Employee privacy statement


This is the employee privacy notice. If you have engaged with Crisp in a non-employment capacity, the General Privacy Policy is more appropriate for you.

Crisp is committed to protecting the privacy and security of all personal information. This page summarises the nature of the information that is stored by Crisp, why and how it is used, your rights in regard to this data, as well as the protections in place to safeguard it.

There is no need for you to take any action.

In this notice we cover:

  • Personal information we collect, when and why we use it
  • How we use your personal data
  • How Crisp collects information
  • Legal basis for processing your data
  • Data retention
  • Data sharing
  • Your rights as a data subject

We may amend this document from time to time to keep it up to date with legal requirements and the way in which we operate our business. If we make significant changes to this document, we will inform you by notice on the Crisp intranet or email.

This notice does not form part of any contract of employment or other contract to provide services.

Personal information we collect, when and why we use it

We may collect the following personal information about you for the purposes described in this notice:

  • Personal details: your title, name, previous or maiden name, gender, nationality, civil/marital status, date of birth, age, personal contact details, national ID number, eligibility-to-work information, passport, driving licence, languages spoken; emergency contact information, details of any disability and any reasonable adjustments required as a result
  • Recruitment and selection information: skills and experience, qualifications, references, CV and application, interview and assessment data, background and verification information related to the outcome of your application, details of any offer made to you
  • Information related to your engagement: contract of employment or engagement, work contact details, employee or payroll number, photograph, work location, your worker ID and various system IDs, your work biography, your assigned business unit or group, your reporting line, your employee/contingent worker type, your termination/contract end date, the reason for termination, your last day of work, exit interviews
  • Regulatory information: records of your registration with any applicable regulatory authority, your regulated status, including any criminal record or credit background checks which may be necessary, and any regulatory certificates and references
  • Remuneration and benefits information: your remuneration information (including salary/hourly plan/contract pay/fees information as applicable, allowances, overtime, bonus and commission plans), payments for leave/, bank account details, grade, tax information, details of any benefits you receive or are eligible for, benefit coverage start date, expense claims and payments, information and agreements
  • Leave and absence management information: attendance records, absence records, holiday dates, requests and approvals and information related to family leave or other special or statutory leave, absence history, fit notes, details of incapacity, details of work impact and adjustments, manager and Human Resources (HR) communications, return to work interviews
  • Performance management information: colleague and manager feedback, your appraisals and performance review information, outcomes and objectives, talent programme assessments and records, succession plans, formal and informal performance management process records
  • Training and development information: data relating to training and development needs or training received or assessments completed
  • Monitoring information (to the extent authorised by applicable laws): closed circuit television footage, system and building login and access records, photo on access card, download and print records, call or meeting recordings, information captured by IT security programmes and filters
  • Health and safety records: any records of accidents or near misses, including details of any injuries sustained, not limited to RIDDOR qualifying accidents or near misses
  • Employee claims, complaints and disclosures information: subject matter of employment or contract-based litigation and complaints, pre-claim conciliation, communications, settlement discussions, claim proceeding records, employee involvement in incident reporting and disclosures
  • Equality and diversity information (where authorised by law and consent provided voluntarily): information regarding gender, age, nationality, religious belief, sexuality and race (stored anonymously for equal opportunities monitoring purposes)

How we use your personal data

Subject to applicable law, your personal data may be stored and processed by us for the following purposes:

Recruitment and selection

  • To evaluate applications for employment and make decisions in relation to selection of employees
  • Pre-employment screening including, where relevant and appropriate, identity check, right to work verification, reference check, credit check, financial sanction check, criminal record checks
  • To make job offers, providing contracts of employment or engagement and preparing to commence your employment or engagement where you accept an offer from us
  • To contact you should another potentially suitable vacancy arise
  • To deal with any query, challenge or request for feedback received in relation to our recruitment decisions
  • To monitor programmes to ensure equality of opportunity and diversity

