1. ABOUT THIS DATA PRIVACY NOTICE
1.1 This notice is designed to provide information on how Krispy Kreme UK Limited (referred to as "we", "us", "our") processes the personal data of its job applicants, workforce and former employees (referred to as "you" or "your" unless stated otherwise) in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and, when enacted, the Data Protection Act 2018 (together referred to as the "GDPR"). This notice applies to job applicants who apply to us for a job, as well as current and former members of our workforce, including employees, workers, agency workers, and self-employed consultants.
1.2 As a "data controller", we are responsible for deciding how we process personal data about you. We take your privacy seriously and we are fully committed to protecting your personal data at all times. We will only process your personal data in accordance with applicable data protection laws, adhering to the principles (as applicable) contained in the GDPR.
1.3 This notice does not form part of any offer of employment or your contract of employment and we may amend it at any time to reflect any changes in the way in which we process your personal data. If you are in the application process when any changes or updates are made to this notice, we will bring any such changes to your attention as soon as is practicable. To members of our workforce, we will provide you with a new privacy notice when we make any substantial updates, and we may also notify you in other ways from time to time about the processing of your personal data.
2. THE KIND OF INFORMATION WE HOLD ABOUT YOU
2.1 "Personal data" is any information about a living individual from which they can be identified such as name, ID number, location data, any online identifier, or any factor specific to the physical, physiological, genetic, mental, economic or social identity of that person. It does not include data where any potential identifiers have been removed (anonymous data) or data held in an unstructured file.
2.2 There are "special categories" of more sensitive personal data which are more private in nature and therefore require a higher level of protection, such as genetic data, biometric data, sexual orientation, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health.
2.3 When we refer to "processing", this means anything from collecting, using, storing, transferring, disclosing, altering or destroying personal data.
3. RECEIVING YOUR PERSONAL DATA
We may obtain personal data and/or special category personal data about you from third party sources, such as Amris, Element Suite, LinkedIn, recruitment and employment agencies, job boards, occupational health professionals, background check providers, HMRC, the Department for Work and Pensions, brokers and pension providers. Where we receive such information from these third parties, we will only use it in accordance with this notice and in line with our Data Protection Policy. In some cases, they will be acting as a controller of your personal data and therefore we advise you to read their privacy notice and/or data protection policy.
4. HOW WE USE YOUR PERSONAL DATA (EMPLOYEES, WORKERS, AND SELF EMPLOYED CONSULTANTS)
4.1 We process your personal data for various reasons, relying on a variety of different bases for lawful processing under the GDPR, as set out below.
4.1.1 To comply with our legal obligations. This may include:
eligibility to work in the UK checks as required by immigration laws and formal identification documentation relating to you, such as passport and visa documentation;
payroll records, social security, child maintenance, marital status, student loans and national insurance information, to comply with social security and HMRC (tax) requirements;
information in relation to legal claims made by you or against you, in order to comply with court processes and court orders;
information relating to the occurrence, investigation or prevention of fraud, such as through a whistleblowing complaint;
pension benefits to comply with pension legislation;
information relating to your driving hours to show compliance with EU rules and regulations (for driving roles only); and
DVLA checks to validate driving licence information if you drive our vehicles or if you are required to drive as part of your role.
4.1.2 To prepare for and to perform the contract of employment you have entered into with us. This may include:
formal identification documentation relating to you, such as a passport or driving licence, to verify your identity (including your gender and date of birth);
your contact details such as your name, address, telephone number and personal email address which will be used to communicate with you on employment matters during your employment;
bank details which are used to send/receive funds to/from you such as payment of your salary, expenses, statutory sick pay, company sick pay, statutory maternity/paternity/adoption/shared parental leave pay, or to make or repay loans or advances of salary;
information relating to the enrolment or renewal of your employment benefits including pension, private health care, and life assurance in order to provide you with these benefits;
information relating to your past career history;
details of the terms and conditions of your employment.
