Privacy Notices for Applicants and Employees

Last Updated: 09 July 2024

Brazil – Applicant Privacy Notice

I. GENERAL

InComm Brasil Pré Pago Ltda., a company incorporated in São Paulo, Brazil, whose registered office is at Spectrum, Avenida Angélica, nº 2.503, Cj. 46, Consolação, CEP 01227-200, City of São Paulo, State of São Paulo, Brazil (“InComm” or “we” “us” “our”) is committed to protecting and respecting the privacy and security of your personal data. This policy applies to prospective employees (“Applicants”). For the purposes of Law 13,709/2018 (“LGPD”), we act as a controller in the context of the processing of personal data set forth by this policy.

The policy describes the categories of personal data that we collect, how we use your personal data, how we secure your personal data, when we may disclose your personal data to third parties, and when we may transfer your personal data outside of Brazil. This Privacy Policy also describes your rights regarding the personal data that we hold about you and how you can access, correct, and request erasure of your personal data. We will only process your personal data in accordance with this policy unless otherwise required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.

II. COLLECTION OF PERSONAL DATA

For the purposes of this privacy policy, personal data means any information about an identifiable living individual. Personal data excludes anonymous or de-identified data that is not associated with a particular individual. We may collect, store, and process the following categories of personal data, which are required for us to administer our relationship with you:

• details contained in letters of application and resume/CV (including name, titles, addresses, telephone numbers, personal email address);
• date of birth;
• equal opportunities monitoring information including race, ethnicity and gender (some of which is considered sensitive personal data);
• government identification numbers (including national insurance number, driver license number, or other identification document);
• talent, recruitment and application details;
• education and training details;
• previous employment background and references;
• professional qualifications;
• language and other relevant skills;
• details on performance management;
• ratings;
• personality test results;
• development plan;
• willingness to relocate;
• visa and passport information and all registered;
• publicly available information;
• data relating to criminal records and credit history.

III. USE OF PERSONAL DATA

We only process your personal data where applicable law permits or requires it, for example, where the processing is necessary to take the steps that are required prior to entering into a contract, or where the processing is necessary to comply with a legal obligation that applies to us. We may process your personal data for the following business purposes:

• to assess your skills, qualities, and qualifications for us to determine if we can offer you a job with our company
• to inform you about job openings matching the job profile
• to communicate with you about the recruitment process
• to conduct background checks to ensure a safe and secure working environment, considering the nature of our business. The specific nature and extent of background checks will be determined based on the position and its responsibilities, including possible legal requirements
• to identify potential financial or criminal risks that could affect our business
• to comply with administrative, physical, and technical safeguards implemented to protect the integrity of our business and confidentiality of relevant information

We will only process your personal data for the purposes for which we collected it. If we need to process your personal data for an unrelated purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law or regulation.

We will not be able to process your application if you fail to provide information when requested which is necessary for us to consider your application (such as evidence of qualifications or work history). For example, if we require references to determine your suitability for the role you are applying for and you fail to provide us with relevant details, we will not be able to take your application further.

If we decide to invite you for an interview, we will use all of the information you provide to us, including at the interview, to decide whether to offer you the job position. If we decide to offer you the job position, we may contact additional references, or request additional information before confirming your offer.

You will not be subject to decisions based on automated data processing without your knowledge.

IV. DISCLOSURE OF YOUR PERSONAL DATA TO THIRD PARTIES

We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, IT software providers or other third-party service providers who require such information to assess your application and assist us with taking the steps that are required prior to entering into a contract with you, including third-party service providers who provide services to us or on our behalf.

We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We do not permit our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.

We may also disclose your personal data for the following additional purposes where permitted or required by applicable law:

• to other members of our group of companies for the purposes set out in this Privacy Policy and as necessary to assess your application and assist us with taking the steps that are required prior to entering into a contract with you;
• as part of our regular reporting activities to other members of our group of companies;
• to the police, regulatory bodies, legal advisors or similar third parties where we are under a legal duty to disclose or share your personal data in order to comply with any legal obligation. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances.
• to any central or local government department and other statutory or public bodies to comply with applicable law;
• to protect the rights and property of InComm, including it’s parent company, and any subsidiaries and/or affiliates;;
• during emergency situations or where necessary to protect the safety of persons;
• where the personal data is publicly available;
• if a business transfer or change in ownership occurs; and
• for additional purposes with your consent where such consent is required by law.

