information with take appropriate steps to protect it.

More information about Renault Retail Group UK Ltd’s policy to privacy and data protection is outlined in the General Data Protection Regulations Policy available on the company intranet.

What Special Category information does Renault Retail Group UK Ltd collect from and about you?

We collect and use different types of personal information about you, depending on your circumstances, your role and the law, which may include: sick notes, return to work, absence triggers return to work, Mat B1 / Maternity forms, Paternity, Accident reports and Medical reports.

Why do we need to collect and use your information?

We need to collect and use your personal information for a number of purposes. These may include:

Purposes for which we need your personal information Examples
Please note that the examples are illustrative and non-exhaustive
Sick notes To ensure correct payment during periods of sickness. Ensure correct reasons for absence are recorded. Suitability for work. Consideration of adjustments. Also this data may be used to defend any legal claims.
Return to work Ensure correct reasons for absence are recorded. Suitability for work. Consideration of adjustments. Payment purposes and capability performance management. Also this data may be used to defend any legal claims.
Absence triggers return to work This is a report that we hold that records employee name, reason for absence and absence dates. This is kept to support absence management and monitoring.
Mat B1 / Maternity forms To ensure you receive correct maternity payments and leave entitlement.
Paternity forms To ensure you receive correct paternity payments and leave entitlement.
Accident reports To ensure all accidents are recorded for the purposes of accident analysis, prevention and reduction. Also this data may be used to defend any legal claims.
Medical Reports To ensure full consideration of all medical information in the case of suitability to work, capability, performance management and consideration of adjustments. Also this data may be used to defend any legal claims.

If you give us someone else’s personal data

Sometimes, you might provide us with another person’s personal data – e.g. details of your emergency contact or next of kin. In such cases, we require you to inform the individual what personal data of theirs you are giving to us. You must also give them our contact details and let them know that they should contact us if they have any queries about how we will use their personal data.

How do we protect your personal information?

We have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction and accident loss of your personal information. You are required to help with this by ensuring that your own personal information and that of your colleagues and third parties are kept secure. You should not share your (or anybody else’s) personal information unless there is a genuine business reason for doing so.

We make appropriate organisation and technical security measures and have rules and procedures in place to ensure that any personal information we hold on computer systems is not accessed by anyone it shouldn’t be. Information about the IT security standards we use to protect your personal information can be found in the IT Security Policy.

Who do we share your personal information with?

We will only share your personal data with third parties where we have an appropriate legal ground under data protection law which permits us to do so. Commonly, this could include situations where we are legally obliged to provide the information (e.g. to HMRC for tax purposes), to comply with our contractual duties (e.g. to providers of your contractual benefits such as [occupational pension, health insurance, etc.]), or where it is necessary in our legitimate interest (e.g. to an IT service provider for maintenance of our IT systems).

Consequences of not providing personal data

We only ask you to provide personal data when we have a good reason and there may therefore be consequences if you do not provide particular information to us.

Some of the personal data you provide to us is required by law. For example, if you do not provide your national insurance number, we will not be able to make correct tax/NI deductions on PAYE, and, if you are pregnant, we require a MATB1 in order to pay statutory maternity pay.

We may require you to provide other personal data, where it is necessary for us [or our pensions/benefits providers] to fulfil our contractual obligations to you, or for you to fulfil your contractual obligations to us, or where our use of the data is necessary in our legitimate interests. For example, if you do not provide us with a timesheet, we cannot pay you for the [overtime] hours you have worked / if you do not provide us with your driving licence details we cannot issue you a loan plan or ECOP car, or if you do not provide us with change of address details we cannot accurately communicate with you.

If you choose not to provide us with personal data requested, we will tell you about the particular implications of any such decision at the relevant time.

How long will we keep your personal data?

We will not keep your personal data for longer than we need it for our legitimate purposes.

We take into account the following criteria when determining the appropriate retention period for Employees’ personal data:

  • the amount, nature, and sensitivity of the personal data;
  • the risk of harm from unauthorised use or disclosure;
  • the purposes for which we process your personal data and how long we need the particular data to achieve these purposes;
  • how long the personal data is likely to remain accurate and up-to-date;
  • for how long the personal data might be relevant to possible future legal claims;
  • any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept.

Given the variety of Employees’ personal data that we use and the varying circumstances in which we use it, it is difficult to specify ahead of time precisely how long we will keep particular items of personal data. Where possible, the HR Retention Policy (available on Connect) identifies retention periods applicable to your personal data, which have been determined on the basis of the above criteria and which represent the longest period for which we will ordinarily keep it. We may often keep particular items of your personal data for less time. However, there may also be circumstances in which it is appropriate for us to keep particular items of your personal data for a longer period than that set out in the HR Retention Policy. In particular, we will always keep your personal data for so long as we are required to do so under legal, accounting, reporting or regulatory requirements.

In addition, for some types of personal data, it is more appropriate to decide retention periods on a case by case basis (also using the criteria described above), and this is indicated in the HR Retention Policy where applicable.

We will base these decisions on relevant circumstances, taking into account the criteria listed above.

Your rights

You have a number of legal rights relating to your personal data, which are outlined here:

  • The right to make a subject access request. This enables you to receive certain information about how we use your personal data, as well as to receive a copy of it and to check that we are lawfully processing it.
  • The right to request that we correct incomplete or inaccurate personal data that we hold about you.
  • The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing
  • The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • The right to request that we transfer your personal data to you or to another party, in a structured format. This right applies in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).

If you have any questions about the personal information that we hold about you we suggest that you speak to your line manager or HR in the first instance.

If you would like to exercise any of the above rights or if you have any concerns about how your personal data is being used by Renault Retail Group UK Ltd, please contact your HR Coordinator in writing. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.

Note too that you have the right to make a complaint at any time and in the first instance you are encouraged to use the complaints procedure detailed within the Renault Retail Group UK Ltd GDPR Policy. If however we are unable to satisfactorily resolve your complaint you can complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk

Further guidance

Further guidance on this notice can be found in the General Data Protection Regulations Policy.

Notice owner

Rachel Manley
Head of HR

Review

Notice to be reviewed at least annually.