CITRUSHR CONSULTING LTD (“We”) are committed to protecting and respecting your privacy.
This policy (together with our Terms of Service and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
This policy relates to personal data about our clients, their employees and anyone visiting our website (referred to in part in this policy as “You”). In addition, it applies to any other person whose data we process in the course of our business.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. In addition please be aware that when visiting https://citrushr.com/consultancy/ you are accepting and consenting to the practices described in this policy.
CitrusHR Consulting Ltd is the data controller for all of the information it processes, except for information stored on our HR Software, for which we are a data processor. Our lead for all data protection requirements, and the person to contact with any issue pertaining to our data arrangements, is: Kirsty Senior, 18E Charles Street, Bath, BA1 1HX, firstname.lastname@example.org
WHAT WE DO
CitrusHR Consulting Ltd provides a full range of HR consulting services to its clients, and in addition we have a range of HR resources and tools available on our website and within our HR Software.
INFORMATION WE MAY COLLECT
We collect information about customers with whom we contract and suppliers we use to help us provide our services. The information we collect about our clients and suppliers is normally limited to contact details and financial information. However, we may also collect other information which clients and suppliers provide to us. We do this so that we can have the best business relationships with everyone we interact with in the course of our
We may also collect and process the following data about you (our customers’ employees):
- Information you or your employer give us. Your employer will have given us some information about you either when you started working with them or when they started using our service. This includes for example: your contract of employment, sickness records, maternity / paternity leave.
- In addition, we store information about you which we get from someone filling in forms on our site – https://citrushrconsulting.coghr.com – or by corresponding with us by phone, e-mail or otherwise. This includes information provided when you or your employer register to use our service, and when you report a problem with our site. The information you give us may include your name, address, e-mail address and phone number, employment information, personal description and photograph, and any other personal data stored on our system which is included in your employer’s HR Privacy Notice.
- Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
- information about you gathered during any consulting work we undertake with, and on behalf of, your employer.
Some of the information we process is classed as special category data. This is information relating to any of the following:
- racial or ethnic origin,
- political opinions
- religious or philosophical beliefs
- trade union membership
- the processing of genetic data, biometric data for the purpose of uniquely identifying a
- data concerning health or
- data concerning a natural person’s sex life
- sexual orientation
Special category data is routinely processed as part of an employee’s HR records, for example when records of sickness absence are created. Full details of the special category data we may process and the legal basis for doing so are outlined in your employer’s HR Privacy Notice. For any other special category data that is not listed we will obtain your consent.
Why we process data
We process data only to deliver HR Consulting services, specifically advising your employer on matters surrounding your employment and their employment obligations.
When we collect information
CitrusHR Consulting Ltd collects information:
- When receiving communications from clients, suppliers and others
- When we enter into a contract with our clients and suppliers
- When you or your employer give us information about you or when, for example, we help with a grievance procedure
- When you fill out and send a contact form via our website and we receive an email with your personal information and any message
- When you or your employer input information into our HR Software
HOW WE USE THE INFORMATION
We use information held about you in the following ways:
- Information you give to us. We will use this information:
  - to carry out our obligations arising from the contract for HR services entered into between your employer and us;
  - to notify you about changes to our service;
  - to ensure that content from our site is presented in the most effective manner for you and for your computer.
- Information we collect about you. We will use this information:
  - to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  - to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
  - to allow you and your employer to participate in interactive features of our service, when you or your employer choose to do so;
  - as part of our efforts to keep our site safe and secure.
Information processed about our clients and suppliers is used solely for the fulfilment of contracts, to satisfy legal requirements and to maintain good working relationships with everyone we interact with in the course of our business.
LEGAL GROUNDS FOR PROCESSING DATA
There are six grounds that are available to process data lawfully. In the course of its work CitrusHR Consulting Ltd processes information:
A. With consent of the data subject
In specific and very limited situations, we process your data with your consent.