V. RETENTION OF YOUR PERSONAL DATA

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Personal data may be retained for up to ten years, according to the statute of limitations set forth by the applicable laws. If you apply for another role within such ten-year period, your data will be retained for a further period from the date of your latest application. Under some circumstances we may anonymise your personal data so that it can no longer be associated with you. Where we do this, the data will no longer be considered ‘personal data’ and we will not notify you or seek your consent to use this information.

VI. INTERNATIONAL TRANSFERS OF PERSONAL DATA

The data that we hold about you may be transferred to, accessed from, or stored at, a destination outside Brazil, including the United States, Canada or the European Economic Area. It may also be processed by staff operating outside the Brazil who work for us or for one of our suppliers. Such staff may be engaged to, among other things, administer the recruitment process with you, including data held on our HR recruitment system (ICIMS) with our corporate HR team and other relevant persons within InComm plus any 3rd party suppliers as appropriate and relevant to the provision of support services.

Where your personal data is transferred to, or accessed from, a country or territory outside Brazil, we implement appropriate safeguards to ensure that your personal data continues to be protected to the standards set out in this Privacy Notice. If the country or territory has not been subject to a formal finding of adequacy by the relevant authority in the exporting country, then this may include a formal transfer mechanism such as standard contractual clauses. We assess the data protection regime in all countries or territories outside Brazil to which we transfer personal data to establish whether further safeguards are needed to overcome any law or practice in that jurisdiction that could undermine the effectiveness of the safeguards we have in place, and will implement further safeguarding measures as necessary. We keep these under review and will take steps to remedy any issues that may arise. [If you wish to receive details of the measures we have in place for these transfers, please [contact incommprivacy@incomm.com]].

VII. YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA

Under data protection laws in Brazil, you have the following rights in relation to your personal data:

• Access and confirmation: You may request confirmation that we hold personal data about you, as well as access to that information. This right relates to the information we hold about you, and not the documents in which your personal data is contained. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
• Rectification: you may request that we update the personal data we hold about you where it is inaccurate or outdated. It is important that the data we hold about you is accurate and current, so please keep us informed if your personal data changes during your application.
• Erasure: You may request the deletion of the information we hold about you.
• Anonymization, blocking or elimination: If we process your personal data in an unnecessary, excessive way or in noncompliance with the provisions of the LGPD, your personal data may be anonymized, blocked or eliminated,
• Portability: You may request the receipt or transmission to another organisation, in a machine-readable format, personal data that you have provided to us.
• Shared use: You shall receive information regarding the shared use of your personal data with any third party,
• Withdrawal of consent: if we process your data on the basis of your consent, you may withdraw that consent at any time. We will immediately stop processing that data, however the withdrawal of your consent does not affect any prior processing we undertook,
• Refusal of consent: where applicable, you may refuse to give your consent to process your data and shall be informed regarding such possibility and its consequences.
• Complaint: You may lodge a complaint with your local data protection supervisory authority.

Should you wish to exercise any of these rights, please [contact incommprivacy@incomm.com].

We may request specific information from you to help us confirm your identity, and to provide you with the personal data that we hold about you or take the requested action.

VIII. CONTACT US

If you have any questions, comments or requests regarding this policy or how we use your personal data please contact your recruitment liaison at InComm. This is in addition to your right to contact the competent data protection supervision authority. To contact us please email our Data Protection Officer at incommprivacy@incomm.com or contact HR at hr@incomm.com

Last updated: February 2024

EU and UK – Staff Privacy Notice

GENERAL

Incomm is committed to protecting and respecting the privacy and security of your personal data. This Privacy Policy is provided on behalf of the InComm companies listed in the Schedule and applies to current, and former employees, consultants, directors, secondees, casual workers, agency workers, volunteers and individuals on work experience at those companies (“Staff”). References to InComm and “we”, “us”, and “our” in this Privacy Policy refer to the relevant company applicable to your application.