Ongoing management of all aspects of employees' relationships with Crisp

  • To manage and maintain HR hard copy records, files and systems, including technical support and maintenance of HR systems and managing electronic and hard copy records in line with Crisp's retention schedules
  • Providing and administering remuneration, benefits, pensions and incentive schemes
  • To make appropriate tax and national insurance deductions and contributions
  • To set and change building and system access permissions
  • Identifying and communicating effectively with employees
  • Where appropriate, publishing appropriate internal or external communications or publicity material, including via social media
  • Managing and operating performance reviews, capability, attendance and talent programmes
  • Managing grievances, allegations (e.g. whistleblowing, harassment), complaints, investigations and disciplinary processes, and making related management decisions
  • Training, development, promotion, career and succession planning
  • Business contingency planning and response to active incidents
  • Processing details with employee consent of membership of trade unions, works councils and other employee representative bodies and to administer any associated subscriptions paid direct from salaries
  • Sharing data with customers or third party suppliers where necessary in connection with the performance of your role. Crisp will only share the minimum amount of personal information necessary and ensure it has written agreements in place to protect your personal information.

Absence management and health and safety

  • Processing information about absence
  • Processing medical information regarding physical or mental health or condition to:
    • assess eligibility for incapacity or permanent disability related remuneration or benefits
    • determine fitness for work
    • facilitate a return to work
    • make adjustments or accommodations to duties or the workplace
    • make management decisions regarding employment or engagement or continued employment or engagement or redeployment
    • conduct related management processes

Compliance monitoring, security and systems use

  • Measuring the performance of Crisp's IT systems by monitoring employee usage of Crisp systems; this includes analysing times, locations and activities whilst users are logged into the network.
  • Logging user actions or interactions with systems for the purposes of auditing or in order to allow the use of such systems.
  • Auditing, monitoring, investigation and compliance monitoring activities in relation to Crisp policies, the Crisp Code of Conduct, applicable law, the prevention and detection of criminal activity and to protect Crisp's assets and premises

Responding to legal and regulatory requests

  • Comply with lawful requests by public authorities or law enforcement, disclosure requests, or where otherwise required or authorised by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country

Termination of employment and managing post-employment relationships

  • Complying with reference requests where Crisp is named by the individual as a referee
  • Administering termination and post-termination matters, e.g. outplacement services, liaison with employee legal representatives, enforcing restrictive covenants, loan repayments, overpayments, expense reimbursements, employee benefits, conduct termination and post-termination litigation

To the extent authorised by local laws, Crisp may collect and process a limited amount of personal information falling into special categories, sometimes called 'sensitive personal information'. This term means information relating to:

  • health-related details, including any special dietary requirements and any reasonable adjustments that Crisp may be required by law to make to your working arrangements. Health data may also include data on your mental as well as physical health.
  • information revealing racial or ethnic origin
  • criminal convictions and offences information, including the results of criminal or police records checks which can include details of offences, alleged offences and sentences and information from other intelligence sources (subject to relevant local laws and record retention periods)
  • marital status and next of kin
  • political opinions or contributions, religious beliefs or other similar beliefs and sexual orientation, should you choose to provide any such information to Crisp
  • biometric data to the extent that Crisp uses any biometric access systems for buildings or systems.

Crisp has in place appropriate technical and organisational measures to protect your personal data, including protecting personal data within an Information Security Management System which complies with ISO27001. If you require any further information on the security measures in place, please speak to the VP of Operational Security.

How Crisp collects information

We collect your personal information from a variety of sources, but in most circumstances directly from you. You will usually provide this information directly to your managers or local HR contact, or enter it into our systems, for example through our Employee Self Service Portal (ESSP), your participation in HR processes (including recruitment), emails and instant messages, which may be recorded electronically or manually. In addition, further information about you will come from your managers, HR or occasionally from your colleagues.

We may also obtain some information from third parties, e.g. references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or where we employ a third party to carry out a background check (where authorised by applicable law) or, occasionally, from clients.

In some circumstances, personal information may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, instant message logs and email and Internet access logs), if and to the extent authorised by applicable laws.

Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. The failure to provide mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, we will not be able to pay you.

