1.1. In this Data Processing Addendum:
1.1.1. Terms such as “process/processing”, “data subject”, “processor”, “controller”, “personal data”, “personal data breach” and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.1.2. “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in the Annex to this Data Processing Addendum (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Controller in accordance with section 6.1;
1.1.3. “EEA” means the UK or the European Economic Area;
1.1.4. “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation);
1.1.5. “Sub-processor” means any data processor (including an affiliate of Shepper) appointed by Shepper to process personal data on behalf of the Controller.
2.1. This Data Processing Addendum shall apply where, in the course of providing the Service, Shepper processes any Personal Data as processor on the Customer’s behalf.
3.1. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in the Annex to this Data Processing Addendum.
3.2. The Customer warrants that it has all necessary rights to provide the Personal Data to Shepper for the purposes of the performance of the Service.
4.1. Shepper shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorised Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
4.2. Shepper shall take reasonable steps to ensure the reliability of any employee, agent, contractor and Authorised Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes of the performance of this Agreement in the context of that person’s or party’s duties to Shepper.
4.3. Shepper shall ensure that all such persons or parties involved in the processing of Personal Data:
4.3.1. are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
4.3.2. have undergone adequate training in the use, care, protection and handling of Personal Data.
5.1. Shepper shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.
6.1. Subject to section 6.3, the Customer provides its general authorisation to Shepper to engage any Sub-processor selected by Shepper.
6.2. As at the date of this Data Processing Addendum, Shepper has engaged those Sub-processors set out in the Annex to this Data Processing Addendum (Authorised Sub-processors). Shepper shall give the Customer not less than thirty (30) days’ prior written notice of any intended change concerning the addition or replacement of a Sub-processor, thereby giving the Customer the opportunity to object to such changes. Each such notice shall include details of the processing activities to be undertaken by the additional or replacement Sub-processor and the identity and location of the Sub-processor.
6.3. With respect to each Sub-processor, Shepper shall:
6.3.1. carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Data Processing Addendum;
6.3.2. include terms in the contract between Shepper and each Sub-processor which are equivalent to those set out in this Data Processing Addendum, and shall supervise compliance thereof;
6.3.3. remain fully liable to the Customer for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
7. DATA SUBJECT RIGHTS
7.1. Shepper shall without undue delay notify the Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of GDPR, and shall provide full details of that request.
7.2. Shepper shall co-operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this Agreement.
8. INCIDENT MANAGEMENT
8.1. In the case of a Personal Data Breach, Shepper shall without undue delay notify the Personal Data Breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1. Shepper shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Shepper on behalf of the Customer and taking into account the nature of the processing and information available to Shepper.
10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
10.1. Shepper shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of Personal Data by Shepper; or (ii) termination of this Agreement, at the choice of the Customer either:
10.1.1. return a complete copy of all Personal Data to the Customer by secure file transfer in such format as notified by the Customer to Shepper and securely wipe all other copies of Personal Data processed by Shepper or any Authorised Sub-processor; or
10.1.2. securely wipe all copies of Personal Data processed by Shepper or any Authorised Sub-processor,
and in each case provide written certification to the Customer that it has complied fully with this section 10.
11. AUDIT RIGHTS
11.1. Shepper shall make available to the Customer on request all information necessary to demonstrate compliance with this Data Processing Addendum and Data Protection Laws and allow for and contribute to audits, including inspections by the Customer or an independent auditor mandated by the Customer of any premises where the processing of Personal Data takes place.
11.2. Shepper shall permit the Customer or an independent auditor mandated by the Customer during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of Data Protection Laws and this Data Processing Addendum are being complied with.
11.3. Shepper shall provide reasonable co-operation to the Customer in respect of any such audit and shall, at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Data Processing Addendum and Data Protection Laws.
12. INTERNATIONAL TRANSFERS
12.1. Shepper shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the UK or the EEA without an adequate level of protection unless Shepper provides appropriate safeguards (such as entering into (or procuring that any relevant Sub-processor of Shepper enters into) an agreement with the Customer on Standard Contractual Clauses (as adopted by the European Commission)), and on condition that enforceable data subject rights and effective legal remedies for data subjects are available in accordance with Article 46 GDPR.
