Like most businesses, we hold and process a wide range of information, some of which relates to individuals who work for us. This Privacy Notice explains the type of information we process, why we are processing it and how that processing may affect you.
This Privacy Notice focuses on individuals who work for us, whether they are employees or freelancers/contractors. It also covers information on those who apply to work for us, and former employees.
This Privacy Notice comprises this document (the Core Notice) and the Supplementary Information in the Annex to this document.
The Supplementary Information section contains a Glossary, in which we explain what we mean by “personal data”, “processing”, “sensitive personal data” and other terms used in this Privacy Notice.
In brief, this Privacy Notice explains:
We hold various types of data about the individuals who work for us, including their personal details, information about the work they do for us, their salary and other contractual terms, and so on. Further examples of the types of data we hold are given in the Supplementary Information.
We process this data for the purposes of our business, including management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes.
Under data protection law, there are various grounds on which we can rely when processing your personal data. In some contexts, more than one ground applies. We have summarised these grounds as Contract, Legal Obligation, Legitimate Interests and Consent, and you can find further information on each in the Supplementary Information. See Legal grounds for processing personal data.
Some of the personal data that we process about you comes from you. For example, you tell us your contact and banking details.
Other personal data about you is generated in the course of your work, for example, from your managers, colleagues and customers or others outside our organisation with whom you deal.
Your personal data will be seen internally by managers, HR and, in some circumstances, where appropriate, other colleagues. We may also pass your data outside the organisation, for example to people you are dealing with (e.g clients of third-party suppliers), to our group payroll service, employee benefits insurers and our group qualifying pension provider.
We do not keep your personal data for any specific period, but we will not keep it for longer than is necessary for our purposes. In general, we will keep your personal data for the duration of your employment and for a period afterwards in compliance with applicable law.
See Retaining your personal data – more information in the Supplementary Information.
We may transfer your personal data outside the EEA to members of our group and processors in the United States.
Further information on these transfers and the measures taken to safeguard your personal data are set out in the Supplementary Information under Transfers of personal data outside the EEA – more information.
You have a right to make a subject access request to receive information about the personal data that we process about you. Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your data.
In processing your personal data, we act as a “data controller”. Our contact details are as follows:
CPM Field Marketing
47 Aylesbury Road, Thame, Oxon, OX9 3PG
The contact details of the CPM Group Data Compliance & Privacy Officer are as follows:
This Privacy Notice does not form part of your contract of employment and does not create contractual rights or obligations. It may be amended by us at any time.
“Personal data” is information relating to you (or from which you may be identified) which is processed by automatic means or which is (or is intended to be) part of a structured manual filing system. It includes not only facts about you, but also intentions and opinions about you.
Personal data “processed automatically” includes information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building, data on use of vehicles and sound and image data such as CCTV or photographs.
“Processing” means doing anything with the data. For example, it includes collecting it, holding it, disclosing it and deleting it.
“Sensitive personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data. These types of data are subject to special protection under the law.
References in the Privacy Notice to “employment”, “work” and similar expressions include any arrangement under which an individual works for us or provides services to us. This includes individuals who are our employees and also those who provide services under a freelance or independent contractor arrangement. Similarly, when we mention an “employment contract”, this should be taken to include any contract with an employee, a freelancer or a contractor; and when we refer to ending your “employment”, that includes terminating a freelance engagement or a contract for services.
We use the word “you” to refer to anyone within the scope of this Privacy Notice.
What are the grounds for processing?
Under data protection law, there are various grounds on which we can rely when processing your personal data. In some contexts, more than one ground applies. We have summarised these grounds as Contract, Legal obligation, Legitimate Interests and Consent and outline what those terms mean in the following table.
|Term||Ground for processing||Explanation|
|Contract||Processing necessary for performance of a contract with you or to take steps at your request to enter a contract||This covers carrying out our contractual duties and exercising our contractual rights.|
|Legal obligation||Processing necessary to comply with our legal obligations||Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination|
|Legitimate Interests||Processing necessary for our or a third party’s legitimate interests||We (and third parties) have legitimate interests in carrying out, managing and administering our respective businesses. Part of managing a business will involve the processing of your personal data.
Your data will not be processed if, in processing your data, your interests, rights and freedoms related to the data override the business’ interests in processing the data for business purposes.
|Consent||You have given specific consent to processing your data||In general processing of your data in connection with employment is not conditional on your consent. But there may be occasions where we do specific things such as provide a reference, deduct union dues or obtain medical reports and rely on your consent to do so.|
If we process sensitive personal data about you, as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing sensitive personal data applies. In outline, these include:
The purposes for which we process your personal data, examples of the personal data that may be processed, and the grounds on which we process it, are set out in the table below.