Apart from personal information relating to you, you may also provide Crisp with personal information of third parties, notably your dependants and other family members, for purposes of HR administration and management, including the administration of benefits and someone to contact in an emergency. Before you provide such third-party personal information to Crisp you must first inform these third parties of any such information that you intend to provide and of the processing to be carried out by Crisp, as detailed in this notice.

Automated decision making

We will make some decisions about you based on automated decision making (where a decision is taken about you using an electronic system without direct human involvement). This is limited to our hiring process and includes the use of technical and psychometric tests required as part of our hiring process. These tests are based upon pre-determined criteria; however, the results are reviewed by a member of the Human Resources team. Reasonable adjustments are available to accommodate individuals with neurodiversity.

Legal basis for processing your data

Your personal information is collected and processed for various business purposes, in accordance with applicable laws and collective bargaining agreements.

We will only collect, use and share your personal information where we are satisfied that one or more of the following legal bases apply:

  • The processing is necessary for compliance with a legal obligation to which Crisp is subject, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations
  • The processing is necessary for the performance of a contract to which you are a party or in order to take steps, at your request, prior to entering into such a contract, for example collecting bank details to pay your salary or processing information to provide you with the contractual benefits to which you are entitled
  • The processing is based on your consent. Where consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from Crisp
  • The processing is necessary for the legitimate interests pursued by Crisp or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information. Crisp considers that it has a legitimate interest in processing personal information for the purposes set out above, and to support the achievement of its immediate and long-term business goals and outcomes

Data retention

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting, or necessary technical requirements.

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Data sharing

For the above purposes, personal information may be transferred within or outside of the jurisdiction where you are employed or perform work, either within Crisp or to third parties, including, but not limited to:

  • any holding company, subsidiary or affiliate of Crisp Thinking Limited, including Crisp Thinking (UK) Limited and Crisp Thinking (U.S.) Inc.
  • certain third parties including customers, suppliers and service providers, including software providers, payroll and pension providers, to whom Crisp may disclose personal information when required by law or court order, or as requested by any government or regulator or law enforcement authority or agency

Crisp may also disclose personal information to a third party where it is necessary to do so in order to protect or pursue Crisp's legitimate interests (ensuring this is proportionate and limited to that information which is strictly necessary in the circumstances). This may include, but not be limited to, disclosure to a party with whom Crisp is in negotiation for the sale or transfer of a business, assets or services. Crisp will take appropriate steps to ensure that the recipient of personal information in such circumstances puts in place an adequate level of protection for such personal information in accordance with applicable legal requirements.

Where Crisp transfers personal information internally within Crisp or to any third party between different jurisdictions, including, but not limited to, transfers outside of the European Economic Area (EEA) including the USA, and to other jurisdictions that have not been deemed to offer adequate protection, for the purposes outlined in this document, it will take appropriate steps to ensure that there is an adequate level of protection for personal information in place in accordance with applicable legal requirements. For any transfers to Crisp Thinking (U.S.) Inc., Crisp has put in place EU approved Standard Contractual Clauses in order to facilitate the transfer of personal information between its companies.

Your rights as a data subject

You have a number of legal rights in relation to the personal data that we hold about you and you can exercise your rights by contacting us using the details at the end of this document. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you
  • the right to withdraw your consent to our processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) to do so
  • in some circumstances, the right to receive some personal data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data that you have provided to us
  • the right to request that we correct your personal data if it is inaccurate or incomplete
  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we must retain it, e.g. to comply with a legal obligation
  • the right to request that we restrict our processing of your personal data in certain circumstances.
  • the right to lodge a complaint with the applicable data protection regulator in the country where the relevant Crisp entity is located if you think that any of your rights have been infringed by us. If you are not sure which part of Crisp is using your data or which is the relevant data protection regulator, you can ask us to clarify this using the contact details at the end of this document
  • when we are processing on the grounds of legitimate interest, you have the right to object to the processing and we must stop unless we have an overriding reason which will be communicated to you.


Main contact: Human Resources
Email: [email protected]
Address: Central Square, Suite 1, Floor 1, Whitehall Road, Leeds, LS1 4DL, UK