The Privacy Policy describes the categories of personal data that we collect, how we use your personal data, when we disclose your personal data to third parties, and when we transfer your personal data outside of the UK or European Economic Area (“EEA”). This Privacy Policy also describes your rights regarding the personal data that we hold about you and how you can access, correct, and request erasure of your personal data. We will only process your personal data in accordance with this Privacy Policy unless otherwise required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.

COLLECTION AND USE OF PERSONAL DATA

For the purposes of this Privacy Policy, personal data means any information about an identifiable living individual. Personal data excludes anonymous or de-identified data that is not associated with a particular individual. To carry out our activities and obligations as an employer, we may collect, store, and process the following categories of personal data, which are required for us to administer our relationship (whether as employer, prospective employer or otherwise) with you:

• personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
• date of birth;
• diversity and inclusion information (some of which is considered sensitive personal data, such as information about racial or ethnic origin, information about your health, and sexual orientation);
• emergency contact information;
• location of employment or workplace;
• details about marital status and dependents (to administer relevant benefits);
• government identification numbers such national insurance number, driver’s license number or other identification card number;
• bank account details and payroll information;
• wage, annual leave and benefit information;
• performance information, including but not limited to appraisal documentation, performance management information;
• pension enrolment information;
• start date and job title;
• leaving date, and the reason for leaving;
• education and training records;
• disciplinary and grievance records;
• employment records (including professional memberships, references, work history, and proof of work eligibility);
• other personal details included in an application form, C.V. or other information that you otherwise voluntarily provide to us;
• data relating to employee absence, sickness or maternity (to comply with employment and other laws, such as our statutory sick leave and parental leave obligations);
• physical or mental health or condition or disability status (to ensure employee safety in the workplace and provide appropriate workplace adjustments);
• data relating to criminal records and credit history to comply with legal requirements (if applicable) and for the purposes of administrative, physical, and technical safeguards implemented to protect the integrity of our business and confidentiality of relevant information;
• CCTV footage and other information obtained through electronic means such as entry card records; and
• information about your use of our information and communication systems; including, but not limited to:

o your activity on InComm devices, including geolocation; and
o your activity on applications tied to the InComm network.

We collect your personal information directly from you (e.g. through the application and recruitment process, or any information that we collect during the course of job-related activities throughout the period of you are engaged by us). Additionally, we may also collect personal data about you from the following third parties:

• recruitment agencies and recruitment platforms that we work with, or through which you had made you application for a job with us;
• background check providers, such as the Disclosure and Barring Service in England and Wales;
• credit rating agencies;
• your named employment references; and
• publicly available sources, including professional networking and social media sites (such as LinkedIn).

PURPOSES OF PROCESSING PERSONAL DATA

We only process your personal data where applicable law permits or requires it. This includes where the processing is necessary for the performance of our employment contract with you, or where the processing is necessary to comply with a legal obligation that applies to us as your employer. We may also process your personal data for the following business purposes:

 

Processing Activity Legal Basis
employee administration (including payroll and benefits administration) Performance of employee contract; Consent
enrolling you in a pension arrangement in accordance with out statutory obligations Legal obligation (where required by statute); Performance of employee contract
business management and planning Legitimate business interest in administering corporate strategy and company policies
processing employee work-related claims (for example, insurance claims) Performance of employee contract
administering the contract we have with you Performance of employee contract
accounting and auditing Legitimate business interest in internal administration
conducting performance reviews and determining performance requirements Performance of employee contract; Consent
absence monitoring Performance of employee contract; Consent
assessing qualifications for a particular job or task Consent
carrying out investigations into potential disciplinary or grievance matters Performance of employee contract; Consent
making arrangements for the termination of our working relationship Performance of employee contract
complying with applicable law Legal obligations
education, training, and development requirements Performance of employee contract; Consent; Legal obligations (where applicable)
equal opportunities monitoring Legal obligations
complying with health and safety obligations Legal obligations

 

We will only process your personal data for the purposes for which we collected it. If we need to process your personal data for an unrelated purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law or regulation.