The examples in the table cannot, of course, be exhaustive. For example, although the table does not mention personal data relating to criminal offences, if we were to find out that someone working for us was suspected of committing a criminal offence, we might process that information if relevant for our purposes.
|Purpose||Examples of personal data that may be processed||Grounds for processing|
|Recruitment||Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks and any information connected with your right to work in the Spain. If relevant, we may also process information concerning your health, any disability and in connection with any adjustments to working arrangements.||Contract
|Your employment contract including entering into it, performing it and changing it.||Information on your terms of employment from time to time including your pay and benefits, such as your participation in pension arrangements, life and medical insurance; and any bonus or share schemes.||Contract
|Contacting you or others on your behalf||Your address and phone number, emergency contact information and information on your next of kin||Contract
|Payroll administration and other financial benefits (including life assurance)||Information on your bank account, pension contributions and on tax and national insurance
Information on attendance, holiday and other leave and sickness absence
|Supporting and managing your work and performance and any health concerns||Information connected with your work, anything you do at work and your performance including records of documents and emails created by or relating to you and information on your use of our systems including computers, laptops or other device.
Management information regarding you including notes of meetings and appraisal records.
Information relating to your compliance with our policies.
Information concerning disciplinary allegations, investigations and processes and relating to grievances in which you are or may be directly or indirectly involved.
Information concerning your health, including self-certification forms, fit notes and medical and occupational health reports.
|Changing or ending your working arrangements||Information connected with anything that may affect your continuing employment or the terms on which you work including any proposal to promote you, to change your pay or benefits, to change your working arrangements or to end your employment.||Contract
|Physical and system security||CCTV images.
Records of use of swipe and similar entry cards.
Records of your use of our systems including computers, phones and other devices and passwords.
|Providing references in connection with your finding new employment||Information on your work for us and on your performance.||Consent
|Providing information to third parties in connection with transactions that we contemplate or carry out||Information on your contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer.||Legitimate interests|
|Monitoring of diversity and equal opportunities||Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age.||Legitimate interests|
|Monitoring and investigating compliance with policies and rules – both generally and specifically||We expect our employees to comply with our policies and rules and may monitor our systems to check compliance (e.g. rules on accessing pornography at work). We may also have specific concerns about compliance and check system and other data to look into those concerns (e.g. log in records, records of usage and emails and documents, CCTV images).||Legitimate interests|
|Disputes and legal proceedings||Any information relevant or potentially relevant to a dispute or legal proceeding affecting us.||Legitimate interests
|Day to day business operations including marketing and client relations||Information relating to the work you do for us, your role and contact details including relations with current or potential clients. This may include a picture of you for internal or external use or where we use a contact app such as Names & Faces.||Legitimate interests|
|Maintaining appropriate business records during and after your employment||Information relating to your work, anything you do at work and your performance relevant to such records.||Contract
|Operation of active directory/authentication||Information on your name, job title, managers, contact details, and other information from time to time.||Legitimate interests|
|IT technical support, back up and disaster recovery||Any information required to notify you of and/or to resolve the technical difficulty experienced.||Legitimate interests|
|Back office services, including staff passes, mailroom, catering, cashless vending, and reception||Information including your name, job title, work location, contact details, and other information from time to time.||Legitimate interests|
Your personal data may be disclosed to your managers, HR and administrators for employment, administrative and management purposes as mentioned in this document. We may also disclose this to other members of our group and to Omnicom for the same purposes.
We will only disclose your personal data outside our group if disclosure is consistent with one or more of our legal grounds for processing and if doing so is lawful and fair to you.
We may disclose your personal data if it is necessary for our legitimate interests as an organisation or the interests of a third party, such as when we provide you employment benefits we may need to use a third party to provide these which will involve disclosing your personal data to them (but we will not do this if these interests are over-ridden by your interests and rights in particular to privacy).
We may also disclose your personal data outside the group:
Specific circumstances in which your personal data may be disclosed include:
Although there is no specific period for which we will keep your personal data, we will not keep it for longer than is necessary for the purposes described in this Privacy Notice.
In general, we will keep your personal data for the duration of your employment and for a period afterwards, in compliance with applicable law. In considering how long to keep it, we will take into account its relevance to our business and your employment.
If your personal data is only useful for a short period (for example, CCTV footage or a record of a holiday request), we may delete it.
Personal data relating to job applicants (other than the person who is successful) will be deleted in compliance with applicable law.
In connection with our business and for employment, administrative, management and legal purposes, we may transfer your personal data outside the EEA to members of our group and processors in the United States. We will ensure that the transfer is lawful and that there are appropriate security arrangements.
Although there is no decision by the European Commission that the United States provides an adequate level of protection, we are drafting and will enter into an agreement ensuring appropriate and suitable safeguards with our group members in and processors in the United States. These will be on standard terms adopted by the Information Commissioner and approved by the Commission.
We try to be as open as we reasonably can about personal data that we process. If you would like specific information about your data, just ask us.
You also have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:
If you make a subject access request and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
As well as your subject access right, you may have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. If you have provided us with data about yourself (for example your address or bank details), and the ground for processing is Consent or Contract, you have the right to be given the personal data in machine readable format for transmitting to another data controller.
If we have relied on consent as a ground for processing, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.
If you choose to exercise your right to make a “subject access request”, we encourage you to do so by completing a webform at the following link: https://privacyportal-eu.onetrust.com/webform/12e0cd13-1eac-4cbd-8fbd-8e3ed7bc5769/b173013c-2df0-4ab8-b31e-5151ffe27a1a
If you have complaints relating to our processing of your personal data, you should raise these with HR in the first instance. You may also raise complaints with the Information Commissioner who is the statutory regulator. For contact and other details ask HR or see: https://ico.org.uk/