The following policy details the personal data we collect from you, the purpose it is collected for and which third parties your details may be passed to. This policy applies to all potential job candidates as well as our employees, temporary or agency workers and self-employed contractors both current and former.
Arnold Clark Automobiles Limited (SC036386) takes the issue of security and data protection very seriously and strictly adheres to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which is applicable from the 25th May 2018, and all UK data protection legislation. Arnold Clark Automobiles Limited is notified as a Data Controller with the Office of the Information Commissioner under registration number Z6369745, and we are the data controller of any personal data that you provide to us.
All candidate and employee data is held by Arnold Clark Automobiles Limited regardless of which subsidiary you are employed by. We may disclose your personal information to another member of our group where we have a legitimate business interest to do so. Our group means Arnold Clark Finance Limited (SC039597) (Z580926X), Arnold Clark Insurance Services Limited (SC192797) (Z7717844), GTG Training Limited (SC290157) (Z5430075), Harry Fairbairn Limited (SC043023) (Z6051177), Assure Alarms Limited (SC139217) (Z6465740) and Towquest Limited (02299882) (Z5554521).
Any questions relating to this policy and our privacy practices should be sent to firstname.lastname@example.org
This policy amounts to a privacy notice for the purposes of the GDPR and contains all of the information which we are required to provide to you under data protection legislation.
What are our Obligations?
The law says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only for as long as is necessary for the purposes we have told you about.
- Kept securely.
Personal information that we collect
We obtain information about you when we employ you. We need this information to carry out the full terms of your application and potential subsequent employment. This section sets out in more detail what information we collect.
During our recruitment process we will collect the following information:
- Full name
- Date of Birth
- Phone number
- E-mail Address
- NI Number
- Qualifications / Professional Membership Numbers
- Previous employment details
- Driving licence details
If you are unsuccessful in your application then your information will be removed from our physical records within three months and from our electronic records within twelve months. If you are successful then you will be required to provide Arnold Clark with further information as detailed below.
At the start of your employment we will collect the following information:
- Full name (including known as and maiden name)
- Date of Birth
- Job Title and Hours
- Branch Location
- Phone numbers (Home and Mobile)
- Email addresses (Work and Personal)
- NI Number
- Bank details
- Wages Information
- Copy of your passport
- Copy of a bank statement
- Previous employment details
- Next of kin details / Emergency contact details (Please be aware it is your obligation to ensure that your contact knows that their details are being held by Arnold Clark)
- Life Assurance information
Also, if applicable, the following information will be added to your People Team file during your employment:
- Driving licence details
- Grievance information
- Disciplinary information
- CCTV Evidence
- Redundancy information
- Apprenticeship information
- Any court orders
- Litigation information (if it involves the Company)
- Uniform Allocation
- Change of terms and conditions
- Maternity/paternity leave information
- Flexible working arrangements
We may also collect the following “special categories” of more sensitive personal information:
- Health information (GP Reports/ Sick Lines/Self-Certificates)
- Diversity information – ethnicity and religion
- Disability information
- Gender identity
- Conviction information
How long we keep your personal information for
We review our data retention periods regularly and will only hold your personal data for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Further information can be found in the Company’s Retention Policy.
If you make a public liability claim then Arnold Clark Insurance Services Limited will have to keep a record of your full name, contact information, DOB, medical information, witness information and 3rd party information. This must be kept for 30 years – in line with regulatory laws.
Finally, we still require to keep a record of your name, date of birth, NI number, and where and when you worked for the Arnold Clark Group, for 25 years.
Disclosing Your Information; why we collect it, how we use it
We will only use your personal information when the law allows us to.
When you are applying for a position with Arnold Clark we will use your details for the application and interview process. If you are unsuccessful then your details will no longer be used unless you have opted to receive job alerts. If you are successful your details will be used in the following ways:
- Where we need to perform the contract we have entered into with you;
- Where we need to comply with a legal obligation; or
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
In particular, the situations in which we may process your personal information are as follows:
- Determining the terms on which you work for us including, where required, making arrangements for the termination of our working relationship;
- Checking you are legally entitled to work in the UK;
- Administering the contract we have entered into with you including identifying education, training and development requirements;
- Paying you and, if you are an employee, deducting tax and National Insurance contributions;
- Providing benefits to you (including liaising with your pension provider and managing any stock or share option schemes which you may be a part of);
- Business management and planning, including accounting and auditing;
- To carry out a disciplinary or grievance investigation or procedure in relation to you or someone else;
- Dealing with legal disputes involving you, or other employees, workers, contractors or third parties, including accidents at work and complying with health and safety obligations;
- Managing your sickness absence, ascertaining your fitness to work and communicating with our providers of private medical cover or other insurance cover;
- Monitoring your use of our information and communication systems;
- Monitoring compliance by you, us and others with our policies and our contractual obligations;
- Prevention and detection of fraud or other criminal offences;
- Equal opportunities monitoring and reporting;
- To provide a reference upon request from another employer;
- To answer questions from insurers or mortgage providers in respect of any policies which relate to you; and
- Dealing with necessary due diligence in connection with any business transfer.
The “special categories” of particularly sensitive personal information listed above require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent (which you are entitled to withdraw at any time);
- Where we need to carry out our legal obligations;
- Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme;
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will use your particularly sensitive personal information in the following ways:
- We will use information relating to absence which may include sickness absence or family related leave to comply with employment and other laws.
- We will use information relative to health where appropriate in the context of our provision of private medical cover.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Sharing your Information
While you are employed with Arnold Clark, we may disclose your personal information to third parties under the following circumstances:
- If we sell any business or assets, in which case we may disclose your personal data to the prospective buyer of such business or assets.
