Data Privacy Notice – Futur3 You Limited (trading as Employee Health)
Last Updated: 03/09/2020
Data Controller: Richard Turner
Reviewed By: Richard Turner
NOTIFICATION TO CLIENT DATA SUBJECTS TO SATISFY ART. 13/14
1. Data protection under the EU General Data Protection Regulation (EU GDPR)
The EU GDPR aims to harmonise data protection law across EU Member States and introduce higher data protection standards, as well as transparency of personal data collection and processing for our clients.
Futur3 You Limited (trading as Employee Health) takes your privacy seriously. This privacy notice contains general information on what personal data we collect, what is done with this information, and what rights you have.
‘Personal data’ is any information that relates to an identified or identifiable natural person (rather than to a legal entity, such as a company).
As part of our commitment to protect your personal data in a transparent manner, we want to inform you:
• why and how Employee Health collects, uses, and stores your personal data
• the basis on which your personal data is processed; and
• what your rights and our obligations are in relation to such processing
2. What types of personal data do we collect?
Depending on the service provided, Employee Health (“we”, “our”, or “us”) will collect and process personal data about you including:
• personal details such as:
o date of birth
o Know Your Client (KYC) documents (e.g. copy of a passport or driving licence)
o phone number
o next of kin
• special category data:
o racial or ethnic origin
o medical history
o sensitive information
• any records of communications (phone calls, emails, etc) between you and us;
• identifiers we assign to you, such as your client number, including for accounting purposes;
3. For which purposes do we process personal data?
3.1 Legal basis for processing
Depending on the purpose of the processing activity, the processing of your personal data will be one of the following:
(i) necessary for the legitimate interests of Employee Health, without unduly affecting your interests or fundamental rights and freedoms
(ii) necessary for taking steps to enter into or executing a contract with you for the services you require (based on our discussions), or for carrying out our obligations under such a contract
(iii) required to meet our legal or regulatory responsibilities, including when we conduct checks and make disclosures to authorities and government bodies
(iv) when we use special categories of personal data, necessary for establishing, exercising or defending legal claims or where the processing relates to personal data manifestly in the public domain; and
(v) in limited circumstances, processed with your consent which we obtain from you from time to time (for instance where required by laws other than the EU GDPR), or processed with your explicit consent in the case of special categories of personal data such as your medical information.
Examples for the ‘legitimate interests’ referred to above are:
• meeting our accountability and regulatory requirements
This applies in such cases provided that such interests are not overridden by your privacy interests.
Where the personal data we collect from you is needed to meet our legal or regulatory obligations or to enter into an agreement with you, in the event that we cannot collect this personal data, there is a possibility we may not be able to on-board you as a client. In such instances, we will inform you accordingly.
3.2 Purpose of processing
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.
In particular, we process personal data for the following purposes:
a) client on-boarding processes, including verification of your identity and other regulatory compliance checks (e.g. to comply with anti-money laundering regulations, and to prevent fraud);
b) providing services to you and ensuring their proper execution, for instance by ensuring that we can identify you and invoice you correctly;
c) managing our relationship with you, including communicating with you in relation to the services you obtain from us and from our business partners, and handling client service-related queries and complaints;
d) helping us to learn more about you as a client, the services we provide to you and any other services you may be interested in receiving, including profiling based on the processing of your personal data, for instance by looking at the types of services you use from us, how you like to be contacted and so on;
e) taking steps to improve our services and our use of technology and upgrading of systems and processes, and conducting market research to understand how to improve our existing services or learn about other products or services we can provide;
f) contacting you for direct marketing purposes about products or services we think will be of interest to you, including those offered by us, and our business partners, and facilitating competitions and promotions;
g) meeting our on-going regulatory and compliance obligations (e.g. anti-money laundering and tax laws), including in relation to recording and monitoring communications, disclosures to tax authorities, other regulatory bodies, and government bodies;
h) ensuring the safety of our clients, employees and other stakeholders;
i) any other purposes we notify you of from time to time.
