What is this Notice about?
This Data Privacy Notice explains how we collect and use personal information in a number of different situations.
The Notice consists of this Overview section, and various other sections describing the processing we may undertake dependent on the relationship(s) we may have with you. Words which are underlined have specific definitions. You can find the definitions in the Glossary.
The information in this Notice is important, so we have tried to make it very easy to navigate. Use the links to locate the sections that are relevant to you. These will help you find out more about how we collect, use and share personal information in our relationship or interaction with you.
Who is the data controller of my data?
If you have a contractual relationship with us, ARA Ltd the company identified in that contract (whether issued by us or a third party) will be the data controller of your personal information.
How do you use my personal information?
The sections of this Notice will help you understand how we manage and use your personal information in our relationship or interactions with you.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If the way that personal information will be managed differs from the details provided in this Notice or is incompatible with the original purpose the data was collected for, additional information regarding this processing will be provided to you.
If necessary, we will collect consent from you and advise you of the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your relationship with us that you agree to any request for consent from us.
Please note that we may process your personal information without your knowledge or consent, in compliance with the information set out in this Notice, where this is required or permitted by applicable law.
We may amend the content of the Notice from time to time to keep it up to date with current legal requirements and the way we operate our business.
What is the basis on which you justify processing my personal information?
In order to carry out any processing of your personal information, we need to ensure that we have a particular reason to do so. We have set out the reasons we have for processing your personal information in the various sections of this Notice.
The reasons that we have for processing your personal information directly relate to the legal grounds for processing set out in the GDPR and local laws. We have also identified these legal grounds within this Notice where they apply.
Please contact us if you have any questions or would like more detail regarding our reasons for processing your personal information.
What are the general legal grounds for processing personal information?
The general legal grounds for processing all types of your personal information and what they mean are described further below:
- The processing is needed for a contract with you.
- The processing is needed so that we can comply with our legal obligations.
- The processing is needed for our legitimate interests.
- You have given your consent to the processing.
- The processing is needed for vital interests.
- The processing is needed for a public task.
What are the additional legal grounds on which you justify processing my special categories of personal information?
In order to carry out any processing of your special categories of personal information, we need to ensure that we have a particular reason to do so, in addition to the general legal grounds set out above. This reason needs to relate to one of the additional legal grounds for processing set out in the GDPR and local laws.
We have set out the reasons we have for processing your special categories of personal information in this Notice, along with the relevant general and additional legal ground for processing. These additional legal grounds for processing special categories of personal information and what they mean are described further below:
- The processing is needed for carrying out our employment law obligations.
- The processing is needed for occupational medicine.
- The processing is necessary for substantial public interests.
- The processing is needed to protect your life or the life of another.
- The processing is needed for legal claims.
What if I don’t provide you with my personal information?
In some cases, you will be free to withhold personal information from us. However, if you do withhold specific information, we may not be able to continue our relationship with you if we believe we require the relevant information to support the effective and efficient administration and management of that relationship.
For example, for employees, we require your identity information, contact and payroll information in order to pay you. If this is not provided, we may be unable to manage our contractual relationship.
In addition, for representatives of suppliers or customers, if we do not have your identity and contact information, we will not be able to communicate with you regarding the relevant commercial transaction between the Company and that supplier or customer.
How do you keep my information secure?
The Company is committed to protecting the security of the personal information you share with us or we otherwise process about you. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
Where do you get my personal information from?
In most cases, we receive the personal information directly from you. You either provide this to us at the outset of our relationship or do so at another time during your interactions with us. This will include personal information that you input into a form or through any self-service function, as well as information that you give to the HR team, your Company contact and to any member of our workforce.
We may create personal information about you during your relationship with us.
In addition to the personal information that you provide to us, we may generate some further personal information internally. This will usually be generated by HR, line management or your Company contact, as appropriate.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by us or a third party provider of the relevant service on our behalf.
In some cases, we get personal information about you from third party sources – see external sources in the table below.
We may also obtain some information from third parties.
If you are a representative of a supplier or a customer, we may receive your personal information directly from that company or from your colleagues. We may also use third parties to carry out anti-money laundering, anti-bribery and corruption and Know Your Client checks.
