Personal privacy is very important to Crayon Group and we have a strong privacy culture. We are committed to safeguarding the personal data of our customers and the data we manage on behalf of our customers. And we are equally committed to safeguarding your personal data if:

• You are a current team member;
• You work for us as a contractor, consultant or agency staff;
• You are an applicant interested in joining our team.

This Human Resources Privacy Policy (hereafter: “this policy”) describes the framework for honouring our privacy commitments. If you have any questions related to this policy, please contact our Data Protection Officer

1.1. Scope of this Policy

This policy applies to the following stakeholders (hereafter: “you”/“your”):

• Applicants to Crayon Group’s subsidiaries;
• Current Team Members of Crayon Group’s subsidiaries; and;
• Contractors, Consultants and Agency Staff contracted by Crayon Group’s subsidiaries.

This policy outlines the obligations of Crayon Group and its subsidiaries (hereafter: “we”/ “our”/“us) as an employer or principal towards you, and your obligations towards us, in terms of data protection and how privacy protection is applied. By accepting the terms of your employment contract and/or your Confidentiality and Privacy Agreement with us, or when applying to work with us, you are consenting to this policy. We expect that you honour this commitment to security and privacy after the completion of your contract.

1.2. Our Privacy Principles

1.     Personal data will be processed lawfully and fairly.

2.     Personal data will be kept only for specific, explicit and lawful purposes as outlined in our policies and guidelines. Personal data will be used and disclosed only when compatible with those purposes.

3.     Personal data will be adequate and relevant, not excessive.

4.     Personal data will not be retained for longer than is necessary for the purposes for which they were obtained.

5.     Personal data will be accurate, complete and up-to-date.

6.     A transcript copy of the personal data we hold on an individual will be provided to them on request in line with our commitments under the EU GDPR

7.     Personal data will be kept secure using technical measures and organisational measures which are grounded in principle of privacy by design.

Personal Data means: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Art.4(1) EU GDPR)

1.3. Our Commitment to Privacy, Transparency and Accountability

There are strict regulations concerning data protection in the European Union (EU). As we appreciate the importance of data privacy, irrespective of location, we apply those standards and principles governing data protection to every team member, contractor, consultant and agency staff employee working for any of our subsidiaries worldwide. We abide by regulations and national laws and we fully comply with and support any activities that aim to verify our compliance in the form of investigations and audits, whether they are from supervisory authorities or companies for due diligence. We are committed to ensuring the security of any personal data processed by us. We report data breaches as quickly as possible and take a result-oriented approach to effectively and efficiently resolve any issues resulting from an unintentional or unforeseen data breach.

2.1. When and why may your data be collected/stored?

Your personal data is collected to enable us to comply with applicable employment laws and execute on critical functions such as HR and payroll. The examples in this section provide an overview of the principal purposes for which we are required to collect your personal data. Each requirement to collect, store and use personal data is governed by Processing Guidelines. As an additional safeguard, our DPO performs ongoing monitoring to ensure Processing Guidelines are being implemented correctly and we are compliant with data protection regulations.

Specifically, for compliance with our obligations as an employer, we must collect the following:

• Maternity/paternity/parental leave
• Diversity requirements
• Working hours
• Sick leave
• Payroll
• Health and Safety – accident or injuries at work
• In specific cases, the following collection of personal data may apply, but are not limited to these examples:
• Checking of qualifications during recruitment
• Provision of employee benefits such as health insurance, pensions or lunch vouchers
• Performance management to facilitate career development through annual appraisals
• Security and monitoring access to our premises (badge controls), video surveillance
• Resource management for the allocation and maintenance of resources (access rights to office buildings, IT systems, databases)
• Training for the organisation of training sessions
• International mobility in cases where employees are relocated
• Under the above obligations and specific cases, we may collect the following kinds of personal data:
• Identification data: name, surname, contact information
• Work entitlement data (e.g. for the purpose of verifying if you are entitled to work in the country)
• Family status (e.g. for the purpose of health insurance and pension provision)
• Education and career development data
• Professional life: contracts, working time, absence, paid holidays
• Economic situation: tax and source deductions, pay grade, salary and other compensation elements, pension fund contributions, bank account details
• Military status: military situation in countries where there is compulsory military service
• Police records: criminal records checks or security background checks for those working in confidential environments or subject to Customer Required Security Clearance
• Marketing information: employee photos for those included in our external marketing or other materials
• Other information required for us to comply with our obligations as an employer under local laws

2.2. Who has access to your personal data?

Your data may be handled by our HR Department, Payroll and managers. However, in all cases, access to your data is restricted to those who need it and governed by Processing Guidelines, which are closely monitored and reviewed by the Data Protection Officer (DPO). Your personal data is securely stored and processed using technical and organisational measures which are regularly reviewed to ensure they are state of the art and they remain up to date. Some personal data, including electronic identities, is handled by the IT Department for the purposes of resource management. The use of electronic communications, devices, internet, phones, etc. is covered in our IT Use and Data Processing Policy. To fulfil our contractual obligations, we may provide your contact details to our customers and suppliers for the purposes of service support. These data transfers are governed by Data Processing Agreements, which are monitored regularly by the DPO.

We disclose your personal data to any authority to which we are required by law (e.g. Tax Authorities, Social Security Services, Child Benefits Agencies). In some cases, your personal data may be requested by judicial authorities or law enforcement agencies in the context of legal investigations. In most cases (unless it will prejudice the outcome of the investigation) you will be notified about such requests. In all cases, the DPO will be involved to ensure privacy principles are upheld in a lawful manner and the identity and authority of the person/agency making the data access request will always be verified.

