HR PRIVACY NOTICE

1. Introduction

1.1 Superdry holds and processes data on all current and former employees, workers, contractors, applicants, interns, agency workers, consultants and directors. Your personal data will be treated in a secure and confidential manner. This Privacy Notice describes the categories of personal data we may process, how your personal data may be processed, and for what purposes we process your data. It does not form part of your contract of employment or engagement.

1.2 Superdry plc will be the data controller of your personal data, or (if you are an employee or contractor) Superdry plc or the subsidiary company named in your employment contract or contract for services.  

1.3 If you have any questions about this Privacy Notice please contact your HR representative.

2. What data do we process?

2.1 We may collect the following types of personal data:

2.1.1 Personal details: title, name, gender, nationality, civil/marital status, date of birth, age, contact details, national ID number, immigration and eligibility to work, driving licence, next‑of‑kin and emergency contact information, any disability and any reasonable adjustments required, professional status. 

2.1.2 Recruitment: skills, experience, qualifications, references, CV, application, interview and assessment, vetting, right to work, outcome, offer.

2.1.3 Engagement: contract and terms of employment or engagement, work contact details, employee number, photograph, location, hours, system IDs, department, manager, start/end dates, job title and description, grade.

2.1.4 Remuneration, benefits: remuneration, bank details, social security number, tax code, benefits, expenses, salary sacrifice, childcare vouchers, share scheme.

2.1.5 Leave, absence: attendance records, fit notes, incapacity, work impact and adjustments, treatment and prognosis, return to work, health reports.

2.1.6 Performance, training: feedback, performance reviews, objectives, succession plans, training record.

2.1.7 Disciplinary, grievance: allegations, complaints, investigations, proceedings.

2.1.8 Health and safety: audits, results, risk assessments, incident reports.

2.1.9 Monitoring: CCTV, system/building login and access records, keystroke, download/print records, call/meeting recordings, IT security programmes and filters, substance testing data, credit checking.

2.1.10 Employee claims: litigation and complaints, pre‑claim conciliation, settlement discussions, claim proceedings records.

2.1.11 Equality and diversity: data regarding gender, age, race, nationality, religious belief and sexuality.

2.2 Where permitted by law, we may collect a limited amount of personal data falling into special categories, sometimes called "sensitive personal data". This term includes information relating to: racial or ethnic origin; religious or philosophical beliefs; physical or mental health; trade union membership; sexual orientation; biometric and genetic data; and criminal records and information regarding criminal offences or proceedings.

3. How do we collect data?

3.1 We collect most information directly from you when you complete new starter forms and when you enter data into our systems. Some information comes from your manager or HR.

3.2 We may collect some information from third parties: for example, references from a previous employer or client, medical reports from external professionals, information from tax authorities, or a third party carrying out a background check.

3.3 Data may be collected from monitoring devices, and this data may be collected by us or by the company providing the service. 

4. Purpose and legal basis for processing 

4.1 We process your personal data for various business purposes. Whenever we process your personal data we should have a legal basis or justification for that processing. Normally our processing will be justified by one of the following:

4.1.1 Compliance with a legal obligation.

4.1.2 Performance of your employment contract (or other agreement).

4.1.3 Legitimate interests pursued by us or a third party.

4.1.4 Consent.

4.2 We have identified the purposes for which we process your personal data. These are set out in Appendix 1 together with the legal basis for processing.

4.3 We have also identified the purposes for which we process your special category data. These are set out in Appendix 2 together with the additional legal basis for processing.

5. Automated decision making and profiling

5.1 We undertake a limited amount of automated decision making in our recruitment process to screen out applicants who do not meet our published role requirements and who do not meet our required minimum score.

5.2 We may carry out profiling from time to time related to recruitment, and assessment of performance and potential as part of our appraisal process or other career development programmes. This is not used as the sole basis for any decision.

6. Retention of personal data

6.1 We retain personal data for as long as is required for the purpose we collected it for.  This will usually be the period of your employment/contract with us plus the length of any limitation period, although some data may need to be kept for longer. We may keep some specific types of data (e.g. tax records) for different periods of time required by law. Please see our document retention policy.