If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or from a third party that we engage to carry out a background check (where permitted by applicable law).
When do you share my information with others?
Within the Company, your personal information can be accessed by or may be disclosed internally on a need-to-know basis – see internal recipients below.
Your personal information may also be accessed by third parties, including suppliers, advisers, national authorities and government bodies – see external recipients below. We have sought to identify these parties in this Notice.
In addition, there are circumstances where we may need to disclose your personal information to third parties, to help manage our business and deliver our services. We may disclose your personal information to third parties if:
- We sell or buy any business, in which case we may disclose your personal information to the prospective seller or buyer of such business;
- ARA Ltd or substantially all of its assets are acquired by a third party, in which case personal information held by it about you will be transferred to that third party;
- We are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in the EEA and around the world, or to our legal advisers;
- It is necessary to protect the rights, property, or safety of ARA Ltd plc or any member of ARA Ltd, our customers, suppliers or others, in which case we may disclose your personal information to our legal advisers and other professional services firms; and
- They provide services to us connected with your relationship with us.
Where these third parties (or any others) act as a data processor (for example, a benefits provider), they carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Notice. In this case your personal information will only be disclosed to these parties to the extent necessary to provide the required services.
Internal recipients of your personal information may include:
- local and global departments, including line management and team members;
- local and executive management responsible for managing or making decisions in connection with your relationship with the Company or when involved in a process concerning your relationship with the Company (including, without limitation, staff from Compliance, Legal, Audit and Security);
- system administrators; and
- where necessary for the performance of specific tasks or system maintenance by staff in teams such as the Finance and IT departments.
Personal information may also be shared inside of the Company between certain interconnecting IT systems.
In addition, where relevant, certain basic personal information (which may include your name, location, job title, contact information and any published skills and experience) may also be accessible to the Company’s employees for the purposes set out in this Notice.
External recipients of your personal information may include:
- service providers;
- tax authorities;
- regulatory authorities;
- our insurers;
- IT administrators;
- consultants and other professional advisors;
- payroll providers;
- administrators of our benefits programs; and
- our Customers.
Personal information contained in our IT systems may be accessible by providers of those systems, their associated companies and sub-contractors (such as those involved with hosting, supporting and maintaining the framework of our HR information systems).
We expect these third parties to process any data disclosed to them in accordance with the contractual relationship we have with them and applicable law, including with respect to data confidentiality and security.
In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
Is any of my personal information transferred overseas?
We share your personal information within ARA Ltd as set out in this Notice. Some of the people who access your personal information may not be in the same country as you and may be outside of the EEA.
Any transfers within ARA Ltd will be covered by an intra-group agreement which gives specific contractual protections to ensure that your personal information receives an adequate and consistent level of protection wherever it is transferred within ARA Ltd.
In addition, some of the external organisations we share your personal information with may be located outside of the EEA. We will always take steps to ensure that any transfer of information outside the EEA is carefully managed to protect your privacy rights:
- we will only transfer personal information to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights,
- transfers to service providers and other third parties will be protected by contractual commitments (such as the European Commission-approved Standard Contractual Clauses), certification schemes (for example, the EU – U.S. Privacy Shield for the protection of personal information transferred from within the EU to the United States of America) or other legally acceptable mechanisms that ensure an adequate level of protection, and
- any requests for information we receive from law enforcement or regulators will be carefully checked before personal information is disclosed.
If you have any questions regarding overseas transfers, please contact us for further details.
How long do you retain my personal information?
We will retain your personal information for as long as is reasonably necessary for the purposes explained in this Notice.
In some circumstances we may retain your personal information for longer periods of time than is needed for those purposes described in this Notice. For instance: where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.
We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping personal information as current as possible, securely deleting records and irrelevant or excessive data, and storing information anonymously or in a manner which no longer identifies you.
How do you manage the personal information about other individuals, other than myself?
Apart from personal information relating to you, you may also provide us with personal information of third parties, for instance, your family or dependants, or your colleagues. Where this may be the case, we have set this out in this Notice.
Before you provide information about others to us, you must first inform these individuals that you intend to provide their details to us and of the processing to be carried out by us, as detailed in this Notice.
What are my rights?
