For Colleagues, Workers and Contractors
2.0 Data Protection Principles
3.0 The Kind of Information We Hold About You
4.0 How is Your Personal Information Collected?
5.0 How We Will Use Information About You
6.0 Situations in Which We Will Use Your Personal Information
7.0 If You Fail To Provide Personal Information
8.0 Change of Purpose
9.0 How We Use Particularly Sensitive Personal Information
10.0 Our Obligations As An Employer
11.0 Do We Need Your Consent?
12.0 Information About Criminal Convictions
13.0 Automated Decision-Making
14.0 Data Sharing
15.0 How Secure is My Information With Third-Party Service Providers?
16.0 When Might You Share My Personal Information With Other Entities In The DFS Group?
17.0 What About Other Third Parties?
18.0 Transferring Information Outside the EU
19.0 Data Security
20.0 How Do We Store Your Data?
21.0 Rights of Access, Correction, Erasure, and Restriction
22.0 Your Interests
23.0 Data Retention
24.0 Legal Obligations
25.0 Changes To This Privacy Notice
26.0 Contact Us
Sofology Limited takes the privacy of its Sofologists very seriously and the security of your personal information is extremely important to us.
This way of working sets out what information we collect about you, and how it will be used and stored by us when you apply for a role at Sofology, accept a role at Sofology, become a Sofologist and if you choose to leave Sofology.
When we say ‘we’, ‘our’, ‘us’ or ‘Sofology’ in this way of working we are referring to Sofology Limited, and our Registered Office is at Golborne Point, Ashton Road, Golborne, WA3 3UL. Registered number 1778734 (England and Wales).
For the purpose of the General Data Protection Regulation (EU 2016/679), we are a data controller in respect of the personal data of all colleagues, workers and contractors (“colleagues”). This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to current and former colleagues, workers and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information. We have included detail in relation to different scenarios later on in this document.
2.0 Data Protection Principles
We will comply with data protection law. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
3.0 How We Will Use Information About You
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
1. Where we need to perform the contract we have entered into with you.
2. Where we need to comply with a legal obligation.
3. Where it is necessary for our legitimate interests. Legitimate interests means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights or interests in doing so. This means that when you provide your personal details we use your information for our legitimate business interests to ensure we can provide you with the best service possible and help us ensure you only receive relevant information from us. We will process the personal information you have supplied to us to conduct and manage our business to enable us to give you the most appropriate marketing, information, service and products and provide the best and most secure experience.
However, before doing this, we will also carefully consider and balance any potential impact on you and your rights. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
We may also use your personal information in the following situations, which are likely to be rare:
1. Where we need to protect your interests (or someone else’s interests).
2. Where it is needed in the public interest (or for official purposes).
4.0 The Kind of Information We Hold About You
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are special categories of more sensitive personal data which require a higher level of protection and justification for processing, such as information about a person’s health or sexual orientation.
We may collect, store and use special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Marital status and dependants.
- Next of kin and emergency contact information.
- National Insurance number.
- Bank account details, payroll records and tax status information.
- Salary, annual leave, pension and benefits information.
- Start date and, if different, the date of your continuous employment.
- Leaving date and your reason for leaving.
- Location of employment or workplace.
- Copy of passport.
- Copy of driving licence.
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
- Employment records (including job titles, work history, working hours, holidays, training records and professional memberships).
- Compensation history.
- Performance information.
- Disciplinary and grievance information.
- CCTV footage, telephone recordings and other information obtained through electronic means such as swipe card records.
- Information about your use of our information and communications systems.
- Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied.
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your health, including any medical condition, health and sickness records, including:
- where you leave employment and under any share plan operated by a group company, the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision;
- details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; and
- where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes.
- Information about criminal convictions and/or offences, in particular, motoring offences where you have the use of a company car or are required to drive as part of your job.
- Information about any attachment of earnings order made against you.
- Information about any testing for prohibited substances conducted during employment or prior to an offer of employment being made.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance. We need to process this information to exercise rights and perform obligations in connection with your employment.
- If you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, we will use information about your physical or mental health, or disability status in reaching a decision about your entitlements under the share plan.
- If you apply for an ill-health pension under a pension arrangement operated by a group company, we will use information about your physical or mental health in reaching a decision about your entitlement.
