Enigmatic Smile Limited Workplace and Recruitment Privacy Notice

Introduction

Like most businesses, we hold and process a wide range of information, some of which relates to individuals who work for us or apply for roles within our business. This Privacy Notice explains the type of information we process, why we are processing it and how that processing may affect you.

The notice focuses on individuals who work for us, whether employed by us or not, and individuals who apply for roles with us. It also covers information on former employees/workers.

This Privacy Notice is set out in this document (the Core Notice) and Annex 1 - Supplementary Information.

In the Supplementary Information, we explain what we mean by “personal data”, “processing”, “special personal data” and other terms used in the notice. 

In brief, this notice explains:

  • what personal data we hold and why we process it;
  • the legal grounds which allow us to process your personal data;
  • where the data comes from, who gets to see it and how long we keep it;
  • how to access your personal data and other rights;
  • how to contact us.

Personal data - What we hold and why we process it

We process data for the purposes of our business including recruitment, management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes, on the type of data that may be processed and on the grounds on which we process data. See Legal grounds for processing personal data and Further information on the data we process and our purposes. 

Where the data comes from and who gets to see it

Some of the personal data that we process about you comes from you. For example, you tell us your contact and banking details or employment and education history. 

Other personal data about you is generated in the course of your work if your application is successful, for example, from your managers, colleagues and customers or others outside our organisation with whom you deal. 

Your personal data will be seen internally by managers, anyone undertaking a role related to the HR function and, in some circumstances, other colleagues. We will, where necessary and as set out in this privacy notice, also pass your data outside the organisation, for example to people you are dealing with and payroll agencies.

Further information on this is provided in the Supplementary Information. See Where the data comes from and Who gets to see your data? 

How long do we keep your personal data?

We do not keep your personal data for any specific period but will not keep it for longer than is necessary for our purposes. In general, we will keep your personal data for the duration of your employment and for a period afterwards. See Retaining your personal data – more information in the Supplementary Information.

Transfers of personal data outside the UK or EEA

We will, where necessary and as set out in this privacy notice, transfer your personal data outside the UK or EEA to members of our group and other processors as necessary.

Further information on these transfers and the measures taken to safeguard your data is set out in the Supplementary Information under Transfers of personal data outside the UK or EEA – more information.

Your data rights

You have a right to make a subject access request to receive information about the data that we process about you. Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your data.

Contact details

In processing your personal data, we act as a data controller. We are registered as a data controller with the Information Commissioner's Office, under registration ZA065001. We can be contacted at:

  • Swift House Ground Floor, 18 Hoffmanns Way, Chelmsford, Essex, England, CM1 1GU 
  • hello@enigmaticsmile.com 

Please note that generally the data controller of your personal data will be your employing/engaging entity but also entities within the Enigmatic Smile Group with which we share data for business administration purposes.  

Status of this notice

This notice does not form part of your contract of employment and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this notice is intended to create an employment relationship between us and any non-employee providing services to us.

Annex 1 - Supplementary Information

What do we mean by “personal data” and “processing”?

“Personal data” is information relating to you (or from which you may be identified) which is processed by automatic means or which is (or is intended to be) part of a structured manual filing system. It includes not only facts about you, but also intentions and opinions about you. 

Data “processed automatically” includes information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building, data on use of vehicles and sound and image data such as CCTV or photographs. 

“Processing” means doing anything with the data. For example, it includes collecting it, holding it, disclosing it and deleting it.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by UK and EU privacy law to be “special personal data”. 

References in the Privacy Notice to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of the notice. 

Legal grounds for processing personal data

What are the grounds for processing?