7. Disclosures of personal data

7.1 Within Superdry, your personal data can be accessed on a need‑to‑know basis by HR and those responsible for managing you or your relationship with Superdry (including staff from legal, finance and IT). Certain basic personal data (e.g. name, job title, work contact details) may also be accessible to other employees.

7.2 Your personal data may also be accessed by our third party service providers, such as those hosting, supporting and maintaining our HR and IT systems.

7.3 Examples of third parties with whom your data will be shared include tax and regulatory authorities, insurers, bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors, payroll and benefits providers. 

8. International Transfer of Personal Data

8.1 From time to time your personal data will be transferred to other group companies, which may be located within the EU or elsewhere in the world. Personal data may also be transferred to third parties who may have systems or suppliers located outside the EU.

8.2 We will ensure that appropriate safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with data protection laws.

9. Your rights

9.1 Right to access, correct and delete: You have the right to request access to your personal data, and correction of inaccurate data. You have the right to request deletion of irrelevant data. To update your information, log into your account in the Superdry Careers Centre. This is the account you created when you registered your details with us initially. Go to settings, select the Delete Account option to delete your account altogether, or update other information or preferences as per the options displayed.

9.2 Data portability: In certain circumstances, you have the right to receive the personal data you have provided to Superdry in a structured, commonly used and machine‑readable format, and also to require us to transmit it to another controller if technically feasible.  (This applies where we are relying on consent, or where processing is necessary for the performance of our contract as the legal basis for processing, and where that personal data is processed automatically.)

9.3 Right to restriction of processing: You have the right to restrict our processing of your personal data where: (i) you query the accuracy of the data; (ii) the processing is unlawful but you do not want us to delete it; (iii) we no longer need the data, but you need it for a legal claim; or (iv) you have objected to our legitimate interest grounds.

9.4 Right to withdraw consent: Where we rely on your consent to process data, you have the right to withdraw consent at any time.

9.5 Right to object to legitimate interest grounds: Where we rely on legitimate interests to process data, then you have the right to object to processing on those grounds.

9.6 Right to complain: You have the right to complain to a supervisory authority if you think that our data processing is unlawful.

10. General

10.1 If you have any questions, comments or requests relating to this policy, please contact our Data Protection Officer at dpo@superdry.com in the first instance.

10.2 We may change this Privacy Notice at any time, and you will be informed of these changes. This Privacy Notice was last updated and reviewed on 25 May 2018.  

 

Appendix 1 

Purpose for processing

The lawful basis we rely on

Recruitment and selection

Compliance with legal obligations, including to ensure we do not unlawfully discriminate.

Necessary for taking steps at your request to enter into a contract with you.

Necessary for the purpose of our legitimate interests - assessing and comparing candidates and making a fair decision.

Pre-employment screening

Compliance with legal obligations, including establishment of the right to work in the country in which you are employed.

Necessary for the purpose of our legitimate interests - ensuring that candidates do not pose an unacceptable risk to our business or consumers. Criminal records checks are necessary to prevent crime and other unlawful acts and to protect the business from fraud, dishonesty or incompetence.

Job offers, employment contract and on-boarding

Compliance with legal obligations, including issuing written terms of employment, and ensuring we do not unlawfully discriminate.

Necessary to take steps to enter into the contract between us and to perform that contract - we need information to make an offer to you and administer your employment contract.

Necessary for the purpose of our legitimate interests - ensuring effective engagement of staff on appropriate terms, transition into employment maintaining information supplied during recruitment.

Future recruitment opportunities

Necessary for the purpose of our legitimate interests - maintaining an appropriate pool of talent who have shown an interest in the last 6 months in working for us, and who are potentially suitable candidates.

Queries on recruitment decisions

Compliance with legal obligations, including ensuring we are able to demonstrate compliance with data protection and anti-discrimination laws.

Necessary for the purpose of our legitimate interests - to provide feedback to candidates and to be able to defend any challenge or claim made in connection with our recruitment decision.