- If Arnold Clark or substantially all of our assets are acquired by a third party, in which case personal data held by us about our employees will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or to protect the rights, property, or safety of the Arnold Clark Group, our customers, or others. This includes exchanging information with governmental agencies, such as HMRC and DVLA; trade unions; local councils; and the police or courts.
- We work with various third party providers to help us complete our obligations to you as employees. We will only disclose your information as far as is necessary to complete our obligations. Where we have contracts with third party suppliers we will have completed necessary due diligence and security checks and will include contractual obligations to ensure that your data is kept safe once passed to the third party. All third parties only have the right to use your data to complete the prescribed task; they are not permitted to use your data for any other purpose.
- Before beginning your contract, you will have to have a check either through Disclosure Scotland or DBS in England; your personal information will be provided to these organisations in order to complete these checks.
- Your information will be passed to any company providing payroll processing services to us.
- Your monthly pay will be put through the BACS automated banking payment system.
- Your details may be shared with our uniform supply contractor to enable them to provide your staff uniform.
- If you require to travel for your role, your information may be provided to our accommodation provider to enable them to provide you with a discount card. Where alternative accommodation is organised by the Arnold Clark Group for you, your details may also be passed to the relevant provider.
- If you are entitled to a company mobile phone, then your information will be provided to our mobile phone provider.
- If you are given a pre-paid credit card, your information will be provided to the supplier to allow them to meet their obligations under the money laundering regulations.
- Your name, employee ID and location information will be given to our TMS provider to enable them to activate and monitor the TMS and swipe card systems.
- Your information may be given to our Occupational Health provider in the event of any occupational health referrals; the information shared may include data concerning your health.
- External solicitors litigate all of our employee disputes and amendments to employee contracts – if necessary your information may be provided to them.
- Once you are over the age of 21, your name, contact information, position, number of years’ service, pension contribution and salary will be given to our pension provider to allow us to comply with our legal obligation to provide you with a workplace pension scheme. This will be provided unless you object to the scheme.
- Again, under the same legal obligation as above, all the same information, minus your salary, will be sent to the People's Pension.
- Your information may be passed to external employers either at your request or under a regulatory obligation.
- Employee information and nominee names are passed to the life insurance company who underwrite our life assurance scheme.
- If at any time you are required to attend a meeting with the People Team, recordings of the meetings, which may contain personal information, will be transcribed by our external transcription service provider.
If you don’t provide Information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). Any failure may result in a contract with you being terminated or the taking of disciplinary action.
Your rights in relation to Your Information
You may request, at any time, a copy of the personal information the Company holds about you, at no cost. Should you wish to access or update the personal information that we hold, please contact us by sending a written request to The People Team, 454 Hillington Road, Hillington Park, Glasgow, G52 4FH or email@example.com
If you wish to have the information the Company holds on you restricted, corrected, transferred or deleted, please request this in writing to The People Team, 454 Hillington Road, Hillington Park, Glasgow, G52 4FH or firstname.lastname@example.org - as long as your information is not pertinent to the completion of a contract or required for any legal reason it will be removed.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).
If you are concerned that we are not using your information in accordance with the law, or are not satisfied with our response to a request made above, then you can complain to the Information Commissioner’s Office.
The Information Commissioner in Scotland can be reached by the following means:
The Information Commissioner's Office - Scotland
45 Melville Street
0303 123 1115
The Information Commissioner in England can be reached by the following means:
Information Commissioner's Office
0303 123 1113
Once we have received your information, we will use strict procedures and security features to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees and third parties who have a business need to know.
Data Storage and Use of Data Outside of the European Economic Area
We store your data on secure servers inside the European Economic Area (EEA).
Some of our third party contractors are based outside of the EEA. However, we have strict control over how and why your data can be accessed. All of the processing is necessary for all the functions detailed above. If we transfer your data outside the EEA we will take steps to ensure that appropriate security measures are put in place with the aim that your rights continue to be protected as set out in this policy.
We are required to notify the ICO in the event of the loss or unauthorised access, disclosure or acquisition of the personal information we hold.
As a company we allow our employees to align their social media pages with the company. However, staff may not create their own posts concerning deals and competitions; they may only share posts created by the Arnold Clark social media team.
We offer this functionality in order to generate interest in us, the website and our services among the members of your social networks, and to permit you to share and follow opinions, news and recommendations about us with your friends. However, you should be aware that sharing personal or non-personal information with a social network may result in that information being collected by the social network provider or result in that information being made publicly available, including through Internet search engines.
Once employed with us you are responsible for helping the Company to keep your personal data up to date. You should let email@example.com know if personal information you have provided to the organisation changes, for example if you move house or change bank details.
You may have access to the personal information of other individuals, customers and clients in the course of your working relationship with us. Where this is the case, we rely on you to help us meet our data protection obligations to staff, customers and clients.
In particular, if you have access to the personal information of others, you are required:
- To only access personal information that you have authority to access and only for authorised purposes.
- To only disclose personal information to individuals (whether inside or outside the organisation) who have appropriate authorisation.
- To keep such personal information secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
- Not to make unnecessary copies of personal data, and to keep and dispose of any copies securely.
- Not to remove personal information, or any devices which contain or which can be used to access personal information, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the information and the device.
- Not to store personal information on local drives or on personal devices that are used for work purposes.
Failure to observe these requirements may amount to a disciplinary offence, which will be dealt with under the Company’s disciplinary procedure.
This policy was last updated: 10 July 2018