We may also process your personal data for our own legitimate interests, including for the following purposes:

• to prevent fraud;
• to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
• for monitoring of employees (including monitoring through CCTV and employee use of our information and communication systems) and assessing compliance with our policies and procedures; and
• to support internal administration with our affiliated entities.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our Staff).

You will not be subject to decisions based on automated data processing that have a significant effect on you without your prior consent.

 

DISCLOSURE OF YOUR PERSONAL DATA TO THIRD PARTIES

We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, IT software providers or other third-party service providers who require such information to assist us with administering the employment relationship with you, including third-party service providers who provide services to us or on our behalf. Third-party service providers may include, but not be limited to, payroll processors and benefits administration providers.

We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us as your employer. We do not permit our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.

We may also disclose your personal data for the following additional purposes where permitted or required by applicable law:

• to other members of our group of companies for the purposes set out in this Privacy Policy and as necessary to perform our employment contract with you;
• as part of our regular reporting activities to other members of our group of companies;
• our professional advisors, such as lawyers, accountants and auditors, for example, in order to obtain legal advice or as part of our regular auditing and business management practices;
• to the police, regulatory bodies, law enforcement agencies or similar third parties where we are under a legal duty to disclose or share your personal data in order to comply with any legal obligation. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances;
• to any central or local government department and other statutory or public bodies (such as HMRC, DWP) to comply with applicable law;
• to a prospective employer of yours who requests a reference;
• to protect the rights and property of InComm;
• during emergency situations or where necessary to protect the safety of persons;
• where the personal data is publicly available;
• if a business transfer or change in ownership occurs; and
• for additional purposes with your consent where such consent is required by law.

DATA SECURITY

All information you provide to us is stored on our secure servers. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration or disclosure. In addition, we limit access to personal data to those employees, agents, contractors and other third parties that have a legitimate business need for such access.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

The data that we collect from you may be transferred to, and stored at, a destination outside the UK [or the EEA], including the United States or Canada. It may also be processed by staff operating outside the UK or the EEA who work for us or for one of our suppliers. Such staff maybe engaged to, among other things, administer payroll and for the performance of our employment contract with you, including data held on the HRIS system (Ultipro) and our Learning Management System (Cornerstone), with our corporate HR, Finance, IT teams and other relevant persons within InComm and any third party suppliers as appropriate and relevant to the provision of support services. By submitting your personal data, you acknowledge this transfer, storing or processing.

Where your personal data is transferred to, or accessed from, a country or territory outside the UK or the European Economic Area, we ensure that appropriate safeguards are in place to ensure that your personal data continues to be protected to the standards set out in this Privacy Policy. If the country or territory has not been subject to a formal finding of adequacy by the relevant authority in the exporting country, then this may include a formal transfer mechanism such as the UK International Data Transfer Agreement or Addendum, or the European Commission’s standard contractual clauses. In certain circumstances, for example, where it is necessary for us to transfer your personal data to another jurisdiction to defend a legal claim, then we may rely on a derogation that exempts us from putting in place such a mechanism. If you wish to receive further details of the measures we have in place for these transfers, please [contact incommprivacy@incomm.com].

RETENTION OF YOUR PERSONAL DATA

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This will not usually exceed 6 years after the termination of your employment or engagement after which the personal data will be securely destroyed. Under some circumstances we may anonymise your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.

YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA

Under data protection laws in the UK and the EEA, you may have the following rights in relation to your personal data – the specific rights available to you will depend on our reason for processing for personal data:

• Access: You may request confirmation that we hold personal data about you, as well as access to that information. This right relates to the information we hold about you, and not the documents in which your personal data is contained. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
• Rectification: you may request that we update the personal data we hold about you where it is inaccurate or outdated. It is important that the data we hold about you is accurate and current, so please keep us informed if your personal data changes during your application.
• Erasure: You may request the deletion of the information we hold about you in certain situations.
• Restriction: In certain situations, for example where you have contested the accuracy of the personal data we hold about you and we are in the process of verifying the accuracy or the data, you may ask us to restrict the processing of your personal data.
• Portability: You may request the receipt or transmission to another organisation, in a machine-readable format, personal data that you have provided to us in certain situations.
• Objection: Where we process your personal data for the purposes of our legitimate interests, you may object to that processing at any time. Unless we are able to show that we have compelling legitimate interests that override any objection, then we will stop processing that data.
• Withdrawal of consent: if we process your data on the basis of your consent, you may withdraw that consent at any time. We will stop processing that data, however the withdrawal of your consent does not affect any prior processing we undertook,
• Complaint: You may lodge a complaint with your local data protection supervisory authority. The competent authority in the UK is the Information Commissioner’s Office (ICO), whose contact details are available online at www.ico.org.uk. The competent authority in Austria is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), whose contact details are available online at www.data-protection-authority.gv.at. If you are located elsewhere in the EEA, your local data protection supervisory authority can be found on this list of competent authorities (here).

Should you wish to exercise any of these rights, please [contact incommprivacy@incomm.com].
It is helpful to clearly state the purpose of the request to ensure we can action appropriately.

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or take the requested action.

CHANGES TO OUR PRIVACY POLICY

Any changes we may make to our Privacy Policy in the future will be duly notified to you. We will notify you if there are any changes to this Privacy Policy that materially affect how we collect, store or process your personal data. If we would like to use your personal data for different purposes than those we have notified to you at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose. We may process your personal data without your knowledge or consent where required by applicable law or regulation.

CONTACT US

If you have any questions, comments or requests regarding this Privacy Policy or how we use your personal data please contact your HR representative by email to [hr@incomm.com]. Alternatively, we have also appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy, who can be contacted by email at [jquincy@incomm.com].

Where you are not satisfied with the way in which we have handled your personal data, you can also complain to the competent data protection supervision authority. However, we would appreciate the opportunity to resolve your query before you reach out to the supervisory authority, so please contact us in the first instance.

Last updated: February 2024

SCHEDULE: INCOMM COMPANIES

INCOMM EUROPE LIMITED, a company incorporated in England and Wales under registration number 05322244, whose registered office is at Spectrum, 1600 Parkway, Solent Business Park, Whiteley, Fareham, Hampshire PO15 7AH.

INCOMM AUSTRIA, GMBH, a company incorporated in Austria with the company number 322903h, whose registered office is at Ernst-Grein-Straße 5, 5026 Salzburg, Austria.

 

EU and UK – Applicant Privacy Notice

GENERAL

InComm is committed to protecting and respecting the privacy and security of your personal data. This Privacy Policy is provided on behalf of the InComm companies listed in the Schedule and applies to prospective employees of those companies (“Applicants”). References to InComm and “we”, “us”, and “our” in this Privacy Policy refer to the relevant company applicable to your application. If your application is successful, and you commence employment with us, the processing of your personal data as an employee is explained in our Staff Privacy Policy, a copy of which will be provided to you when you commence your employment.

The Privacy Policy describes the categories of personal data that we collect, how we use your personal data, when we disclose your personal data to third parties, and when we transfer your personal data outside of the UK or European Economic Area (“EEA”). This Privacy Policy also describes your rights regarding the personal data that we hold about you and how you can access, correct, and request erasure of your personal data. We will only process your personal data in accordance with this Privacy Policy unless otherwise required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.