Under data protection law, there are various grounds on which we can rely when processing your personal data. In some contexts more than one ground applies. We have summarised these grounds as Contract, Legal obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. 

| Term | Ground for processing | Explanation |
| --- | --- | --- |
| Contract | Processing necessary for performance of a contract with you or to take steps at your request to enter a contract | This covers carrying out our contractual duties and exercising our contractual rights. |
| Legal obligation | Processing necessary to comply with our legal obligations | Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination. |
| Legitimate interests | Processing necessary for our or a third party’s legitimate interests | We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data. Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests, rights and freedoms. |
| Consent | You have given specific consent to processing your data | In general processing of your data in connection with employment is not conditional on your consent. But there may be occasions where we do specific things such as getting a criminal record check for a role which is regulated and rely on your consent to our doing so. |

Processing and special personal data

Processing special data about you may be necessary in your jurisdiction (for example, storing your health records to assist us in ensuring that we provide you with a healthy and safe workplace, or processing personal data relating to diversity monitoring). If we process your special data we will also make sure that one or more of the grounds for processing special personal data applies. In outline, these include: 

  • Processing being necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement; 
  • Processing relating to data about you that you have made public (e.g. if you tell colleagues that you are ill); 
  • Processing being necessary for the purpose of establishing, making or defending legal claims;
  • Processing being necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity;
  • Processing necessary for the prevention or detection of unlawful acts;
  • Processing for equality and diversity purposes to the extent permitted by law.

The examples in the table cannot, of course, be exhaustive. 