4.1.3 To pursue our (or a third party's) legitimate interests as a business. This may include:
For job applicants specifically:
your contact details such as your name, address, telephone number and personal email address which will be used to communicate with you in relation to the recruitment process;
your CV, any education history, employment records, professional qualifications and certifications in order for us to consider your suitability for the job you are applying for;
details of the role you are applying for and any interview notes made by us during or following an interview with you, in order to assess your suitability for that role;
pay and benefit discussions with you to help determine whether a job offer may be made to you;
voicemails, emails, correspondence and other communications created, stored or transmitted by you on or to our computer or communications equipment in order to progress the application through the recruitment process; and
CCTV footage of you onsite, within the Company's Head Office and within all the Company's stores, for security reasons, for the protection of our property and for health and safety reasons.
For employees, workers, and self-employed consultants:
training records, appraisals and 1:1 meeting notes about you in order to assist/assess your career development and training needs and/or to ensure that you are properly managed and supervised;
information relating to the performance of your employment duties, such as disciplinary records, as this is relevant to your ability to carry out your job and for us to assess and identify areas in which we may need to help you improve;
information relating to the performance of your duties may also be used to conduct an investigation if circumstances warrant it and to take appropriate action either for conduct or capability reasons in accordance with our Disciplinary Policy;
information relating to any grievance process involving you, in order that an investigation may be conducted and appropriate action taken (if any) in accordance with our Grievance Procedure and Disciplinary Policy;
management reports (including statistical and audit information) to ensure workplace efficiencies are maximised;
health, safety and environmental information (including records and information relating to your next of kin and (for driving roles) any driving penalties or fines incurred) to ensure that we are complying with relevant policies and procedures. This allows us to implement any training where applicable;
work related contact details on our intranet and/or internal systems to facilitate efficient communication within the business;
capturing photographs/images for internal and external normal business purposes (i.e. email accounts, intranet, external marketing, HR platform etc.) in order to assist employee engagement and harmonisation of the business;
voicemails, emails, correspondence and other work-related communications created, stored or transmitted by you using our computer or communications equipment for the purposes of the efficient management of the business in accordance with our Email, Internet and IT Policy;
non-medical absence records and details including holiday records, appointments, jury service, maternity, paternity, adoption and parental leave in order to monitor attendance levels and to comply with our policies;
CCTV (operated within the Company's Head Office and within all the Company's stores) to ensure business efficiencies, for security reasons, for the protection of our property and for health and safety reasons as set out in more detail in our CCTV Policy;
network and information security data in order for us to take steps to protect your information against loss, theft or unauthorised access; and
data relating to tracking devices/technologies and activities in respect of our vehicles you drive, in order to maximise efficiencies within the business.
4.1.4 Where you have consented to specific processing. This may include:
information disclosed to a third party agency relating to your pay details for the purposes of providing tenancy references;
information disclosed to a mortgage provider relating to your employment history and pay details for the purposes of a mortgage application; and
information disclosed to a prospective future employer relating to your employment details for the purposes of providing a reference.
4.1.5 Where it is in your vital interests. This may include:
information about allergies or any medical conditions so as to prevent any unnecessary accidents, and advise medical professionals in the event of an emergency.
4.2 Where you have consented to specific processing of your personal or special categories data, you have the unequivocal right to withdraw your consent at any time by indicating your withdrawal in a written format to a member of the HR team.
4.3 Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
4.4 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
5. HOW WE USE YOUR SPECIAL CATEGORY PERSONAL DATA
5.1 We also collect, store and use your special category personal data for a range of reasons, relying on a variety of different bases for lawful processing under the GDPR.
5.1.1 To enable us to perform our legal obligations in respect of employment, social security, and social protection law, in line with our Data Protection Policy. This may include:
information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws;
information gathered as part of a whistleblowing investigation;
information relating to you involving allegations of unlawful discrimination, in order that an investigation may be conducted and appropriate action taken (if any) under our Disciplinary Policy or Grievance Procedure; and
health information to assess and/or to comply with our obligations under employment, equal opportunities and health and safety legislation (for example a requirement to make reasonable adjustments to your working conditions).
5.1.2 For occupational health reasons or where we are assessing your working/driving capability, subject to appropriate confidentiality safeguards. This may include:
information about your physical or mental health, or disability status, to assess whether any reasonable adjustments are required for you during the recruitment process, to ensure your health and safety in the workplace, to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits;
sickness absence records, such as statement of fitness to work, reasons for absence and self-certification forms; and
records of return to work interviews/meetings.