13.1. Shepper shall be entitled to charge the Customer reasonable costs based on its standard billing rates for providing any support or carrying out requests made under this Data Processing Agreement.
|Subject-matter of the processing|Processing for the purposes of provision of the Service|
|Duration of the processing|For the term of this Agreement|
|Nature and purpose of the processing|Processing for the purposes of provision of the Service|
1.1 Shepper Limited and its group companies (“we”, “our” or “us”) provide this Data Privacy Statement to inform our contractors of our policy relating to the processing of their personal information.
1.2 This statement sets out the basis on which we will process your personal information. Please read it carefully to understand our practices regarding your personal information and how we will use it.
1.3 This statement does not form part of any contract of employment or contract to work or provide services and may be amended at any time.
2. About us
2.1 We are the data controller of the personal data of contractors, and are subject to applicable data protection laws.
If you have any questions about this data privacy statement or your Information, or wish to exercise any of your rights as described in this statement or under applicable data protection laws, you can contact our Operations team:
By email: email@example.com
By phone: 0345 3194535
3. What types of data are protected
3.1 Personal data
This Data Privacy Statement applies to your “personal data”, which is any information relating to you as an identified or identifiable person. This data is referred to in this Data Privacy Statement as “Information”.
3.2 Special categories of personal data
Within the broad range of personal data, the following are “special categories of personal data” which are subject to a greater degree of protection:
- physical or mental health;
- racial or ethnic origin;
- political opinions;
- trade union membership;
- religious beliefs;
- sexual life; and
- genetic and biometric data.
4. What information we collect
4.1 Information you give us
4.1.1 You may give us Information by filling in forms online or by corresponding with us by phone, email, in person, or otherwise. This includes Information you provided when you first applied to work with us.
4.1.2 To assist us in complying with our obligation to maintain accurate Information, you should immediately notify the Operations team in writing of any changes to your personal details. Such changes may include, but are not limited to:
- your name, change of address, phone number or mobile phone number;
- your nationality or immigration status;
- any change of address, phone number etc.;
- your bank details.
Failure to comply with this requirement may constitute a disciplinary offence.
4.1.3 Where you have notified us or we otherwise become aware of an inaccuracy in Information, we will take steps to ensure that Information is erased or rectified without delay.
4.2 Information we collect about you
4.2.1 We collect Information to operate our business and manage your work (where applicable), to meet service level agreements (SLAs) and to comply with our legal and regulatory obligations as a contracting party.
4.2.2 We may collect, store and use Information relating to your use of our IT systems.
4.2.3 The Information that we may collect about you includes, but is not limited to, the following:
- home address;
- contact details (such as phone numbers and email addresses);
- copies of your passport, driving licence and similar documents;
- languages spoken and level of proficiency;
- IP addresses.
4.3 Using your information to target online advertising at other prospective Shepherds
When we advertise on the internet for the recruitment of Shepherds, we may share your information with our advertising partners, so that they can target our ads at their other users who have a similar profile to you. For example, when we use social media for marketing purposes, your name and other identifiers such as your email address may be shared with the social media platform, so that they can check if you also hold an account with them. If you do, we may ask the advertising partner or social media network:
- to exclude you from receiving our adverts (as you are already a Shepherd!);
- to advertise to people who have a similar profile to you, e.g. if we believe that the idea of becoming a Shepherd will appeal to people with similar interests to the ones on your social media profile, we may ask our advertising partner to send our adverts to people who share your interests.
You can contact us to object to us sharing your personal data in this way for online advertising. Social media platforms also allow you to indicate your preferences to them about the advertising you receive on their platforms. Please contact your social media platforms for more information.
4.4 Special categories of personal data
Information includes such “special categories of personal data” (see the description provided above).
5. Information provided by third parties
5.1 We may also collect Information from external sources, such as those that are commercially available to us.
5.2 Some of the Information we collect (as described in section 4), and additional Information, may be provided to us by recruitment agencies with whom you have registered an interest. Such recruitment agencies support our recruitment processes under a duty of confidentiality.