| Purpose | Examples of how personal data may be processed | Grounds for processing |
| --- | --- | --- |
| Recruitment | Standard data related to your identity (e.g. your name, address, email address, ID information and documents, telephone numbers, place of birth, nationality, contact details), professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information), language skills, and any other personal data that you present us with as part of your application related to the fulfilment of the role. We will also collect and process information concerning your application and our assessment of it including any background checks we may make to verify information provided and any information connected with your right to work. This may include, as necessary for your role, verifying your ID, and (subject to legislation in your jurisdiction) checks verifying your job history, qualifications and previous remuneration as well as credit, criminal record, social media and adverse media checks. If necessary, we will also process information concerning your health, any disability and in connection with any adjustments to working arrangements. | Contract; Legal obligation; Legitimate interest: carry out informed recruitment decisions; Prevention or detection of unlawful acts |
| Your employment contract or services agreement including entering it, performing it and changing it | Information on your terms of employment from time to time including your hours and working patterns and your pay and benefits such as your participation in pension arrangements, medical insurance and any discretionary bonus schemes. | Contract; Legal obligation; Legitimate interest: to have an accurate record of your employment contract for its performance and variation |
| Contacting you or others on your behalf | Your address and phone number, emergency contact information and information on your next of kin. | Contract; Legal obligation; Legitimate interest: the ability to contact you, or others on your behalf in an emergency |
| Payroll administration | Information on your bank account, pension contributions and on tax and national or social insurance. Your national or social insurance number or other government issued identifier. Information on attendance, holiday and other leave and sickness absence. | Contract; Legal obligation; Legitimate interest: the ability to carry out payroll, general HR and business administration in an efficient manner, and to plan around your absence where necessary |
| Financial planning and budgeting | Information such as your salary and (if applicable) bonus levels. | Legitimate interest: the ability to carry out effective financial planning and budgeting for our business |
| Supporting and managing your work and performance and any health concerns | Information connected with your work, anything you do at work and your performance including records of documents and emails created by or relating to you and information on your use of our systems including computers, laptops or other devices. Management information regarding you including notes of meetings and appraisal records, including information you or our managers enter onto our training or appraisal platforms. Information relating to your compliance with our policies. Information concerning disciplinary allegations, investigations and processes and relating to grievances or complaints in which you are or may be directly or indirectly involved. Information concerning your health, including medical or doctors’ notes, return to work plans, and medical and occupational health reports. | Contract; Legal obligation; Legitimate interest: the ability to support our workforce and help career development, ensure compliance with our policies, and the investigation of grievances where this becomes necessary. |
| Changing or ending your working arrangements, and conducting data analytics studies to review and better understand employee retention and attrition rates | Information connected with anything that may affect your continuing or ending employment or the terms on which you work including any proposal to promote you, to change your pay or benefits, to change your working arrangements or to end your employment. | Contract; Legitimate interest: the ability to change or end your working arrangements |
| Physical and premises security | CCTV images. Records of use of swipe and similar entry cards. | Legal obligation; Legitimate interest: the ability to keep our locations secure, provide a safe environment for our personnel |
| Improving efficiency of IT and business systems and device use | Records of your use of IT and business systems and devices. We will, where necessary and as set out in this privacy notice, also contract with third parties so you can use third party applications on your company devices which may assist with your work. Such applications will process your personal data. Their own privacy notices will make clear precisely what information will be collected. We may be provided with information on the usage of such applications, for example for the purpose of troubleshooting or assessing overall usage and whether to continue to provide them. | Legitimate interest: to ensure and improve efficiency of IT and business systems and device use |
| Providing references in connection with your finding new employment | Information on your working for us and on your performance. | Consent; Legitimate interest: to maintain good performance and to provide accurate references |
| Providing information to third parties in connection with transactions that we contemplate or carry out | Information on your contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer. | Legitimate interest: to provide information to third parties in connection with transactions related to our business that we contemplate or carry out |
| Monitoring of diversity and equal opportunities | Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age as part of diversity monitoring initiatives. Such data will be aggregated and used for equality of opportunity monitoring purposes. Please note we may share aggregated and anonymised diversity statistics with regulators if formally required / requested. | Legitimate interest: to ensure that we have an equal and diverse workforce; Article 9(2) GDPR condition: processing is necessary for reasons of substantial public interest |
| Monitoring use of our IT systems | We may monitor, access, examine, capture or otherwise intercept (by human or automated means) communications or data transmitted through our systems. This may take place for a number of reasons, including to: maintain the security of our systems; identify and deter system security threats; protect personal data; locate deleted messages or messages lost due to system failure; manage and redistribute the work of an absent employee as needed. | Legitimate interest: to maintain the security of our systems |
| Monitoring and investigating suspicions of misconduct, compliance with policies and rules – both generally and specifically | We expect our employees and workers to comply with our policies and rules and may monitor our systems to check compliance. We will, where necessary and as set out in this privacy notice, check systems and other data to look into those concerns (e.g. log in records, records of usage and emails and documents, CCTV images). In appropriate cases if we have suspicions of serious wrong-doing, we may make targeted records in connection with an investigation. | Legitimate interest: to ensure that our employees and workers comply with our policies and rules |
| Disputes and legal or regulatory matter or proceedings | Any information relevant or potentially relevant to a dispute or legal or regulatory matter or proceeding affecting us. | Legitimate interest: the ability to respond to and defend against legal claims; Legal obligation |
| Day to day business operations including marketing and customer/client relations and travel on our behalf | Information relating to the work you do for us, your role and contact details including relations with current or potential customers or clients. This may include a picture of you for internal or external use. Information regarding your travel arrangements and location. | Legitimate interests: to allow the effective operation of day to day business, marketing and investor relations and travel |
| Maintaining appropriate business records during and after your employment | Information relating to your work, anything you do at work and your performance relevant to such records. | Contract; Legal obligation; Legitimate interest: to maintain appropriate business records during and after your employment |
| Meeting our duty of care and health and safety responsibilities | We have a duty of care to ensure a safe place of work, as well as a duty of care to staff. For this reason, where reasonable and necessary, in certain circumstances we may process information about your health, for example sick notes and details of any periods of sickness. | Legal obligation; Legitimate interest: to ensure a safe place of work and the safety of our staff; Article 9(2) GDPR condition: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment |

Where we rely on legitimate interests, we have set out above the purposes for processing such data and why such processing is necessary. This Privacy Notice sets out the steps that we take to keep your data safe, and as such we have adequately balanced your data subject rights, with the needs of the business to process this data. This Privacy Notice also serves as our legitimate interests assessment.