5.1.3 Where it is needed for statistical purposes in the public interest, such as for equal opportunities monitoring, in line with our Data Protection Policy. To ensure meaningful equal opportunities monitoring and reporting, we may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, and your sexual orientation. This information will be anonymised to the effect that you will not be identifiable and will not be used in relation to your application for employment with us.
5.1.4 To establish, defend or exercise legal claims in an employment tribunal or any other court of law.
5.1.5 Where you have given explicit consent to the processing of special categories of data, such as capturing photographs/images for exceptional business purposes (i.e. external media activities).
6 INFORMATION ABOUT CRIMINAL CONVICTIONS
6.1 We envisage that we will hold information about criminal convictions.
6.2 We will only collect this information if it is appropriate given the nature of your role and where the law allows us to do so. This will usually be where such processing is necessary for reasons of substantial public interest, provided that we do so in line with our Data Protection Policy. We may collect this information as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.
6.3 We will use information about criminal offences and convictions in the following ways:
To prevent or detect unlawful acts;
To protect the public against dishonesty; and/or
To prevent fraud.
6.4 Where we process criminal convictions information about you, whether as part of any application process or otherwise, we will retain it in accordance with our Data Retention Policy.
7 AUTOMATED DECISION MAKING / PROFILING
We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.
8.1 We may share your personal data and special category personal data internally. In particular, it may be shared with: HR employees involved in the recruitment process, employee relations and/or in the administration of your employment; line managers; consultants; advisers; or other appropriate persons who may be involved in the recruitment process for the job you are applying for.
8.2 We may share your personal data and special category personal data with other companies within our Group. They may use your personal data as part of our regular reporting activities on succession planning. They may also use your personal data if you have submitted an application for a job vacancy within the wider Group.
8.3 We may share your personal data and special category personal data with third parties, agents, subcontractors and other organisations (as listed below) where it is necessary to administer the working relationship with you or where we have a legitimate interest in doing so:
occupational health providers;
payroll and providers of HR services (including but not limited to Fourth and Element Suite);
providers of driver system analysis (including but not limited to Tachomaster, Drive Hire and Tom Tom);
financial product/services providers (including auditors);
psychometric testing and training providers;
recruitment and employment agencies;
employee benefits providers (including but not limited to Reward Gateway, BUPA, Standard Life, Canada Life);
insurance providers (including but not limited to Allianz and Blue Fin);
providers of IT services; and
providers of legal services.
8.4 When we disclose your personal data to third parties, we only disclose to them any personal data that is necessary for them to provide their service. We are in the process of putting contracts in place with these third parties in receipt of your personal data requiring them to keep your personal data secure and not to use it other than in accordance with our specific instructions.
8.5 We only disclose your personal data to third parties who we are sure have adequate policies/procedures in place in relation to data security.
8.6 We may also share your personal data and special category personal data with other third parties for other reasons. For example, in the context of the possible sale or restructuring of the business; to provide information to a regulator; or to otherwise comply with the law. To comply with our legal obligations we may share your data with the following:
HMRC for tax purposes;
Home Office for immigration purposes;
DVLA to validate driving licence information if you drive company vehicles or if you are required to drive as part of your role; and
student loan agencies to ensure that appropriate reductions are made from your salary.
8.7 We may share your personal data with third parties such as mortgage providers, property rental providers or prospective future employers with your consent.
9 TRANSFERRING INFORMATION OUTSIDE THE EEA
9.1 We do not envisage that we will transfer job applicants' personal data outside of the EEA; however, we will update this notice if this position changes.
9.2 We may transfer the personal data we collect about members of our workforce to the following country outside the EEA:
to Krispy Kreme's Parent Company, Krispy Kreme Doughnuts Inc. located in the USA (the "Parent Company").
9.3 There is not an adequacy decision by the European Commission in respect of that country because the Parent Company is not registered with Privacy Shield. This means that the country to which we transfer your data is not deemed to provide an adequate level of protection for your personal data.
9.4 To ensure that your personal information does receive an adequate level of protection we have put in place model contractual clauses as an appropriate measure to ensure that your personal information is treated by the Parent Company in a way that is consistent with and which respects applicable laws on data protection.
10 DATA STORAGE AND SECURITY
10.1 Your personal data and special category personal data is stored in a variety of locations, including: electronically on our secure servers/in hard copy form in access-restricted rooms or locked filing cabinets.
