Privacy policy for the Ekco employer branding and recruitment
Data Controller: Ekco
Data Protection Responsibility: IMS Audit & Risk Committee (IMS ARC) / Data Protection Officer
About this privacy statement
This privacy statement explains how Ekco collects, handles, stores, uses, and shares your personal information. Ekco acts as a ‘data controller,’ meaning we are responsible for determining the purposes and means of processing your personal data. Under data protection legislation, we are required to inform you of the information set out in this privacy statement.
This notice applies to prospective employees, including contractors, interns, and agency workers. It is important to note that this statement does not form part of any contract of employment or any other agreement for the provision of services
What information does Ekco collect?
What information we collect if you have applied to work at Ekco in any capacity:
Basic Information:
• Your name and personal contact details: This is necessary for us to enter into correspondence with
you or when we need to provide you with information relating to the role or contract.
• Financial information: This is necessary information that might affect your pay or benefits, in order to ensure that you are paid correctly and any requested deductions, such as pension contribution, are made.
• National Social Security information: If you are to be paid directly by Ekco, we will need obtain your PPSN/BSN/National Insurance/Social Security number. date of birth and gender as part of our identification process.
• Employment eligibility: We collect copies of evidence, which you provide, of your eligibility-to-work in the location of your application. We are legally required to collect this information.
Recruitment information:
• Suitability: In order to assess your suitability for the role we will collect information relating to your skills, experience and qualifications.
• Background checks: Information relevant to your employment history, including start and end dates, with previous employers. Information about your criminal record, where permitted by law. If you are successful in your application
If your application is successful, we will request the following:
• Confirmation that you consent to us contacting your referees to verify your suitability for the role.
• Records of your education, professional qualifications, and, where relevant, registration with any applicable regulatory authorities.
• Your consent to conduct background checks in compliance with local laws and regulations
If you are unsuccessful in your application
If you are unsuccessful in your application but pass the interview criteria for the role we may keep your details on a reserve list for a period of 12 months for future similar vacancies.
Why does Ekco process personal data?
Ekco processes personal data to fulfil its contractual obligations and to comply with legal requirements. Specifically, personal data is processed for the following reasons:
To fulfil the employment contract: Ekco needs to process personal data in order to establish and manage the employment relationship, such as providing you with an employment contract, paying your salary, and administering benefits, including pensions.
To comply with legal obligations: Ekco is required by law to process certain personal data, such as verifying your right to work in the EU or UK, deducting tax, ensuring compliance with health and safety regulations, and managing statutory leave entitlements. Additionally, for some positions, it may be necessary to perform background checks to ensure suitability for the role, such as verifying against the Sanctions List.
For legitimate business interests: In other situations, Ekco has a legitimate interest in processing personal
data before, during, and after the employment relationship. These interests include:
• Running recruitment, promotion, and career development processes;
• Maintaining accurate and up-to-date employee records, including emergency contact information, and monitoring employee contractual and statutory entitlements;
• Safeguarding Ekco’s reputation, property, and the confidentiality of personal data stored by the organisation;
• Protecting the health and safety of employees;
• Ensuring the efficient administration of HR and business operations;
• Providing references upon request for current or former employees;
• Managing and defending against legal claims; and
• Promoting and maintaining equality and diversity within the workplace.
The legal basis on which we handle, store, use and share your personal information
We will always meet at least one of the following criteria:
1. Consent: We have your explicit consent – Article 6(1)(a) GDPR.
2. Contractual necessity: The processing is necessary to fulfil a contract we have with you – Article
6(1)(b) GDPR.
3. Legal obligation: The processing is necessary for us to comply with a legal obligation – Article
6(1)(c) GDPR.
4. Vital interests: The processing is necessary to protect someone’s vital interests – Article 6(1)(d)
GDPR.
5. Legitimate interests: The processing is necessary for the purposes of our legitimate interests –
Article 6(1)(f) GDPR.
Where Ekco relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of prospective employees and has concluded that they are not. We will not process your personal data for these purposes if to do so would constitute an unwarranted interference with your own interests, rights and freedoms.
Who has access to data?
Your information will be shared internally, including with members of the People (HR) team, Finance (payroll information only), recruiting manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.
The organisation may share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks, in line with internal HR policies, local legislation, and with your consent.
Your personal data may occasionally be transferred to, stored at, or accessed from locations outside the European Economic Area (EEA) and the United Kingdom (UK) by the organisation or third parties. It may also be processed by our employees located outside the EEA and UK. The organisation will take all reasonable measures to ensure that your personal data is securely managed in accordance with this Privacy Statement and applicable data protection laws. Safeguards for transferring your data to third parties outside the EEA and UK will include, but are not limited to, entering into appropriate contractual agreements, conducting Data Protection Impact Assessments (DPIAs) and Transfer Impact Assessments (TIAs), and implementing suitable technical safeguards.
International Transfers of this kind will only be considered where there are appropriate safeguards in place:
• Data transfers on the basis of an adequacy decision
• Data transfers on the basis of appropriate safeguards, including;
o Standard contractual clauses (SCCs)
o Binding Corporate Rules (BCRs)
o Sectorial Codes of conduct
The conditions for these transfers must be respected in addition to the general compliance with other GDPR rules. Information on International Transfers outside of the EEA/UK can be found on the European Data Protection Board website.
How does Ekco protect data?
Ekco is committed to ensuring the security of your personal data. We have implemented robust internal policies and controls designed to prevent data from being lost, accidentally destroyed, misused, disclosed, or accessed by unauthorised individuals. Access to your data is restricted to employees who require it in the course of performing their duties. To safeguard your information, we employ both technical and organisational
security measures, including:
Technical security measures:
• Storing personal data in secure systems;
• Encrypting data both in transit and at rest;
• Implementing strict access controls to ensure only authorised staff can access the data;
• Applying the principle of data minimisation, ensuring access to only the necessary personal data;
• Anonymising, pseudonymising, or otherwise de-identifying data whenever possible;
• Conducting regular security testing and assurance processes
Organisational security measures:
• Enforcing internal policies and procedures to protect personal data;
• Providing regular, relevant training to staff who handle personal data;
• Establishing formal agreements, such as contracts or data sharing agreements, with any third parties that process personal data on our behalf;
• Conducting due diligence on suppliers to ensure they have appropriate security measures in placebefore engaging with them.
Automated decision-making
Employment decisions are not based on automated decision-making.
Your rights
As a data subject, you have a number of rights. You can:
• access and obtain a copy of your data on request;
• require the organisation to change incorrect or incomplete data;
• request the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
• object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing;
• the right not to be subject to a decision based solely on automated processing, including profiling; and
• ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.
If you would like to exercise any of these rights, please email dataprotection@ek.co
If you believe that the organisation has not complied with your data protection rights, you can complain to the Data Protection Commission in Ireland at www.dataprotection.ie, in the UK the Information Commissioner’s Office www.ico.org.uk, in the Netherlands at https://www.autoriteitpersoonsgegevens.nl/, in Malaysia at http://www.pdp.gov.my, or in South Africa https://inforegulator.org.za/
Maintaining the Privacy Statement
We will make changes to this statement from time to time, particularly when we change how we use your information, and change our technology, services and products. The most up to date version can be found on the Ekco careers site: https://careers.ek.co/.
