Privacy Policy - Clients

PRIVACY INFORMATION NOTICE - CLIENTS

We are Peninsula Business Services Ltd (“Peninsula”), part of The Peninsula Group. In accordance with the General Data Protection Regulation (GDPR), Peninsula has implemented this privacy information notice to inform you, our current and former clients, of how Peninsula uses the personal data we collect from you.

When delivering our professional services such as employment law advice, health and safety services and legal representation, we are a Data Controller of the personal data that you supply to us under your contract with us.  When delivering our online platforms, such as BrightSafe, we are a Data Processor.

We take our data protection responsibilities seriously and have data processing terms already in place in the terms and conditions of the BrightSafe product, so we do not need a separate data processing agreement for this platform.

All employees that handle your personal data are trained in ensuring data is processed in line with the GDPR.

DATA PROTECTION PRINCIPLES

We will ensure that we:

• Process all personal data lawfully, fairly and in a transparent manner;
• Collect personal data for a specified, explicit, and legitimate purpose;
• Ensure the personal data we process is adequate, relevant and limited to what is necessary for the purposes for which it was collected;
• Ensure the personal data is accurate and up to date;
• Keep your personal data for no longer than is necessary for the purposes for which it was collected;
• Keep your personal data secure using appropriate technical or organisation measures.

TYPES OF DATA HELD

We hold the following types of data:

• Personal details such as name, address, phone numbers, job title, email addresses for the main contact and other contacts for the delivery of the service.
• Personal details such as name, address, phone numbers, job title, email addresses, job description, salary, disciplinary and grievance records, annual leave records, sickness, family related leave, appraisal, performance information provided to us for the delivery of the service.
• Gender, marital status, race, religion, trade union membership, information of any disability that employees may have or other medical information that is supplied to us for the purposes of delivering the service (advice, litigation etc).
• IT service use including online service access records.

COLLECTING YOUR DATA

You provide several pieces of data to us directly when the contract is signed, during the onboarding process, during the contract and after the contract has ended.

We use a variety of computer systems to store client data, process it and make use of it for the provision of our services.

LAWFUL BASIS FOR PROCESSING

The information below categorises the types of data we process and our lawful basis for doing so.

Activity requiring your data	Lawful basis
Set up your account	Performance of the contract
Carry out the delivery of the services you have on your account	Performance of the contract
Ensuring payments are made under your account	Performance of the contract
Ensuring VAT and insurance premium tax is paid	Legal obligation
Carrying out checks in relation to your company status and validating the information supplied to us	Legal obligation
Making financial decisions in relation to entering both initial and subsequent contracts	Our legitimate interests
Making decisions about service delivery methods	Our legitimate interests
Ensuring efficient administration of contractual services to you	Our legitimate interests
Effectively monitoring the service provided including adherence to commitments and service entitlements	Our legitimate interests
Maintaining up to date records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in place	Our legitimate interests
Dealing with legal claims made against us	Our legitimate interests
Preventing fraud	Our legitimate interests
Ensuring our administrative and IT systems are secure and robust against unauthorised access	Our legitimate interests
Recording of calls for training, monitoring & dispute resolution	Our legitimate interests

SPECIAL CATEGORIES OF DATA

Special categories of data are data relating to:

• Health
• Sex life
• Sexual orientation
• Race
• Ethnic origin
• Political opinion
• Religion
• Trade union membership
• Genetic and biometric data

We process special categories of data when:

• you have given explicit consent to the processing;
• we must process the data in order to carry out our legal obligations;
• to protect your vital interests or for reasons of substantial public interest;
• you have already made the data public.     

SOURCE OF DATA

The personal data that we hold about you will be received from yourself or others in your business during the onboarding process and during the lifetime of your account.

Peninsula receives referrals from other clients and purchases marketing lists from 118 Data Resource Ltd. More details about the data handling practices for 118 Data Resource Ltd are available on their website http://www.118information.co.uk/privacy/

CRIMINAL CONVICTION DATA

We will only collect criminal conviction data where it is appropriate to the provision of the services that you are contracted to receive.

WHO WE SHARE YOUR DATA WITH

Peninsula Business Services Ltd is one of several companies in The Peninsula Group. Several parts of The Group might be involved in delivering services to you. Data will be shared with these other companies to facilitate the delivery of all the services you are contracted to receive.

We will occasionally contact you regarding new and existing services that you do not currently receive that we think may help you. You have the right at any time to stop us contacting you regarding other products and services. Please email [email protected] and ask for your contact details to be suppressed, and we will opt you out of marketing contact, or click on the ‘unsubscribe’ option on the bottom of our emails.

Data leaves the ROI in the following circumstances:

1) We offer a transcription service, currently provided by a trusted third party. Some of the transcribers are in the EEA and some are outside the EEA. If you do not use the optional transcription service, your data will not be sent to the transcribers.

2) We make use of offsite servers (“cloud service providers”).

PROTECTING YOUR DATA

We have an Information Security Team dedicated to protecting our IT assets, which includes ensuring all our systems are robustly secured.

RETENTION PERIODS

Record	Recommended Retention Period
Assessments under health and safety regulations and records of consultations with safety representatives and committees	Permanently
Money purchase details	Six years after transfer or value taken
Health data	30 or 50 years
Litigation cases	Seven years from the conclusion of the litigation case
All other data	Seven years from the date the service contract with us terminates

CLIENT RIGHTS

You have the following data protection rights:

1. To be informed via Privacy Information Notices such as this;
2. Withdraw consent – if we rely on your consent to process your data then you can remove that at any point;
3. Request access to the data we hold on you;
4. Request rectification of any inaccuracies in the data we hold on you, however they come to light, to be corrected;
5. Request erasure of data in certain circumstances;
6. Restrict the processing of the data;
7. Request a transfer of the data we hold on you to another party;
8. You may object to your information being used for marketing purposes;
9. And finally, to regulate any automated decision-making and profiling of personal data. Please note, however, that no decisions will be made about you by Peninsula solely on the basis of automated decision making.

MAKING A COMPLAINT

If you have a concern regarding data protection or your GDPR rights, please contact us in the first instance so that we can investigate. Our address and email address are above. Please set out the nature of your concerns, provide your client account number and we will investigate.

If you are unhappy with our response to your request, the regulator of data protection in Ireland is the Data Protection Commission (DRC).

You can find more information about your rights at https://www.dataprotection.ie

The DPC can be contacted on +353 761 104 800.