In the event of a business merger or acquisition, personal details about team members are anonymised wherever possible. At the time of the merger/acquisition the personal data will be transferred using secure means and governed by a Data Processing Agreement, which is monitored by the DPO.

2.3. How long is your personal data stored?

Your personal data is kept only for as long as it is necessary for us to comply with our legal obligations. There are data retention laws in place, to which we must adhere.

2.4. When may sensitive data be processed/stored?

Sensitive data: is categorised as any data revealing your: racial/ethnic origins; political opinions; religious beliefs; membership of a trade union; sexuality; physical or mental health conditions; or, criminal offenses or convictions. (Art. 9 EU GDPR).

(a) Statutory Obligations:

We may be required to process sensitive personal data to comply with our statutory obligations. For example, to demonstrate non-discriminatory practices, we might be asked for figures relating to gender, age or ethnic background. In these cases, the data will be anonymised and kept strictly for statistical purposes. We also ensure any sensitive personal data we hold or process is kept to a minimum, in accordance with our Privacy Principles.

(b) Occupational Health:

Health data is a sensitive category and must be subject to stricter access controls and security measures. The principles of “need to know” are applied here. The processing of health data is governed by the HR Processing Guidelines which place restrictions on who has access to this data and how it is stored or processed.

(c) Security Background Checks:

Security background checks for those working in confidential environments or subject to Customer Required Security Clearance may be necessary. In the event of a security background check, this will be conducted in close cooperation with the staff member undergoing the check and comply fully with local legislation. We will never pass the content or details of this check to third parties. They will be informed only that a check has been conducted and whether the member of staff has passed. This will also be the only data we keep on your personnel record (that a check was done and whether it was passed).

(d) Video Surveillance:

For the purposes of physical security, the buildings of our offices may have video surveillance to monitor and secure car parks, entrances or other important environments. Where video surveillance is in use, this will be signposted clearly. It may be necessary to access and provide this data to local police in criminal investigations, and then it is subject to local legislation and careful monitoring by the DPO that relevant privacy rules are applied.

(e) Sensitive Data Conditions:

Sensitive data can only be processed where you have given consent or unless a sensitive data condition is satisfied. The consent you provide is not confined to the initial request but to the subsequent recording, use and disclosure. It is our policy to ensure that any sensitive personal data we hold or process is kept to a minimum. The sensitive data condition is satisfied when: the processing is necessary to protect the vital interests of the worker or another person where consent cannot be given or the data controller cannot reasonably be expected to obtain it; to protect the vital interests of another person where consent is unreasonably withheld; the collection of sensitive medical/health data is required to defend a tribunal claim or for other legal proceedings; the processing is of information in categories relating to racial or ethnic origin religious beliefs or other beliefs of a similar nature or physical or mental health condition is necessary for the purpose of identifying or keeping under review the existence or absence of equality in opportunity or treatment, and there are safeguards for that data subject; where a public sector body needs the information to discharge its statutory functions; where the collection of medical or health information is done by a confidential occupational health service and is necessary for preventative medicine, diagnosis or care and treatment; where the collection of health information is necessary for important, non-obtrusive research; where the worker has deliberately made his/her sensitive personal information public. (Art.9.2 EU GDPR).

(f) What Data We Do NOT Collect:

Under no circumstances do we collect sensitive personal data relating to: political opinions; religious beliefs; membership of a trade union; sexuality.

2.5. How can you access your own information?

You are entitled to receive a transcript copy of your personal data held by us, in accordance with the EU GDPR and guidelines issued by the national Supervisory Authorities, which also include exemptions for certain types of information. Data access requests should be made in writing by contacting your DPO (email: dpo@crayon.com) with a clear description of the information you seek. Your request will be processed as a data subject request and we will respond within 10 working days.

The following obligations apply if you are a current or former employee, contractor, consultant, agency staff, or applicant.

3.1. Confidentiality and Data Protection

You are obliged to uphold strict confidentiality and security regulations in the processing and handling of personal data. These are covered in our Binding Corporate Rules (BCRs) and our IT Use and Data Processing Policy. The BCRs and related policies are explained in more detail in the mandatory Information Security and Data Protection (ISDP) training. You will also receive copies of relevant policies in your induction pack.

You are obliged to attend information security and data protection training. We will also provide awareness materials to keep you regularly updated and provide you with dedicated training which is tailored to your role in processing personal data.

During employment and after termination you are obliged to maintain data protection and professional confidentiality regarding all matters relating to us and our business, as laid down in your Confidentiality and Privacy Agreement with us.

Breaches of confidentiality, both in terms of data protection and professional confidentiality constitute a material breach of your employment agreement, which may result in additional training for corrective actions. Breaches resulting from malicious actions or gross negligence may result in termination of employment, legal action, whereby you may be required to pay compensation to us for civil or business liabilities arising as a result of such actions.

To ensure accuracy of records, you must notify HR within 30 days of any changes to personal data or circumstances. For example: a change of address, marriage, etc. This ensures that your personnel records are kept accurate and up to date.

3.2. Health and Safety

We aim to provide a safe, comfortable working environment. You should report any accidents or injuries at your workplace to your assigned Health and Safety Manager (or HR manager). The assigned manager is responsible for assisting you in receiving medical attention, registering the incident, and informing your line manager of your absence. We do not record your health/medical data.

3.3. End of Contract: Termination or Resignation

Upon end of contract or the replacement of assets, it is your responsibility to ensure:

• You return all hardware belonging to Crayon Group (i.e. devices, peripherals etc.).
• You erase your personal data from all hardware used during your employment with Crayon Group.
• You return all keys which enable access to personal data (i.e. access cards, passcodes, etc.).
• You return any printed documents or materials in your possession.