Providing and administering remuneration, benefits, incentive schemes; reimbursement of business costs and expenses; making tax and social security deductions and contributions

Compliance with legal obligations, including the provision of statutory payments and benefits and complying with the requirements of the tax authorities.

Necessary to perform your contract, to provide and administer the payments and benefits we have agreed to provide to you.

Necessary for the purpose of our legitimate interests – to manage our workforce and operate our business.

Allocating and managing duties and responsibilities

Necessary to perform your contract, to ensure that you carry out the role under your contract of employment.

Necessary for the purpose of our legitimate interests - managing our workforce and operating our business, including effective allocation and organisation of work; ensuring employees have clearly defined duties/responsibilities, and undertake duties with appropriate procedures.

Identifying and communicating effectively with staff; directories and skills databases

Necessary for compliance with our legal obligations, including communication with you as required by employment laws or under our duty of care.

Necessary to perform our contract, so we can operate your contract of employment.

Necessary for the purpose of our legitimate interests: managing our workforce and operating our business, including effective communication; business protection by ensuring that employees can be identified; facilitating effective communication and collaboration between staff.

Conduct, performance, capability, absence and grievance related reviews; allegations, complaints, investigations and processes

Compliance with our legal obligations, including our duty of care towards you, to avoid unlawful dismissal and comply with anti-discrimination laws.

Necessary to perform our contract, where we have committed to comply with certain procedures.

Necessary for the purpose of our legitimate interests in managing our workforce and operating our business - implementing policies and procedures; standards of attendance, behaviour and performance; addressing employee related concerns.

Performance reviews; talent programmes

Necessary for the purpose of our legitimate interests - setting objectives, measuring their achievement; assessing development needs and potential; ensuring an appropriate performance related measure to support fair, consistent, objective performance related reward.

Training, development, promotion, career and succession planning and business contingency planning

Necessary to perform our contract.

Necessary for the purpose of our legitimate interests – managing our workforce and operating our business, including proper training; succession and contingency plans in place; supporting and developing our personnel in their careers.

Consultations or negotiations with staff and representatives

Compliance with our legal obligations, including statutory consultation obligations as required by employment laws.

Necessary for the purpose of our legitimate interests - seeking the views of our workforce on proposals which will impact them.

Conducting surveys for benchmarking and identifying improved ways of working and employee relations and engagement at work

Necessary for the purpose of our legitimate interests - seeking the views of our workforce and giving them the opportunity to raise concerns or suggest improvements.

Absence / medical information regarding physical or mental health for incapacity / permanent disability related remuneration or benefits; fitness for work; return to work; adjustments to duties or the workplace; related management decisions; conduct related management processes

Necessary for compliance with our legal obligations, including health and safety laws, duty of care to staff, providing statutory incapacity benefits, avoiding unlawful dismissal and compliance with disability discrimination laws.

Necessary to perform our contract, including provision of payments and benefits relating to absence or incapacity.

Necessary for the purpose of our legitimate interests - managing and supporting our workforce, managing health and safety risks, supporting the welfare of staff and taking steps to identify and mitigate risks, ensuring fitness for work, managing absence and incapacity.

Restructuring, redundancies, change programmes

Necessary for compliance with our legal obligations, including redundancies and other terminations, consultation, selection and other procedural steps.

Necessary for the purpose of our legitimate interests - making decisions relating to the future of its business in order to preserve its business operations or grow or modernise its business; ensuring appropriate employee engagement in transformation or change proposals.

References

Necessary for the purpose of our legitimate interests and those of potential new employers – provision and receipt of basic employment details for the purposes of confirming a former employee's employment history, including dates of employment, role and reason for leaving.

Email, IT, internet, social media, HR related and other company policies and procedures

Necessary for the purpose of our legitimate interests - managing our workforce and business and protecting them from various risks; putting in place policies and procedures for employees, measuring compliance, detecting breaches and taking action; protection of the IT network, systems and business devices to maintain the integrity and security of data and business information.

Safety and security

Compliance with our legal obligations, including health and safety laws, and our duty of care.