- We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- We will use trade union membership information to pay trade union premiums, register the status of a protected colleague and to comply with employment law obligations.
- We will use information relating to driving offences to ensure you are able to perform your job lawfully and to comply with the terms of our fleet insurance policy.
- We will use information relating to attachment of earnings orders to comply with our legal obligations under such orders.
5.0 How is Your Personal Information Collected?
We collect personal information (including sensitive personal information) about colleagues, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
We may also collect personal information from the trustees or managers of pension arrangements operated by a group company.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
6.0 Situations in Which We Will Use Your Personal Information
The situations in which we will process your personal information are listed below:
Making a decision about your recruitment or appointment:
Sofology use a variety of methods to find the right candidate for all job roles. You can apply directly to Sofology for any advertised roles that you feel are suitable for you. When you apply directly with Sofology, we will request that you complete an online application via our careers site. This application will then be used internally and may lead to an invite to interview for a role. This application will be stored securely at all times and may be shared with DFS Group Companies, if they have vacancies we think you may be suitable for. The information you provide to us will only be used for the purposes of matching you to current vacancies and we will store this for 12 months.
Sofology uses Tribepad, which is an Applicant Tracking System (ATS) and has been carefully selected to help the Sofology Talent team and Line Managers to effectively manage applications and the candidate experience. When you submit your application via the Sofology careers site, you are consenting to Sofology using the information you provide in order to consider you for a role within Sofology. The information that we collect about you will be used only for the purpose of matching you to a vacancy within Sofology or DFS Group Companies. If you are offered a role within Sofology, your details will then be retained on Tribepad. Once you have submitted your application, the Sofology Talent team will contact you.
In some cases, Sofology will advertise vacancies on job board websites; however, when applying for an advertised role via these job boards you will always be redirected to the Sofology Careers site to complete your application.
If your application is considered suitable, your application details will be shared internally with the Line Manager responsible for recruiting that vacancy.
Sofology have a ‘Recommend a Friend’ scheme. If a candidate recommends a role to a friend and they are offered and accept that role, the current Sofologist is entitled to an agreed payment. When the candidate completes their application, they must enter details for their ‘friend’. The information provided is only used to track the application and to make a payment if required. This will be retained for three months after your final payment for the purpose of query resolution.
If you are invited for an interview with Sofology:
Once you have been invited for an interview a decision will be made as to your suitability for the role. If you are accepted for the role, the Sofology Talent team will contact you to make you aware of this and they will send out a formal offer letter.
If you are not accepted for the role, your details will be stored for 6 months and if an alternative role becomes available we will contact you to discuss this.
If you accept a role at Sofology:
On your application form, we request you provide us with the details of two referees. Once you have accepted the role, we will contact these individuals for references. Employment may be terminated if we fail to gain receipt of satisfactory references.
Every successful applicant is required to complete a Basic Criminal Records (BCR) check. Your information will be shared with GBG group who are the providers used to complete BCR checks. Once this check is completed, we will not carry out any further BCR checks while you are in the employment of Sofology unless we make you aware of this. The information will be held on our systems for the duration of your employment and for six years after you have left the company.
You will also be added to the Sofology Learning Management System (LMS). This LMS system will record details of all courses attended and modules completed. You will have access to this system once you start employment with Sofology.
When you start work at Sofology:
When you start to work at Sofology, your details on Tribepad will be transferred onto our People Platform, ‘Cascade’. This platform will store all personal information that you provide to us. You will be provided with a login for this system and it is your responsibility to ensure that the contact details, home address, bank details and next of kin information are correct and kept up to date. We do this so that we can provide our contractual requirements to you, which may include sharing some personal information with our payroll team to ensure that you receive your salary.
Sofology will store on Cascade records of performance reviews, internal Sofologists transfers, welcome back forms and any disciplinary and grievance action. It may be necessary in some instances to share personal information about you with insurers if a claim has been made, or solicitors if legal advice is required.
If, as part of your employment contract, you are eligible for a company car, your personal details including name, address, contact details, and driving licence number will be shared with Hitachi. Hitachi are the selected third party Sofology use to manage their company car fleet. Further information as to how Hitachi use your personal information can be found in their privacy statement that is available on request. They will store this information securely on their systems and will delete it twelve months after resignation for tax accounting purposes. They will be made aware of any road traffic penalties, parking fines and criminal records.