COLLECTION AND USE OF PERSONAL DATA

For the purposes of this Privacy Policy, personal data means any information about an identifiable living individual. Personal data excludes anonymous or de-identified data that is not associated with a particular individual. We may collect, store, and process the following categories of personal data, which are required for us to administer our relationship with you:

• details contained in letters of application and resume/CV (including name, titles, addresses, telephone numbers, personal email address);
• date of birth;
• diversity and inclusion information where you volunteer this information (some of which is considered sensitive personal data, such as information about racial or ethnic origin, information about your health, and sexual orientation);
• personal data provided for the purposes of facilitating reasonable adjustments as part of the interview process (which may include data concerning your health conditions and relevant adjustments)
• government identification numbers (including national insurance number, driver/driving license number, or other identification document);
• talent, recruitment and application details;
• education and training details;
• previous employment background and references;
• professional qualifications;
• language and other relevant skills;
• details on performance management;
• ratings;
• personality test results;
• personal data obtained during an interview;
• development plan;
• willingness to relocate;
• visa and passport information and all registered;
• publicly available information;
• data relating to criminal records and credit history to comply with legal requirements (if applicable) and for the purpose of administrative, physical, and technical safeguards implemented to protect the integrity of our business and confidentiality of relevant information (considered sensitive personal data);

We will collect your personal data directly from you (e.g. when you submit your job application, and when you attend an interview). Additionally, we may also collect personal data about you from the following third parties:

• recruitment agencies and recruitment platforms that we work with, or through which you have made your application;
• background check providers, such as the Disclosure and Barring Service in England and Wales;
• credit rating agencies;
• your named employment references; and]
• publicly accessible sources, including professional networking and social media sites (such as LinkedIn).

USE OF PERSONAL DATA

We only process your personal data where applicable law permits or requires it. This includes where the processing is necessary in order to take the steps that are required prior to entering into a contract (such as to communicate with you, and to identify and process your application), or where the processing is necessary to comply with a legal obligation that applies to us (for example, facilitating access requirements and reasonable adjustments). We may also process your personal data for the following legitimate interests:

• to assess your skills, qualities and qualifications in order for us to determine if we can offer you a job with our company;
• to maintain records related to our hiring purposes;
• to carry out background and credit checks;
• to inform you about job openings matching the job profile; and
• to monitor and improve our recruitment processes.

We will only process your personal data for the purposes for which we collected it. If we need to process your personal data for an unrelated purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law or regulation.

You will not be subject to decisions based on automated data processing that have a significant effect on you without your prior consent.

DISCLOSURE OF YOUR PERSONAL DATA TO THIRD PARTIES

We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, IT software providers or other third-party service providers who require such information to assess your application and assist us with taking the steps that are required prior to entering into a contract with you, including third-party service providers who provide services to us or on our behalf.

We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We do not permit our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.

We may also disclose your personal data for the following additional purposes where permitted or required by applicable law:

• to other members of our group of companies for the purposes set out in this Privacy Policy and as necessary to assess your application and assist us with taking the steps that are required prior to entering into a contract with you;
• as part of our regular reporting activities to other members of our group of companies;
• our professional advisors, such as lawyers accountants and auditors, for example, in order to obtain legal advice or as part of our regular auditing and business management practices;
• to the police, regulatory bodies, law enforcement agencies or similar third parties where we are under a legal duty to disclose or share your personal data in order to comply with any legal obligation. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances;
• to any central or local government department and other statutory or public bodies (such as HMRC, DWP) to comply with applicable law;
• to protect the rights and property of InComm;
• during emergency situations or where necessary to protect the safety of persons;
• where the personal data is publicly available;
• if a business transfer or change in ownership occurs; and
• for additional purposes with your consent where such consent is required by law.

RETENTION OF YOUR PERSONAL DATA

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This will not exceed 1 year after the submission of your personal data, unless we need to retain the personal data for longer in order to establish, exercise or defend our legal rights (e.g. where there is a dispute about your application). If you apply for another role within that initial year your data will be retained for a further year from the date of your latest application. Under some circumstances we may anonymise your personal data so that it can no longer be associated with you. Where we do this, the data will no longer be considered ‘personal data’ and we will not notify you or seek your consent to use this information.

