Graphite HRM (“Graphite”) is committed to protecting your privacy by ensuring that any personal data is collected and used lawfully and transparently. When delivering our professional services we are the Data Controller of the personal data that you supply to us under your contract with us.
This Privacy Notice explains:
- Who we are
- Personal data we collect
- Our legal basis for processing
- Who we may share information with and why
- Where we may transfer data to
- How we keep information secure and deal with security incidents
- How long we may keep your data for
- Your data privacy rights
- How to contact our DPO and the ICO
If you are an employee of one of our clients looking for further information on how we handle your data, please click here.
Who is Graphite?
Graphite HRM Services specialises in the provision of HR consultancy services to businesses within Northern Ireland and The Republic of Ireland.
When providing these services, we take our responsibilities regarding data protection very seriously and are bound by all applicable data protection laws in respect of the handling, processing and collection of data. All employees who handle personal and business data are fully trained to ensure that the data is processed in line with the General Data Protection Regulations 2018 (GDPR) as well as The Data Protection Act 2018 (DPA 2018).
Personal data we collect
Our legal basis for processing
Before processing any personal data, we ensure that at least one lawful basis under GDPR is met. We will not disclose personal data for any purpose other than what the data was originally collected for; unless there is an overriding legal basis that enables this processing.
We may collect, hold, use and disclose the information collected to compile statistical data and to maintain our database; to develop or improve our website; respond to any queries; notify you of any upcoming marketing, training or other events that we think may be of interest to you; provide you with publications; manage quality control and compliance issues; manage systems administration; provide you or your organisation with advice; notify you about important changes or developments to our services; contact you for your views on our services or to determine the suitability for employment.
We may also process your personal data in the following circumstances:
Graphite HRM is one of several companies within The Peninsula Group. There may be occasions where several divisions in the group are involved in the delivery of the services you are contracted to receive. On occasion, we may share data with our affiliated divisions under our ‘legitimate interests’ to enhance the delivery of any services you have. Please refer to the footer of this page for details on the identity of our other group divisions.
You can opt out of group marketing by emailing us at: GDPR@graphitehrm.com
As part of our business-to-business sales strategy we may contact companies and individuals of companies about our products and services. To do this, we rely on our shared ‘legitimate interests’ in doing business together. This lawful basis also applies to any purchased data we may use from our various lead sources and when we share your data across our EU/UK group databases. For more detailed information on our lead sources please visit the respective company privacy notices below to learn more about their individual data acquisition and handling practices. You can also opt out of updates and marketing by clicking on the unsubscribe button at the footer of our email communications.
• 118 Data Resource Limited: http://www.118information.co.uk/privacy/
Full information about our data processing obligations for each product we sell can be obtained via our Group Data Protection Officer upon request. Their contact details are disclosed at the bottom of this notice.
Data Sharing and International Transfers
Personal data will only be disclosed on a confidential basis to external service providers so that they can provide services such as financial, technological or administrative assistance. When we share data with an external third party; these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.
Where necessary, we may need to share data with external organisations such as law enforcement, regulatory bodies, fraud prevention agencies, partners or advisors. Before any data is shared, we ensure that all technical and organisational controls are firmly in place and a data protection impact assessment is undertaken, where applicable, if the sharing or transfer is considered high risk. We do not sell your data to any third parties.
Data Storage and Security
We have a dedicated Information Security team who are in place to offer protection across all our networks and IT assets to assist with data security and data loss prevention. All our systems are robustly secured, and we are ISO27001 and ‘Cyber Essentials Plus’ certified. We also have a specialised Incident Response Team on hand to respond quickly to any data related issues including the prevention and detection of cyber criminals. For our UK and Irish clients, cloud providers we use have servers based within the respective UK and EEA jurisdictions. As a company we promote a ‘paperless’ culture where possible.
Graphite HRM along with other companies within the Peninsula Group only keep your data for as long as necessary, unless there is an overriding legal ground. Data may be held for purposes relating to the establishment, exercise or defence of legal claims which the group or our clients may face. Where we represent you in any legal case, we retain the data for seven years from the conclusion of the litigation case. We will also typically keep data concerning your account for at least seven years from the date you end your contract with us. Some data may be deleted before this time period depending on the category of that data in line with our commercial legitimate interests and retention schedule, for example, data provided to us in the course of an unsuccessful job application will be retained no longer than 6 months after the recruitment exercise.
Personal data that is no longer necessary is deleted securely in line with our groups Data Disposal Policy. Our Data Retention and Data Disposal policies are available upon request.
Your Data Privacy Rights
All data subjects have individual rights. On a case by case basis, you have the following rights in relation to your personal data processed by Graphite HRM:
- The right to be informed about how your personal data is collected and used
- The right to request access to a copy of any personal data that we hold about you
- The right to rectify personal data we may hold which is identified as incorrect or misleading
- The right to erasure of any personal data; also known as ‘the right to be forgotten’
- The right to restrict further processing of your personal data
- The right to data portability where technology allows us to send personal data onto a new controller
- The right to object to the processing or certain processing activities
- Rights in relation to automated decision-making including profiling.
As an organisation we do not operate any automated decision-making systems. Please be aware that the rights listed in this section only apply to individuals and cannot be used to request data relating to business entities. Please be aware that your rights of access do not entitle you to physical or digital copies of any documentation we hold.
Queries and Complaints
Our Group Data Protection officer welcomes communication around our policies and practices and they can be directly contacted on the details below, which are also publicly available on the ICO register. You can also write to us at:
Dublin Office : Block W East Point Business Park, Alfie Byrne Road, East Wall, Dublin 3, Ireland.
Northern Ireland Office : Unit 5, Citylink Business Park, Albert Street, Belfast, BT12 4HQ.
GDPR Oversight Team : GDPR@graphitehrm.com
Data Protection Officer : Peninsula Legal Services Ltd t/a Irwell Law. Email: email@example.com
If you are unhappy with the response that you receive from us when you exercise your GDPR rights, you have the right to lodge a complaint to the DPC. More guidance about raising a complaint is available on the DPC’s website https://dataprotection.ie/docs/Raise-aConcern/1716.htm.
This version was last updated and reviewed January 2022.
We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.
In this privacy notice, “personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
We are legally known as Graphite HRM,
We form part of a larger group of undertakings known as ‘The Peninsula Group’. Other Companies that sit within our Group of companies within the global group:
Peninsula Business Services (UKI and ROI), Croner (UK), Croner-I (UK), Croner Taxwise (UK), Bright HR (UK), Health Assured (UK), Peninsula Employment Services (Ireland), Graphite HRM (Ireland), Employsure (Australia), Employsure (New Zealand), Peninsula Business Services (Canada).
Copyright © Graphite HRM 2020