5.3 We may also receive Information from organisations such as credit reference agencies, fraud prevention agencies and referees.
6. Data relating to criminal convictions & offences
6.1 We may also collect and store personal data relating to criminal convictions and offences. This data is only processed:
- if you have given your consent to the processing; or
- if it is necessary for the purposes of performing or exercising our or your obligations or rights under law; or
- if it is necessary for the prevention or detection of an unlawful act and it is necessary for reasons of substantial public interest; or
- in connection with any legal proceedings (including prospective legal proceedings) and/or the obtaining of legal advice.
7. What we do with your information and on what basis
7.1 We process Information (other than special categories of personal data) for the reasons listed below. The legal justification for the processing of the Information is, in each case, one or more of these reasons. Specific examples are given – some of which may overlap, as there may be more than one reason for processing Information.
7.2 Processing is necessary for the performance of your contract
We have obligations towards you under the terms of your contract (for example, we are contractually obliged to pay you any money due under your contract). Equally, you have contractual obligations to us, both as part of entering into your contract and in the ongoing performance of it. In order for us to ensure that both we and our contractors can perform our contractual obligations, we may process Information for the following purposes (where applicable):
- onboarding processes (e.g. communicating with you in relation to your application);
- considering your suitability for work, taking up your references and conducting appropriate checks;
- induction processes;
- complying with our legal and regulatory obligations;
- training and training records;
- payment processes and administration of your contract;
- monitoring SLAs;
- Shepper’s Strike Policy;
- criminal records checks;
- undertaking business analysis activities.
7.3 Where we have a legal or regulatory obligation
UK and EU law and certain rules and regulations require us to process Information in order to comply with our legal or regulatory obligations. In order for us to do so, we may process Information for the following purposes (where applicable):
- preventing illegal working;
- complying with health and safety obligations;
- ensuring the safety and security of our systems;
- carrying out equal opportunities monitoring;
- responding to government statistical monitoring (Office for National Statistics);
- assessing Fitness and Propriety of individuals for regulatory purposes;
- providing regulatory references; and
- communicating with the PRA, FCA or other public or regulatory bodies.
7.4 Where we have a legitimate interest
7.4.1 Data protection law allows us to process Information where it is necessary for the purposes of our legitimate interests. We consider it to be in our legitimate interests to process Information for the following purposes:
- onboarding processes (including negotiation and communicating with you in relation to your application);
- considering your suitability for work, taking up references, and conducting appropriate checks;
- administering our IT system including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- dealing with any legal disputes involving you or other current, prospective or former contractors;
- improving our IT system to ensure that content is presented in the most effective manner for you and for your computer, mobile device or other item of hardware through which you access our IT system;
- ensuring the safety and security of those working for us;
- as part of our efforts to keep our IT system safe and secure and to monitor compliance with our related policies;
- reporting to government entities.
7.5 If you do not agree with the processing of Information on the basis that it is in our legitimate interests to do so, please inform us using the contact details at the beginning of this Data Privacy Statement, following which we shall cease to process Information for that purpose, unless certain exceptions apply: see “Right to object to processing in certain circumstances” under “Your rights” below.
7.6 Special categories of personal data
7.6.1 We may process “special categories of personal data” for the purposes of:
- performing or exercising our or your obligations or rights under law, including for assessing suitability for particular jobs and considering whether adjustments may need to be made to accommodate an individual with a disability;
- where it is in the public interest, such as for equal opportunities monitoring;
- establishing, bringing or defending legal claims.
7.6.2 We may also process “special categories of personal data” in other limited circumstances, with your explicit written consent. We do not need your consent to process “special categories of personal data” in circumstances where we already have a legal right to do so and we carry out such processing in accordance with this statement. If we do ask you for your written consent, we will provide you with full details of the information we are seeking from you and the reason why, in order for you to make an informed decision. It is not a condition of your contract that you agree to any such request by us.
8. Disclosure of your information to third parties
8.1 For the purposes set out in section 7 above, we may share Information with:
- our group companies;
- professional advisors (including lawyers, accountants and auditors);
- legal and regulatory authorities such as the PRA and FCA; and
- HM Revenue & Customs and other government/state related entities.