DATA SECURITY

All information you provide to us is stored on our secure servers. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration or disclosure. In addition, we limit access to personal data to those employees, agents, contractors and other third parties that have a legitimate business need for such access.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

The data that we hold about you may be transferred to, accessed from, or stored at, a destination outside the UK or the EEA, including the United States or Canada. It may also be processed by staff operating outside the UK or the EEA who work for us or for one of our suppliers. Such staff may be engaged to, among other things, administer the recruitment process with you, including data held on our HR recruitment system (ICIMS) with our corporate HR team and other relevant persons within InComm and any third party suppliers as appropriate and relevant to the provision of support services.

Where your personal data is transferred to, or accessed from, a country or territory outside the UK or the EEA, we ensure that appropriate safeguards are in place to ensure that your personal data continues to be protected to the standards set out in this Privacy Policy. If the country or territory has not been subject to a formal finding of adequacy by the relevant authority in the exporting country, then this may include a formal transfer mechanism such as the UK International Data Transfer Agreement or Addendum, or the European Commission’s standard contractual clauses. In certain circumstances, for example, where it is necessary for us to transfer your personal data to another jurisdiction to defend a legal claim, then we may rely on a derogation that exempts us from putting in place such a mechanism. If you wish to receive further details of the measures we have in place for these transfers, please [contact incommprivacy@incomm.com].

YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA

Under data protection laws in the UK and the EEA, you may have the following rights in relation to your personal data – the specific rights available to you will depend on our reason for processing for personal data:

• Access: You may request confirmation that we hold personal data about you, as well as access to that information. This right relates to the information we hold about you, and not the documents in which your personal data is contained. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
• Rectification: you may request that we update the personal data we hold about you where it is inaccurate or outdated. It is important that the data we hold about you is accurate and current, so please keep us informed if your personal data changes during your application.
• Erasure: You may request the deletion of the information we hold about you in certain situations.
• Restriction: In certain situations, for example where you have contested the accuracy of the personal data we hold about you and we are in the process of verifying the accuracy or the data, you may ask us to restrict the processing of your personal data.
• Portability: You may request the receipt or transmission to another organisation, in a machine-readable format, personal data that you have provided to us in certain situations.
• Objection: Where we process your personal data for the purposes of our legitimate interests, you may object to that processing at any time. Unless we are able to show that we have compelling legitimate interests that override any objection, we will stop processing that data.
• Withdrawal of consent: if we process your data on the basis of your consent, you may withdraw that consent at any time. We will stop processing that data, however the withdrawal of your consent does not affect any prior processing we undertook.
• Complaint: You may lodge a complaint with your local data protection supervisory authority. The competent authority in the UK is the Information Commissioner’s Office (ICO), whose contact details are available online at www.ico.org.uk. The competent authority in Austria is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), whose contact details are available online at www.data-protection-authority.gv.at. If you are located elsewhere in the EEA, your local data protection supervisory authority can be found on this list of competent authorities (here).

Should you wish to exercise any of these rights, please contact incommprivacy@incomm.com.

We may request specific information from you to help us confirm your identity, and to provide you with the personal data that we hold about you or take the requested action.

CONTACT US

If you have any questions, comments or requests regarding this Privacy Policy or how we use your personal data please contact your recruitment liaison at InComm. To contact us please email incommprivacy@incomm.com or contact HR on hr@incomm.com . Alternatively, we have also appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy, who can be contacted by email at [jquincy@incomm.com].

Where you are not satisfied with the way in which we have handled your personal data, you can also complain to the competent data protection supervision authority. However, we would appreciate the opportunity to resolve your query before you reach out to the supervisory authority, so please contact us in the first instance.

Last updated: February 2024

SCHEDULE: INCOMM COMPANIES

INCOMM EUROPE LIMITED, a company incorporated in England and Wales under registration number 05322244, whose registered office is at Spectrum, 1600 Parkway, Solent Business Park, Whiteley, Fareham, Hampshire PO15 7AH.

INCOMM AUSTRIA, GMBH, a company incorporated in Austria with the company number 322903h, whose registered office is at Ernst-Grein-Straße 5, 5026 Salzburg, Austria.