If we plan to use personal data for a new purpose (other than a legal obligation or function set out in law), we will check that this is compatible with our original purpose or get specific consent for the new purpose.
Our contact details:
Name: Good Growth Ltd
Address: 80-83 Long Lane, London EC1A 9ET
Phone Number: +44 (0) 207 183 0964
You are permitted to communicate directly with the DPO verbally, by email or through the messaging platform provided to employees.
Outside the business (potential employees & customers)
Please use the contact information provided above or use the contact page on our website.
Legal obligation: The processing is necessary to comply with the law.
We must collect specific data/information about you in accordance with tax and HMRC legislation. Further detail can be found at https://www.gov.uk/personal-data-my-employer-can-keep-about-me
Potential new employees
Legitimate Interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Website (contact information)
Legitimate interests: processing is necessary to keep in contact with potential customers or anyone who wants to get in touch with Good Growth.
SC (Special Category) data
As a business that employs people, we may be subject to Health Special Category data. This comes in the form of employees disclosing physical or mental disabilities to Good Growth, as well as documented sick days. We do not ask for any form of health information to be disclosed to Good Growth within onboarding or employment. However, we do realise that employees have legal rights to disclose said information if they wish, and as an employer we must comply with the Equality Act within the UK.
Article 6 UK GDPR
Data concerning health | Legal obligation: We do not directly ask for any form of health information; however, if an employee wishes to disclose any physical or mental disability information, we must act in accordance with applicable legislation, e.g. Equality Act.
Article 9 UK GDPR
(b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Data Protection Act 2018
Schedule 1 Special Categories of Personal Data and Criminal Convictions etc data | Part 1 Conditions relating to employment, Health and Research etc.
16. Support for individuals with a particular disability or medical condition (1.c)
An example of processing is a member of staff wishing to disclose any mental or physical disability or medical condition to the business. We as a business have a legal obligation to act in accordance with the Equality Act and provide support where possible to said member of staff.
Who has access to your data?
The authorised individuals/teams allowed to process your PII are:
• HR (known as RevOps)
• Senior Management Team
Retention of your PII
The retention of your PII can be found within our ISMS.online Policies and Controls A.18.1.3: Protection of records.
Generally, this is set at 6 years after you have left the business but is subject to change. If you would like the current retention period, please email your RevOps employment contact.
Your rights as a data subject
Informed: Individuals have the right to be informed about the collection and use of their personal data.
Access: Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
Rectification: The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Erasure: The UK GDPR introduces a right for individuals to have personal data erased in specific circumstances. Please click the link to find out more.
Restrict Processing: Individuals have the right to request the restriction or suppression of their personal data.
Data Portability: Allows individuals to obtain and reuse their personal data for their own purposes across different services.
Object: Allows individuals the right to object to the processing of their personal data in certain circumstances.
Automated decision-making including profiling: Automated individual decision making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual).
Your right to lodge a complaint with the ICO
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO. So please contact us through one of the ways above, or perhaps speak to your account manager in the first instance.
Protection of your personal data is important so we will only process and use this information for the purposes of your employment which includes meeting our information security obligations.
APD (Appropriate Policy Document)
Description of data processed:
We process special category (SC) data about our employees (should they wish to disclose said data, we do not formally ask for it) that is required from us as an employer. This includes information about their health (reported and non-reported sick days off work), physical and/or mental disabilities that our employees wish to disclose. As an employer we must comply with the Equality Act 2010 and will not discriminate or demonstrate unfair treatment on the basis of certain personal characteristics, such as:
• Gender reassignment
• Religion or belief
• Sexual orientation
• Marriage or civil partnership
• Pregnancy and maternity
Special Category Data (SC)
We process special category data in relation to the following purposes in Part 1 of Schedule 1:
– Paragraph 1(1) employment, social security and social protection
SC data is processed for the purposes listed within this document.
We have appropriate technical and organisational measures which meet the requirements of accountability. These include:
– An appointed DPO who reports directly to our highest management level.
– Taking a ‘data protection by design and default’ approach to our activities
– ROPA (Record of Processing Activity) track
– Appropriate technical security controls in relation to the personal data we process
– DPIAs (Data Protection Impact Assessments) are carried out for our high-risk processing e.g. for the SC data mentioned above.
Principle (a): Lawfulness, fairness and transparency
Processing personal data must be lawful, fair and transparent. This is achieved by ensuring processing falls in line with relevant legislation (UK GDPR & DPA Schedule 1 conditions).
We provide clear and transparent information about why we process personal data including our lawful basis for processing in this document and within our Privacy information policy for staff.
Our processing for the purposes of employment relates to our obligations as an employer.
Principle (b): Purpose limitation
We only process PII and SC within the limitations set out legally and contractually.
We are authorised by law to process certain PII such as first name, last name, legal evidence of right to work in the UK (normally collected through an official ID such as a British Passport), to comply with UK right to work and taxation laws.
We will not process personal data for purposes incompatible with the original purpose it was collected for.
Principle (c): Data minimisation
We only gather personal data that is essential for the objectives at hand and that is not excessive. The data we collect is both required and relevant to our goals. We shall delete personal data that has been supplied to us or received by us but is not relevant to our stated objectives.
Principle (d): Accuracy
When we become aware that personal data is erroneous or out of date, we shall take all reasonable steps to ensure that the data is destroyed or corrected as soon as possible, considering the purpose for which it is being processed. We shall publish our decision if we decide not to erase or correct it, for example, because the legitimate basis we depend on to handle the data precludes these rights.
Principle (e): Storage Limitation
All HR-related data is processed in relation to employment and must be stored in line with A.18.1.3: Protection of records within our ISO 27001:2013 certification.
Principle (f): Integrity and confidentiality (security)
The systems that we use allow authorised users (i.e. HR or Finance) to process, edit or erase data at any time.
Integrity and confidentiality are part of the core requirements of ISO 27001 in how we handle information and by extension data, through the systems we use and the processes and procedures we as a company carry out.
This can be found in A.18 Compliance within our PIMS (Privacy Information Management System).