In addition, if it is part of your employment contract, Sofology will share your information with a number of third parties who work with our insurers or benefit providers who will write to you about Healthcare cover you may be entitled to. They will keep this information on their records for the duration of your cover and for seven years after your employment with Sofology has ended. They will only ever contact you concerning the benefits you are entitled to as a Sofologist. This information will be deleted on resignation.
If you are unable to work due to long-term health problems or illness, we may pass your personal information to our Occupational Health provider, Acorn Healthcare. We will only do this after discussions with yourself and if you consent to us doing this.
At Sofology, we take the Health and Safety of all Sofologists very seriously. In some business areas, we will complete random drug and alcohol testing. This will be to ensure the vital interest of you and other Sofologists. These tests are completed by a third party called Randox who will share the results of the test with us via a secure portal. Once the tests have been shared, this information will be retained for ten years for insurance purposes.
During the employment contract we will use your personal data for the following purposes:
- Determining the terms on which you work for us.
- Checking you are legally entitled to work in the UK.
- Paying you and, if you are a colleague or deemed colleague for tax purposes, deducting tax and National Insurance contributions (NICs).
- Providing benefits to you including: Westfield Health Cash Plan, Sofology Rewards (incl. Cycle to Work, Childcare Vouchers and SmartTech), Sharesave scheme, BUPA, Scottish Widows and Peoples Pension and Met Life for the purposes of our life assurance benefit. Personal details are provided to these third party suppliers in order for Sofology to be able to apply company benefits and provide our contractual requirements to you.
- Inviting you to participate in any share plans operated by a group company.
- Granting awards under any share plans operated by a group company with third party administrators, nominees, registrars and trustees for the purposes of administering the share plans.
- We may have to share your data with third parties, including third-party service providers and other entities in the DFS Group of companies. We will share your personal information where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
- We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
- We will share personal data relating to your participation in any share plans and pension arrangements operated by a group company with other entities in the group for the purposes of administering the share plans.
- We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to stock exchange regulators (including a Regulatory News Service) and disclosures to shareholders such as directors’ remuneration reporting requirements.
- Administering your participation in any share plans operated by a group company, including communicating with you about your participation and collecting any tax and NICs due on any share awards.
- Enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties.
- Liaising with the trustees or managers of a pension arrangement operated by a group company, your pension provider and any other provider of colleague benefits.
- Administering the contract we have entered into with you.
- Business management and planning, including accounting and auditing.
- Conducting performance reviews, managing performance and determining performance requirements.
- To provide the most appropriate marketing, information, service and products including the following:
Workplace: Sofology use Workplace (by Facebook) as a company-wide communication and engagement tool. All Sofologists are issued with a Sofology company email address and are therefore able to set up accounts. If any Sofologist is without a company email address they need to contact IT Support who will set this up at [email protected]. Sofology do not pass any information to Workplace without a Sofologist’s consent. A Sofologist can close their account at any time.
Sofology Rewards: All Sofologists are enrolled onto the platform and encouraged to register their account to give them access to Sofologist benefits. To do this, Sofology are required to share personal information including name, date of birth and colleague number so that Reward Gateway, who run the scheme, are able to verify that an individual is a colleague of Sofology and the Rewards scheme is available to them. They store this for the duration of your employment with Sofology; once you leave the business your records will be destroyed immediately.
Expenses: Sometimes at Sofology it will be necessary for you to claim back expenses. Each relevant Sofologist is set up with an account on our Expenses system operated by Concur. Your name, address, and bank account details are passed to a member of our Finance team in order for them to set up your account. Once in place it is your responsibility to keep this information up to date. This information is stored on the Concur system for the duration of your employment at which point your account will be deleted.
Happiness Index Colleague Opinion Survey: Sofology participate annually in a colleague opinion survey with a third party company called Happiness Index. Contact details, such as name and company email address, will be shared with them to enable them to contact you and ask you to complete the survey. This information is deleted after the survey results have been completed by the process of anonymisation.