8.3 We may also disclose Information to third parties where it is in our legitimate interest to do so, including for the following reasons:
- in the event that we sell or buy any business or assets, in which case we may disclose Information to the prospective seller or buyer of such business or assets; or
- if we are under a duty to disclose or share Information in order to comply with any legal obligation.
8.4 Save as set out in this Data Privacy Statement, or as required by law, we do not sell Information or disclose it to any third parties without your consent.
9. Policies and procedures
9.1 We have a number of additional policies, which are updated from time to time, in relation to data privacy and data security. Please familiarise yourselves with these additional policies. If you have any questions about such policies and procedures, you should speak to the Operations team.
9.2 Any new or updated policies or manuals will be communicated to you by email, or any other appropriate method.
10. Security of your information
10.1 We are committed to ensuring that your Information is safe and we will take all steps reasonably necessary to ensure that your Information is treated securely and in accordance with this Data Privacy Statement.
10.2 All Information you provide to us electronically is stored on our secure servers within the United Kingdom and the U.S.A.
10.3 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our IT system, you are responsible for keeping this password confidential. We ask you not to share your passwords with anyone.
10.4 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Information, we cannot guarantee the security of your Information transmitted to or stored on our IT system, and any transmission is at your own risk. Once we have received your Information, we will use strict procedures and security features to try to prevent unauthorised access.
11. How long we keep your information
We will keep your Information for as long as necessary to fulfil the purposes described in this Data Privacy Statement or in the terms of your contract, or for as long as we are required to do so by law or in order to comply with a regulatory obligation.
12. Your rights
12.1 Access to your Information and updating your Information
- You have the right to access Information that we hold about you, subject to certain limited exceptions provided by law. If you so request, we shall provide you with a copy of Information which we are processing and hold about you (“data subject access request”). Further details about data subject access requests can be found in our Data Protection Policy. For any further copies which you request, we may charge a reasonable fee based on administrative costs.
- You also have the right to receive such Information in a structured and commonly used format so that it can be transferred to another data controller (“data portability”).
- We want to make sure that your Information is accurate and up to date. You may ask us to correct or remove information which you think is inaccurate.
12.2 Right to object to processing in certain circumstances
You also have the right to object, on grounds relating to your particular situation, at any time to the processing of your Information which is based on our legitimate interests. Where you object on this ground, we shall no longer process your Information unless:
- the processing is nevertheless necessary for the performance of your contract or contract to work or provide services; or
- the processing is necessary for the establishment, exercise or defence of legal claims; or
- we have a legal or regulatory obligation for which the processing of the Information is necessary; or
- we can demonstrate that our legitimate interest is sufficiently compelling to override your fundamental rights and freedoms.
12.3 Your other rights
12.3.1 You also have the right to request that we rectify your Information if it is inaccurate or incomplete.
12.3.2 In certain limited circumstances, you have the right to request the erasure of your Information (‘right to be forgotten’).
13. Exercising your rights
13.1 You can exercise any of your rights as described in this Data Privacy Statement and under data protection laws by contacting us via the details given in the “Contacting us” box above.
13.2 Save as described in this Data Privacy Statement or provided under data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee, taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
13.3 Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.
14. International transfers
14.1 As we are an international organisation, authorised personnel may access your Information in any country in which we operate. Therefore, it may be necessary to transfer your details to members of our group located in countries that may not offer equivalent data protection or privacy laws to those in the UK or the EU.
14.2 Regardless of where your Information is transferred, we shall ensure that your Information is safe and shall take all steps reasonably necessary to put in place appropriate safeguards to ensure that your Information is treated securely and in accordance with this statement and applicable law. Details regarding these safeguards can be obtained from the Operations team, whose details are given above.
You also have the right to complain to the Information Commissioner’s Office (https://ico.org.uk/) about our data processing activities. The Office has a dedicated helpline at 0303 123 1113.
16.1 This Data Privacy Statement may be amended by us at any time in our sole and absolute discretion. Any changes which may be made to this Statement in the future will be notified to you by email and on our intranet.
16.2 This Data Privacy Statement was last updated on 02nd September 2019.