The purpose of this document is to provide a concise policy statement regarding the General Data Protection obligations of BE Hospitality Solutions Ltd [“the Agency”]. This includes obligations in dealing with personal data, in order to ensure that the organisation complies with the requirements of the relevant Irish legislation, namely the Irish Data Protection Acts 1988 – 2018 and the General Data Protection Regulations (2016/679) [“GDPR”].
The Agency acknowledges that it must comply with the Data Protection principles set out in the relevant legislation. This Policy applies to all Personal Data collected, processed and stored by The Agency in relation to the recruitment of workers from Ireland, service providers and clients in the course of its activities. The Agency makes no distinction between the rights of Data Subjects. All are treated equally under this Policy.
This Privacy Statement sets out how the Agency uses and processes any information that you give to us. We respect your privacy and are committed to protecting your personal information. This Privacy Statement explains how we collect, transfer, process, use and disclose your data and sets out our security practices.
The Agency will take appropriate legal, organisational, and technical measures to protect the personal data which it obtains and processes.
In the course of its daily organisational activities, the Agency acquires, processes and stores personal data in relation to:
In accordance with the Irish Data Protection legislation, this data must be acquired and managed fairly. The Agency is committed to ensuring that all workers recruited shall have sufficient awareness of the legislation and the data points processed and retained by the Agency.
Due to the nature of the services provided by the Agency, there is regular and active exchange of personal data between the Agency and its Data Subjects. The data points required will be determined by the relevant client. In addition, the Agency exchanges personal data with its Data Processors on the Data Subjects’ behalf. Data processors include Zoho Apps and Criteria Corp. Significantly, the Agency is required to collect relevant data for their clients as part of the recruitment process. The information collected is determined by the Client. Whilst certain elements of the data is retained by the Agency in accordance with Employment Agency Act 1971-2019, the Client shall be deemed to be the Data Controller thereafter as they shall be the primary carer for the same.
This is consistent with the Agency’s obligations under the terms of its contract with its Data Processors. This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that an employee is unsure whether such data can be disclosed. In general terms, the Data Subject should consult with the relevant person to seek clarification.
The Agency may collect and process the following applicant personal data:
This information is used to form part of the recruitment service so as to enable the Agency to secure employment for the workers with our clients. In addition, due to passports being the most widespread form of ID worldwide, we retain passport details such as numbers and expiry dates for the purposes of securing visas (if applicable),
The Agency uses, as permitted by law, the personal data relating to its candidates and where necessary their dependents or other contacts provided by them. This includes activities such as:
The legal basis for obtaining and processing the personal data set out above is that it is necessary for the performance of the employment contract with the Agency’s clients and further it is necessary to ensure that the Agency complies with the legal obligations placed upon it by various pieces of legislation.
In the course of its role as Data Controller, the Agency engages a number of Data Processors to process Personal Data on its behalf. In each case, a formal, written contract is in place with the Processor, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Irish Data Protection legislation.
A processor is defined under the GDPR as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, i.e. the Agency in this instance.
The Agency may also engage the services of external medical professionals to examine and issue reports on the health and fitness to work of workers. The personal data disclosed in this regard may include name, address and medical reports. The Agency recognises that any medical history is deemed to be a special category of data. As part of the relationships with their clients, the Agency is required in certain circumstances to furnish copies of any medical statements to the client, if the candidate is deemed to be successful so as to demonstrate that the candidate is in fact fit to perform the services required.
The Agency confirms that any third-party processors engaged will be carefully selected and will be contractually required to use appropriate measures to protect the confidentiality and security of personal data being processed.
Subject to other applicable legal requirements, Please see Schedule 1 for table of retention periods.
Owing to the provisions of the GDPR and the Data Protection Acts 1988- 2018, employees enjoy the following rights -
Right of access – owing to and subject to the limits as set out in the GDPR and the Data Protection Acts, employees have the right to request a copy of the personal data that the Agency holds about them. Any requests in this regard should be addressed to the Agency John Fingleton.
Right of rectification – owing to and subject to the limits as set out the GDPR and in the Data Protection Act 2018, employees have a right to correct data that the Agency holds about them that is inaccurate or incomplete.
Right to erasure – owing to and subject to the limits as set out in the GDPR and the Data Protection Act 2018, in certain circumstances employees can ask for the data we hold about them to be erased from our records.
Right to restriction of processing – owing to and subject to the limits as set out in the GDPR and the Data Protection Act 2018, where certain conditions apply employees have a right to restrict the processing of their personal data.
