Data Protection and GDPR Policy
We support small and medium-sized businesses with all aspects of their HR function, including those related to their staff. As such, we are in receipt of various personal data from our clients, as well as other information to enable us to carry out the consultancy work required of us. It is in the nature of our work that client information, including any employee personal data, is kept confidential.
All data is held in a secure location, accessible only by Evolutionhr. All electronic data is held in a secure location, accessed via one of two laptops each with an encrypted hard drive, and only by Evolutionhr and our accredited IT consultant.
As a general rule, it is not our policy to process or hold the personal data of our clients’ employees longer than is necessary to fulfil an immediate need, project or process. However, we set down below our procedure for the different types of data which we may receive in the course of our work:
Mailing list/Contact list:
This list exists for two purposes: invitations to our HR-related seminars and receipt of our e-newsletter. Access to the list is limited to the Director and Senior Consultant. The lawful basis for processing and holding the information regarding those upon this list is their consent. Each individual data subject is listed with a clear indication as to which form of contact they have consented to. All such data subjects are provided with the opportunity to unsubscribe from either or both forms of contact on each occasion that they receive such a communication. In any event, the data held is within the public domain.
The lawful basis for processing this information is our contract with the client in question and also the legitimate interests for doing so.
All information held regarding a client who has not used our services for more than two years is deleted. All information held regarding irregular ad hoc clients or one-off clients is deleted after six months. All information held regarding current retained clients or regular ad hoc clients is held so long as it is required to fulfil our client contract or in their legitimate interests.
Client employee information, including personal data:
The lawful basis for processing such information is legitimate interests. As a rule, we do not hold client employee information. The exception to this would be during an ongoing process, when we may be provided by the client with information regarding an employee within correspondence relating to an incident or issue about which our consultancy is required. Such an activity and related data processing would be at the specific request of the client and with the legitimate interest of carrying out an HR-related procedure or to act in the role of their HR consultant. If we are engaged in an ongoing process, any related data is held on our secure electronic location and any paper records are held in a secure location. Once the project has been completed, this information will be deleted or destroyed. All information will be reviewed before destruction to determine whether there are any special factors that mean destruction should be delayed, such as potential litigation, complaints or grievances, in which case the information will be forwarded to the client for keeping.
Evolutionhr employee information:
All employee information is held with the lawful purposes of fulfilling the contract of employment, such as payroll and benefits administration; or with the lawful purpose of legitimate interests such as emergency contact information to ensure the health and safety of the employees or annual reviews to ensure the ongoing performance and ability to fulfil their role and provide sufficient quality of service to clients. The information held is accurate, relevant and for legitimate purposes, such as payroll and benefits administration. In the event of an employee leaving, their data will be retained for as long as legally required and destroyed thereafter.
Consultant or supplier held information regarding our employees:
We have contacted all our consultants and suppliers to gain their assurance that their policies and procedures with regard to our employee data have been updated to comply with GDPR.