Necessary for the purpose of our legitimate interests – ensuring our business, consumers, employees and systems are protected and that action is taken to mitigate risk. Includes carrying out risk assessments; detecting and preventing crimes or criminal activity or other unlawful or unethical activity; ensuring that only appropriate employees are engaged in our business; providing ways for employees to report compliance issues and the appropriate consideration and investigation of matters drawn to our attention.

Monitoring programmes to ensure equality of opportunity and diversity

Compliance with our legal obligations including anti-discrimination laws.

Necessary for the public interest of ensuring equality of opportunity or treatment between people of different racial or ethnic origins, holding different religious or philosophical beliefs, people with different states of physical or mental health or people of different sexual orientation with a view to enabling such equality to be promoted or maintained.

Necessary for the purpose of our legitimate interests – prevention of discrimination and promotion of an inclusive and diverse workplace.

Undertaking a commercial transaction or service transfer such as a merger/ acquisition or a transfer of employment

Compliance with our legal obligations, including under automatic transfer rules.

Necessary for the purpose of our legitimate interests - making decisions relating to the future of its business in order to preserve its business operations or grow its business or maximise efficiency and effectiveness; ensuring that workforce costs and liabilities are sufficiently understood and ensuring a smooth transition.

Manage and maintain HR records, files and systems

Compliance with our legal obligations including data protection laws.

Necessary to perform our contract including ensuring that the information needed to operate the contract is maintained securely.

Necessary for the purpose of our legitimate interests, including maintaining the integrity and security of data and facilitating records management, ensuring information remains up to date and deleting information when it is no longer required.

Enforcement of legal rights and obligations; legal claims

Compliance with our legal obligations including with employment and health and safety laws and data protection laws.

Necessary to perform our contract including enforcement of our rights under that contract.

Necessary for the purpose of our legitimate interests - protecting our business from breaches of legal obligations owed, and to defend litigation.

Compliance with requests by public authorities, or where required or permitted by applicable laws, court orders, government regulations, or regulatory authorities

Compliance with our legal obligations, where there is a legal obligation to disclose information.

Necessary for the purpose of our legitimate interests in co-operating with relevant authorities, government bodies or regulators for the provision of information where appropriate.

 

Appendix 2 

Purpose for processing

Additional lawful basis for special category data

Work permits, details of residency, proof of citizenship processed to assess eligibility to work

Necessary for the purposes of carrying out the obligations and exercising the rights of you or Superdry under employment law and social protection law. In particular our requirement to check that you are legally permitted to work.

Your racial or ethnic origin, religion, philosophical or political belief, sexual orientation or disability status may be used for the collection of statistical data, or where required to record such characteristics to comply with equality and diversity legal requirements or to keep our commitment to equal opportunity under review

Necessary for the purposes of carrying out the obligations and exercising the rights of you or Superdry under employment law and social protection law. In particular compliance with anti-discrimination legislation.

Necessary for the public interest of ensuring equality of opportunity or treatment between people of different racial or ethnic origins, holding different religious or philosophical beliefs, people with different states of physical or mental health or people of different sexual orientation with a view to enabling such equality to be promoted or maintained.

Health and medical information used to comply with employment, health and safety or social security laws

Necessary for the purposes of carrying out the obligations and exercising the rights of you or Superdry under employment law and social security and social protection law.

To the extent that this data is managed by our occupational health advisers, this processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of treatment.

Trade union membership processed to ensure that your rights connected with trade union membership are complied with

Necessary for the purposes of carrying out the obligations and exercising the rights of you or Superdry under employment law and social protection law. In particular human rights laws relating to freedom of association and assembly, laws relating to our interaction with trade union members.

Dealing with complaints under our grievance, whistleblowing, anti‑bullying and harassment or similar policies and procedures, where such information is relevant

Necessary for the purposes of carrying out the obligations and exercising the rights of you or Superdry under employment law and social protection law. In particular employment laws relating to the effective management of complaints and avoiding unlawful dismissals, anti-discrimination laws and our duty of care to staff.