Right of portability – subject to certain restrictions employees have the right to have the data we hold about them transferred to another organisation where we hold it in electronic form. This right of data portability applies to:
Right to make a complaint -In the event that you wish to make a complaint about how your personal data is being processed by us or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority: Data Protection Commissioner: Office of the Data Protection Commissioner. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 | email [email protected].
The following key principles are enshrined in the Irish legislation and are fundamental to the Agency’s Data Protection policy. In its capacity as Data Controller, the Agency ensures that all data shall:-
1. Data to be obtained and processed fairly and lawfully.
For data to be obtained fairly, the data subject will, at the time the data are being collected, be made aware of:
The Agency will meet this obligation in the following way.
2. Data to be obtained only for one or more specified, legitimate purposes.
The Agency will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which the Agency holds their data, and the Agency will be able to clearly state that purpose or purposes.
3. Data not be further processed in a manner incompatible with the specified purposeS.
Any use of the data by the Agency will be compatible with the purposes for which the data was acquired.
4. Data to be kept safe and secure.
The Agency will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by the Agency in its capacity as Data Controller.
5. Data to be kept accurate, complete and up-to-date where necessary.
The Agency will:-6. Data to be adequate, relevant and not excessive in relation to the purposeS for which the data were collected and processed.
The Agency will ensure that the data it processes in relation to Data Subjects are relevant to the purposes for which those data are collected. Data which are not relevant to such processing will not be acquired or maintained.
7. Data not to be kept for longer than is necessary to satisfy the specified purposes.
The Agency has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format. Once the respective retention period has elapsed, the Agency undertakes to destroy, erase or otherwise put this data beyond use.
8. Data to be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them.
The Agency has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the legislation.
Any formal, written request by a Data Subject for a copy of their personal data will be referred, as soon as possible, to the relevant person, and will be processed as soon as possible. Where a formal request is submitted by a Data Subject in relation to the data held by the Agency, such a request gives rise to access rights in favour of the Data Subject. There are specific time-lines within which the Agency must respond to the Data Subject, depending on the nature and extent of the request. These are outlined in the attached Subject Access Request process document.
The Agency will ensure that, where necessary, such requests are forwarded to the relevant person in a timely manner, and they are processed as quickly and efficiently as possible, but within not more than one month from receipt of the request. An extension to process said request, depending on the complexity of the request, may be applied for.
For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy.
Data |
This includes both automated and manual data. Automated data means data held on a computer or stored with the intention that it is processed on the computer. Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system. |
Personal Data | Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller. (If in doubt, the Agency refers to the definition issued by the Article 29 Working Party and updated from time to time.) |
Processing |
Means performing any operation or set of operations on data, including: -obtaining, recording or keeping data. -collecting, organising, storing, altering or adapting the data. -retrieving, consulting or using data. -disclosing the information or data by transmitting, disseminating or otherwise making it available. -aligning, combining, blocking, erasing or destroying the data. |
Sensitive Personal Data | Sensitive Personal Data A particular category of Personal data, relating to: Racial or Ethnic Origin, Political Opinions, Religious, Ideological or Philosophical beliefs, Trade Union membership, Information relating to mental or physical health, information in relation to one’s Sexual Orientation, information in relation to commission of a crime and information relating to conviction for a criminal offence. |
Data Controller | Data Controller A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed. |
Data Subject | A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly. |
Data Processor | A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment. |
Relevant Filing System | Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable. |
This may include contact details, date of birth, curriculum vitae, work and educational history, referee names, interview notes, photo, behavioural assessments & related documentation etc. Under Employment Equality Acts, 1998 to 2018, For business purposes, for successful applicants retain for two years from termination of employment.
In accordance with S.I. No. 255/1972 - Employment Agency Regulations 1972, all licensed agencies are required to retain the following records:
Whilst no time period is specified under those provisions, such information, which is only analytical in nature, shall be retained by the Agency for up to 3 years, after such information shall be deleted and destroyed.
This may include personal data contained in contracts of employment and all related compensation and benefit documentation. Under Breach of Contract – Statute of limitations 1957, retain for seven years from date of termination where the Agency believes the records may be required to defend litigation. After which duration destroy or else retain for two years for business purposes and after which time destroy.
Proof of residency and legibility to work for the Client. Employment Permit Act 2004 to 2014 provides that employment permit records must be retained for 5 years
These will include duration of employment, remuneration details, and employment permit details. Employment Permit Act 2004 to 2014 provides that employment permit records must be retained for 5 years or a period equal to the duration of employment
These may include medical exam results and occupational health assessments. These will include details regarding date, address, Date of Birth, employee signature. Documents relating to the above are stored on our ATS system Zoho Recruit. There is no statutory period for retention; therefore, the period of retention for such documents will be 36 months.