Introduction to this document

GDPR privacy notice - employees, workers and contractors

The GDPR sets out a list of detailed information that must be included in a privacy notice. Our GDPR privacy notice complies with this.

Privacy notice requirements

A compliant privacy notice for the processing of personal data under the EU General Data Protection Regulation (GDPR) is essential. The GDPR says that the information you provide to individuals in your privacy notices must be concise, transparent, intelligible, easily accessible, written in clear and plain language and free of charge. In the context of employment, the groups who will need a privacy notice will be both employees, workers and self-employed contractors and job applicants. Our GDPR Privacy Notice - Employees, Workers and Contractors is for the former category. Our notice provides these individuals with information about how their personal data will be used and is drafted to reflect the types of employee data that employers will typically process and the reasons for processing them. However, it’s not intended to be exhaustive and you will need to adapt it so that it’s relevant to your own specific data processing activities. You need to issue the privacy notice at the point you collect employees’ personal information from them. You must provide it in writing, but an electronic version is acceptable. Make it easily available to all staff, e.g. in a staff handbook, on the work intranet or by e-mail.

Right to be informed

The GDPR generally requires you to provide the following information in your privacy notice:

  • the identity and contact details of the business (as data controller), if you have one, your representative and, where applicable, the data protection officer
  • the purposes for which the personal data will be processed, the legal basis for processing and, where you’re relying on your legitimate interests (or those of a third party) as the legal basis for processing, what those legitimate interests are
  • the categories of personal data and the sources that the personal data originate from, unless they were obtained directly from the data subject
  • the recipients, or categories of recipients, with whom the personal data may be shared
  • details of transfers to non-EEA countries and the suitable safeguards applied
  • the retention period for the data or the criteria to be used to determine the retention period
  • the existence of the data subject’s rights, the right to withdraw consent to processing at any time (where consent is being relied on as a legal basis for processing) and the right to lodge a complaint with the Information Commissioner’s Office
  • whether the provision of personal data is part of a statutory or contractual requirement or obligation, or a requirement necessary to enter into a contract
  • the existence of any automated decision making, including profiling.