10.2 More information as to where specific categories of personal data are stored is set out in our Data Retention Policy.
10.3 We take appropriate technical and organisational security measures and have rules and procedures in place to guard against unauthorised access, improper use, alteration, disclosure and destruction and accidental loss of your personal data. Information about the IT security standards that we use to protect your personal data is contained in our Email, Internet and IT Policy.
10.4 In addition, we limit access to your personal information to those members of our workforce who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
10.5 We have put in place procedures to deal with any suspected or actual data security breach and we will notify you and the Information Commissioner's Office ("ICO") of a suspected breach where we are legally required to do so.
10.6 Whenever we propose using new technologies, or where processing is construed as 'high risk', we are obliged to carry out a Data Protection Impact Assessment which allows us to make sure appropriate security measures are always in place in relation to the processing of your personal data.
11 DATA RETENTION
11.1 We keep your personal data and special category personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, and in line with our Data Retention Policy.
11.2 When applying for a job with us, we compile and keep both manual and electronic files containing information about you which relates to your application for a job with us. Your information will be kept secure and will be used for the purposes of your job application, as explained above.
11.3 If you are offered and you accept a job with us, your personal data will be transferred to both manual and electronic personnel files. The retention period varies depending on whether you are a job applicant or a member of our workforce. At the expiry of the set retention period, or in other select circumstances, your personal data will be permanently and securely deleted.
11.4 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use and retain such information without further notice to you, as it falls outside of the definition of personal data under the GDPR.
12 YOUR DUTIES
12.1 We encourage you to ensure that the personal data that we hold about you is accurate and up to date by keeping us informed of any changes to your personal data. You can update your details by notifying HR.
12.2 If you are a member of our workforce, you also have obligations under various data protection laws. Our policy on data protection is set out in our Data Protection Policy (which can be found within the [Employee Handbook/intranet]). You are required to be familiar with and comply with these rules and procedures.
13 YOUR RIGHTS
13.1 You may make a formal request for access to personal data and/or special category data that we hold about you at any time. This is known as a Subject Access Request. Such a request must be made in writing and we must respond within a certain time period (being 40 days under the Data Protection Act 1998, reducing to one month under the GDPR from 25 May 2018). Please note that under the GDPR we are permitted to extend the one month time period for responding by an additional two months where in our view your request is complex or numerous in nature. We may also charge a reasonable fee based on administrative costs where in our view your request is manifestly unfounded, excessive or a request for further copies. Alternatively, we may refuse to comply with the request in such circumstances. For further details on subject access requests, please refer to our Data Protection Policy.
13.2 Under certain circumstances, by law you also have the right to request:
13.2.1 to have your personal data corrected where it is inaccurate;
13.2.2 to have your personal data erased where it is no longer required. Provided that we do not have any continuing lawful reason to continue processing your personal data, we will make reasonable efforts to comply with your request;
13.2.3 that your personal data be transferred to another person;
13.2.4 to withdraw your consent to processing where this is our lawful basis for doing so;
13.2.5 to restrict the processing of your personal data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending, or you require us to keep it in connection with legal proceedings; and
13.2.6 to object to the processing of your personal data, where we rely on legitimate business interests as a lawful reason for the processing of your data. You also have the right to object where we are processing your personal information for direct marketing purposes. We have a duty to investigate the matter within a reasonable time and take action where it is deemed necessary. Except for the purposes for which we are sure we can continue to process your personal data, we will temporarily stop processing your personal data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data.
13.3 The way we process your personal data and the legal basis on which we rely to process it may affect the extent to which these rights apply. If you would like to exercise any of these rights, please address them in writing to the HR Department.
13.4 We may need to request specific information from you to help us to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
13.5 In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the HR Department. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to. If you withdraw your consent, our use of your personal data before your withdrawal is still lawful.
13.6 You may complain to a supervisory body if you are concerned about the way we have processed your personal data. In the UK this is the ICO – www.ico.org.uk
13.7 Although you have the right to complain to the ICO, we encourage you to contact us first with a view to letting us help in resolving any queries or questions.
If you have any questions about any matter relating to data protection or the personal data and/or special category personal data that we process about you, please contact the HR Department.