Right to access and correct your personal information
The Company aims to ensure that all personal information is correct. You also have a responsibility to ensure that changes to your personal information are notified to the Company as soon as possible so that we can ensure that your data is up-to-date.
You have the right to request access to any of your personal information that the Company may hold, and to request correction of any inaccurate data relating to you.
You should note that we do not always need to comply with your requests, but we will ensure that this is explained to you if this is the case.
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the reason or legal ground for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to the Company in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to rectify or erase personal information
You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.
You can also request that we erase your personal information in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- you have made a successful objection (see right to object); or
- it has been processed unlawfully; or
- it is necessary to comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims.
Right to restriction of processing
You have the right to restrict our processing of your personal information but only where:
- you contest the accuracy of the personal information, pending us taking sufficient steps to correct or verify its accuracy;
- the processing is unlawful but you do not want us to erase the data;
- we no longer need the personal information for its original purpose, but we require it for the establishment, exercise or defence of legal claims; or
- you have objected to processing justified on legitimate interest grounds (see below), pending verification as to whether the Company has compelling legitimate grounds to continue processing.
Where personal information is subjected to restriction in this way, we will only process it with your consent; for the establishment, exercise or defence of legal claims; or to protect the rights of another natural or legal person.
Right to withdraw consent
Where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by (i) in some cases deleting the relevant data from the relevant IT system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our policy) or (ii) contacting us.
Right to object to processing justified on legitimate interest grounds
Where the reason for processing your personal information is our legitimate interests, you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as the legal ground for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Right to object to automated decision making
You have the right to object to any decision that significantly affects you being taken solely by a computer or other automated process. In such a case, you have the right to obtain human intervention, to express your point of view, and to contest the automated decision.
Right to object to how we use your personal information for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the EEA. We may redact data transfer agreements to protect commercial terms.
Right to complain to a supervisory authority
You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the processing of your personal information infringes applicable law.
For further information regarding your rights, or to exercise any of your rights, please contact us.
How do I exercise my rights?
If you wish to exercise your rights, you should contact us or make contact with your usual ARA Ltd contact or manager.
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.
We will not ask for a fee, unless we think your request is unfounded, repetitive or excessive. Where a fee is necessary, we will inform you before proceeding with your request.
We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way.
What if I want more information?
If you are not satisfied with the level of information provided in this Notice, you can ask us about your personal information using the details provided.
How do you manage changes to this Notice?
We may amend this Notice from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business.
This notice should be read in conjunction with the Overview.
We will process personal information that you provide to us through your use of www.ara.co.uk (the Website).
Generally, you can visit the Website without revealing who you are, or disclosing any personal information about you. However, there may be times when we require personal information about you or when you wish to disclose such personal information to us. Such personal information is obtained only when voluntarily submitted by you.
Use of the Website
What processing activities do you undertake that include my personal information?
If you provide us with personal information through the Website, we will process your personal information in order to:
- allow you to participate in the registration-only features of the Website and to download relevant brand content, when you choose to do so
- ensure that content from the Website is presented in the most effective manner for you and for your computer
- provide you with information that you request from us or which we feel may interest you
- notify you about changes to the Website and branding which may be relevant to you
- serve you with relevant advertising on third party websites, such as Google, YouTube and LinkedIn
What categories of personal information are included in these processing activities?
We process Website information in connection with this activity.
What is the reason for these processing activities?
We use this personal information to provide services that you request under an agreement between us or take steps you request prior to entering into such an agreement.
In addition, this personal information is necessary to improve the Website and provide a better service and source of information to you.
What are the legal grounds you rely on to carry these out?
This processing is necessary to take steps at your request to enter a contract with you.
This processing is necessary for the purpose of the legitimate interests pursued by the Company.
(See “What are the legal grounds for processing personal information?” in the Overview section.)
What are the ‘legitimate interests’ referred to above?
The Company considers that it has a legitimate interest in managing and operating its business. This includes undertaking promotional activities and managing an online presence.
To the extent that you did not get this personal information from me, how did you collect this information?
We may receive information from other sources as set out in this Notice (see “Where do you get my personal information from?” in the Overview section).
Who do you share this personal information with?