Where the data comes from

When you start employment with us, the initial data about you that we process is likely to come from you: for example, contact details, bank details and information on your immigration status and whether you can lawfully work. We will, where necessary and as set out in this privacy notice, also require references and information to carry out background checks. In the course of employment, you may be required to provide us with information for other purposes such as sick pay (including any statutory right to sick pay) and family rights (e.g. maternity and paternity leave and pay). If you do not provide information that you are required by statute or contract to give us, you may lose benefits or we may decide not to employ you or to end your contract. If you have concerns about this in a particular context, you should speak to the legal team.

In the course of your work, we may receive personal data relating to you from others.  Internally, personal data may be derived from your managers and other colleagues or our IT systems; externally, it may be derived from our customers or those with whom you communicate by email or other systems. 

Who gets to see your data

Internal use

Where necessary and as set out in this privacy notice, your personal data will be disclosed to your managers, anyone undertaking an HR function role and administrators for employment, administrative and management purposes as mentioned in this document. We will, where necessary and as set out in this privacy notice, also disclose this to other members of our group.

External use

We will only disclose your personal data outside the group if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you. 

We will disclose your data if it is necessary for our legitimate interests as an organisation or the interests of a third party (but we will not do this if these interests are overridden by your interests and rights, in particular to privacy). Where necessary, we will also disclose your personal data if you consent, where we are required to do so by law and/or in connection with criminal or regulatory investigations.

Specific circumstances in which your personal data may be disclosed include:

  • Disclosure to organisations that process data on our behalf such as our payroll service, identity verification, insurers and other benefit providers, our bank and organisations that host our IT systems and data; 
  • Disclosure to external recipients of electronic communications (such as emails) which contain your personal data;
  • Disclosure on a confidential basis to a potential buyer of our business or company for the purposes of evaluation – but only if we were to contemplate selling;
  • Disclosure to respond to law enforcement agency or government body requests or where required by applicable laws, pursuant to court orders, or arbitral or tribunal orders or rules of procedure, or to government regulations departments or agencies or regulatory bodies (including disclosures to tax and employment authorities and any other regulatory bodies);
  • Disclosure on a confidential basis to our advisers for example to our lawyers for the purposes of seeking legal advice or to further our interests in legal proceedings and to our accountants for auditing purposes;
  • Disclosure to our insurers;
  • Disclosure of aggregated and anonymised diversity data to relevant regulators as part of a formal request;
  • To third parties for the purpose of assessing efficiency of IT or business system device usage. In such cases the data sent to the third party will be anonymised where possible;
  • Your advisors and/or other entities linked with you. 

Retaining your personal data - More information

Although there is no specific period for which we will keep your personal data, we will not keep it for longer than is necessary for our purposes. In general, we will keep your personal data for the duration of your employment and for a period afterwards. In considering how long to keep it, we will take into account its relevance to our business and your employment either as a record or in the event of a legal claim. 

Personal data relating to job applicants (other than the person who is successful) will normally be deleted after 12 months.

Transfers of personal data outside the UK or EEA – more information

In connection with our business and for employment, administrative, management and legal purposes, we will, where necessary and as set out in this privacy notice, transfer your personal data outside the UK or EEA to members of our group and on occasion other jurisdictions in which we are established. We will ensure that any transfer is lawful and that there are appropriate security arrangements.

Access to your personal data and other rights

We try to be as open as we reasonably can about personal data that we process. If you would like specific information, just ask us.

You also have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:

  • Giving you a description and copy of the personal data
  • Telling you why we are processing it

If you make a subject access request and there is any question about who you are (for example, if we receive the request from an email address we do not recognise), we may require you to provide information from which we can satisfy ourselves as to your identity.

As well as your subject access right, you may have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller. This only applies if the ground for processing is Consent or Contract. 

If we have relied on consent as a ground for processing, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.

Complaints

If you have complaints relating to our processing of your personal data, you should raise these with the legal team in the first instance. You may also raise complaints with your statutory regulator. For contact and other details you can email privacy@enigmaticsmile.com.

Status of this notice

This notice does not form part of your contract of employment or service agreement and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this notice is intended to create an employment relationship between us and any non-employee providing services to us.