4. Who has access to personal data and with whom is the data shared?
4.1 Within Employee Health
As and when necessary and in order to supply services, personal information may be shared within the business to ensure high client service standards and to provide services to you.
4.2 Service Provider Partners
In some instances, we also share personal information with our service providers, including our business partners who provide services on our behalf. When we do so we take steps to ensure they meet our data security standards, so that your personal data remains secure and is used only for the purpose it is intended.
4.4 Public or regulatory authorities
If required to do so, from time to time, we disclose personal data to public authorities, regulators or government bodies, including when required by law or regulation, under a code of practice, or when the authorities require us to do so.
• If our business is sold to another organisation or it is re-organised, personal data will be shared so that you can continue to receive services.
• Should you exercise your right to data portability, we will usually disclose your personal data to an intermediary that facilitates data portability in accordance with applicable laws and regulations.
• We will disclose personal data where we are required to exercise or protect legal rights, including ours and those of our employees and other stakeholders, or in response to requests from representatives acting on your behalf.
5. International transfers of personal data
The recipients referred to in section 4 above can be located outside the European Economic Area (EEA). In those cases, except where the relevant country has been determined by the European Commission to provide an adequate level of protection, Futur3 You requires such recipients to comply with appropriate measures designed to protect personal data contained within a binding legal agreement.
6. How long do we store your data?
We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements. To help us do this, we apply criteria to determine the appropriate periods for retaining your personal data depending on its purpose, such as providing services and relationship management, and responding to legal claims or regulatory requests.
In general, Employee Health will retain personal data for the period of your contact with us plus 6 years, reflecting the length of time for which legal claims may be made following termination of such relationships or contacts.
7. Your rights as a Data Subject
You have a right to ask Employee Health to rectify inaccurate personal data we collect and process and the right to request restriction of your personal data pending such a request being considered.
Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. Please also note that the withdrawal of consent shall not affect the lawfulness of processing based on the consent before it is withdrawn.
You have a right to ask us to stop processing your personal data or to request deletion of your personal data (commonly known as the ‘right to be forgotten’). Such rights are not absolute under the EU GDPR (as sometimes there may be overriding interests that require the processing to continue or for data to be retained, such as anti-money laundering regulations), but we will consider your request and respond to you with the outcome. When personal data is processed for direct marketing purposes, your right to object extends to direct marketing, including profiling to the extent it is related to such marketing. You may object to direct marketing by clicking the “unsubscribe” link in any of our emails to you, or by emailing our Data Controller at any time.
Where we process your personal data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, you have the right to request your data to be transferred to you or to another controller (under EU GDPR this is referred to as the ‘data portability’ right).
You also have the right to ask Futur3 You for a copy of some or all of the personal data we collect and process about you.
You can exercise the rights set out above using the details in section 8 of this notice.
8. Exercising your rights, and complaints
If you are not satisfied with any aspect of the processing of your personal data by Employee Health, we would like to discuss this with you to understand how we can rectify the issue. If you would like to speak to us about our use of your personal data, you can do this:
• by contacting the data protection officer, Richard Turner, by email (email@example.com)
If you are not satisfied with our response, you have the right to make a complaint to the Information Commissioner's Office (https://ico.org.uk).
9. Data Security Note
We have appropriate technical and process measures in place to prevent unauthorised or unlawful access to the personal data you have provided. As complete data security cannot be guaranteed for communications via emails, instant messages, or similar means of communication, we would recommend sending any particularly confidential information via an alternative secure means.
10. Changes to personal data
We are committed to keeping your personal data accurate and up to date. Therefore, if your personal data changes, please inform us of the change as soon as possible.
11. Status of this privacy notice
This privacy notice was updated in September 2020. It is a notice which explains what Employee Health does, rather than a document that binds Employee Health or any other party contractually. We reserve the right to amend it from time to time. If the notice has been updated, we will take steps to inform you of the updates by appropriate means, depending on how we normally communicate with you.