Your personal information is shared internally, as set out in this Notice (see “When do you share my personal information with others?” in the Overview section).
In addition, some of your personal information will be shared externally with our partners as needed and as otherwise set out in this Notice (see “When do you share my personal information with others?” in the Overview section).
Glossary of Terms
Automated decision making
Means a decision made by automated means without any human involvement.
Means a natural or legal person (such as a company) which determines the means and purposes of processing of personal information. For example, ARA Ltd the entity which contracts with you will be your data controller as it determines how it will collect personal information from you, the scope of data which will be collected, and the purposes for which it will be used.
Means a natural or legal person (such as a company) that is responsible for processing personal information on behalf of a controller.
Means the European Economic Area, which includes all EU countries and also Iceland, Liechtenstein and Norway.
Are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
GDPR and applicable local law
Means the General Data Protection Regulation (GDPR), which is the law governing data privacy in the European Union, and the applicable data protection law in each jurisdiction. These laws apply to our processing and management of your personal information within the EU countries.
Is information that relates to a living individual. It includes information that may identify a person by name and contact details, or refer to associated information such as account activity, or personal preferences that can directly or indirectly identify an individual.
Means any and all actions we take with respect to your personal information, including (without limitation) managing, viewing, holding, storing, deleting, changing, using and saving.
Special category personal information
Means any personal information relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Categories of personal information
The following definitions are not exhaustive and are intended to illustrate the types of personal information that we process with reference to the broad categories described below.
Business information: your business contact details (e.g. address, telephone number, e-mail), your job title, your employer and any other relevant information
Contact information: home address, email address and telephone number/s
Data related to your employment with the Company: work contact details (e.g. address, telephone number, e-mail), work location default hours, default language, time zone and currency for location, your worker ID and various system IDs, your performance review information, your work biography, your reporting line, your employee/contingent worker type, your hire/contract begin and end dates, your cost centre, your job title and job description, your working hours and patterns, whether you are full or part time; your termination/contract end date; the reason for termination; your last day of work; exit interviews, references, status (active/inactive/terminated); position title; the reason for any change in job and date of change; your benefit coverage start date
Employment claims, complaints and disclosures data: termination arrangements and payments, subject matter of employment based litigation and complaints, employee involvement in incident reporting and disclosures
Financial data: credit card information, bank account details and other relevant information about your payment information
HR processes data: allegations, investigations and proceeding records and outcomes, colleague and line management feedback, appraisals, talent programmes, formal and informal performance management processes, flexible working processes, restructure and redundancy plans, consultation records, selection and redeployment data, health and safety audits, risk assessments, incident reports, data relating to training and development needs or training received
Identity information: your title, forename and surname, preferred name, photographic images and any additional names
Immigration information: gender, nationality, second nationality, civil/marital status, date of birth, age, national ID number, immigration data, languages spoken and next-of-kin/dependent contact information
Leave information: absence records (including dates and categories of leave/time-off), holiday dates and information related to family leave
Monitoring data (to the extent permitted by applicable laws): Closed Circuit television footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programmes and filters
Share information: number of shares held, date joined the register, date left the share register, dividends paid/not cashed; bank mandate details; share transactions; nationality and AGM / Proxy voting
Staff related data: your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, gender, nationality, second nationality, civil/marital status, date of birth, age, home contact details (e.g. address, telephone number, e-mail), national ID number, immigration and eligibility to work data, languages spoken, next-of-kin/dependent contact information, passport details, driving licence and car registration details
Recruitment data: qualifications, references, CV and application, interview and assessment data
Regulatory data: records of your registration with any applicable regulatory authority, your regulated status and any regulatory references
Remuneration and benefits data: your remuneration information (including salary/hourly plan/contract pay information as applicable, allowance, bonus and merit plans), bank account details, grade, social security number, tax information, third party benefit recipient information
Vetting data: vetting and verification information, including results of any background or other checks.
Website information: this includes data that you provide by filling in forms on the Website, including data provided at the time of registering to use the registration-only sections of the Website (such as our careers and brand sections); any personal information requested from you by the Company (such as when you report a problem with the Website); if you contact us, in writing, by email or other electronic means through the Website, we may keep a record of that correspondence; and details of your visits to the Website including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.