Best Companies Surveys: Sofology participates annually in the Best Companies Survey. Contact details will be shared with them to enable them to contact you and ask you to complete the survey. This information is deleted after the survey results have been completed by the process of anonymisation.
Shopworks: Sofology uses a time and attendance system that is utilised within Sofology stores and depots. All biometric readers within the estate currently use facial recognition or fingerprint technology to record hours of work, which is in turn processed via the Shopworks Platform to produce an output file for Payroll hours. If a Sofologist leaves, on Shopworks their data will no longer be displayed in rotas; however, their historic records are retained on the system. After 7 years the data is anonymised. This anonymisation means that the data is no longer classified as Personal Information and is therefore GDPR compliant.
Equiniti: provides a shareholder portal to allow colleagues to manage shareholdings.
- Making decisions about salary reviews and compensation.
- Assessing qualifications for a particular job or task, including decisions about promotions.
- Gathering evidence for possible grievance or disciplinary hearings.
- Making decisions about your continued employment or engagement.
- Making arrangements for the termination of our working relationship.
- Education, training and development requirements.
- Dealing with legal disputes involving you, or other colleagues, workers and contractors, including accidents at work.
- Ascertaining your fitness to work.
- Managing sickness absence.
- Complying with health and safety obligations.
- To prevent fraud.
- To monitor your use of our information and communication systems to ensure compliance with our IT policies.
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- To conduct data analytics studies to review and better understand Colleague retention and attrition rates.
- Equal opportunities monitoring.
- And any other purpose to fulfil our contractual obligations to you as a colleague.
7.0 If You Fail to Provide Personal Information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our colleagues).
8.0 Change of Purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
9.0 Information about Criminal Convictions
We do not envisage that we will hold information about criminal convictions save in relation to motoring offences.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.
10.0 Automated Decision-Making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.
11.0 Data Security
We have put in place measures to protect the security of your information. Details of these measures are available upon request and in our information security policy.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those colleagues, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
12.0 How Do We Store Your Data?
Where we have given you (or where you have chosen) a password which enables you to access certain Sofologist benefits, you are responsible for keeping this password confidential. We ask you not to share passwords with anyone.
In accordance with the General Data Protection Regulation (EU 2016/679), we employ strict physical, electronic and administrative security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage both on-line and off-line. The transmission of information via the internet is, however, not secure and therefore we cannot guarantee the security of data sent to us electronically by you. Any transmission of such data is therefore entirely at your own risk. If you have any questions relating to security of your data, please contact us using the details set out in the Contact Us section.
13.0 Your Duty to Inform us of Changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
14.0 Your Rights in Connection with Personal Information
The GDPR gives you the right to:
- Access information that we hold about you. If you wish to exercise your right of access, you must submit a written request and provide proof of your identity before we supply the information to you.
- Ask us to prevent processing that is causing - or is likely to cause - you substantial damage or distress;
- Require us not to make certain decisions automatically if they significantly affect you;
- Ask us to make any necessary changes to the personal data we hold about you in order to ensure that it is accurate and up to date;
- Ask us to have your personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
We may refuse to comply with a request for erasure when personal data is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact [email protected]
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
15.0 Data Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a colleague, worker or contractor of the company we will retain and securely destroy your personal information in accordance with applicable laws and regulations.
16.0 Legal Obligations
You should be aware that if we are requested by the police or any other regulatory or government authority investigating suspected illegal activities to provide your personal information, we may be obliged to do so.
Where we sell part or all of our business to a third party, we may disclose your personal data to the prospective or actual seller or buyer of such business or assets.
We may also disclose your personal data where we are legally required to do so, in order to enforce or apply our terms and conditions or other agreements, or to protect our rights, property, or safety or those of our Sofologists, customers or other third parties.
17.0 Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will publish an updated version on the People Site. We may also notify you in other ways from time to time about the processing of your personal information.
18.0 Contact Us
If you have any questions or are concerned with how Sofology processes your personal information please do not hesitate to contact the Sofology People Team at [email protected].
If you are unhappy with how we are processing your personal information, you have the right to refer the complaint to the regulator, the Information Commissioner's Office. You can do this by visiting their website or contacting them at 0303 123 1113.
Last reviewed on 10th February 2020.