For example, when we process employee photographs or when we receive an occupational health referral we do so with your explicit consent.
B. To fulfil contractual requirements with clients and suppliers. For example, where we need your data to deliver our service.
C. To fulfil legal requirements such as HMRC reporting requirements.
D. On occasion, we also process data where it is in our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact the rights or freedoms of the data subjects to whom the information
For example, we retain client and supplier information beyond the contract period in order to maintain a good working relationship with these individuals.
Special category data
Special category data must not be processed unless one or more of the specific grounds found in Article 9 GDPR applies. We process special category data about our clients’ employees by virtue of Article 9(2)(b), to fulfil employment functions, and, where this relates to information beyond these functions, with your consent.
SHARING PERSONAL INFORMATION
We sometimes share your personal data with trusted third parties which act only on our instruction (known as “data processors”).
Data processors might be, for example, Microsoft which stores data for us:
Where we share information with these companies or individuals we make sure that they also keep your data secure and that they also protect your rights. To this end we make sure that:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them or where their terms and conditions of processing contain the correct data processor clauses under GDPR.
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Sharing your data with third parties for their own purposes (“joint controllers”) eg your employers, HMRC, accountants, legal advisors:
We will only do this in very specific circumstances, for example:
- With your consent
- Where we have a data sharing agreement in place with the other party
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms
the rights, property, or safety of CitrusHR Consulting Ltd, our customers, employees or others.
WHERE WE STORE YOUR PERSONAL DATA – AND KEEPING IT SECURE
We do not routinely transfer your data, whether gathered via the website or in our general consultancy work, outside of the EEA. However, from time to time we may pass personal data such as your name and email address to other services that we use to send out communications (both electronic and print). However, your personal data will remain in the EU or countries considered by the EU to have equivalent policies such as Jersey, Guernsey, Switzerland, New Zealand and Canada. Companies based in the USA that have certified with the EU-US Privacy Shield programme are also considered to be permitted destinations by the EU (this includes popular US products like Microsoft, DropBox and MailChimp).
HR Software users:
We work hard to keep our site as secure as possible. We have our service constantly monitored and carry out regular “penetration tests” to test our security processes. We use online security specialists for this work and regularly review which companies we use here in order to stay as up to date as we can with changes in online security. We believe that our security is sufficiently strong that your information is more secure with us than it would be in a traditional employer’s office filing system.
We offer Two-Factor Authentication to all clients at no extra charge. This makes it much harder for unauthorised people to access the information we store.
All information you provide to us is stored on our secure servers. Our system is hosted on a secure, UK-based server provided for us by a dedicated hosting company which also hosts websites for government and financial institutions. We regularly review our hosting in order to continue to host and store this data as securely as we can.
Our IT support company has access to our server when needed to perform their obligations to provide us with technical IT support, but has no authorisation to access, use or disclose personal data stored on the secure servers, which is all password protected.
We back our data up to one separate secure physical location in the UK and another separate physical location in the EU.
We encrypt all data transmitted between our servers and the devices our users use to access our website.
We may communicate with you or your employer from time to time over email and using our third party “help desk software” and this communication might occasionally contain some of your personal information. Data will be deleted by us in accordance with your employer’s current HR Data Retention Policy.
When your employer first starts to use our software, it might send us your personal information within a spreadsheet via email or via our secure website. We might store a password-protected version of this spreadsheet on our server in our Head Office for a short period of time while we set your employer up, after which we will delete it from our server. The only members of our staff who would have access to your information on our server would be the team which processes your information for the purposes of setting it up on our software system, and their access is also password protected.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential and for complying with all other requirements for setting a robust password and regularly changing it to make sure your password is effective, contained in your employer’s Data Security Policy.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We do not process any payment or other financial transactions through the website.
Face-to-face consulting service users:
In addition to the HR Software CitrusHR Consulting Ltd also provides face-to-face HR consultancy. In order to deliver this service we also process data outside of the HR Software systems and processes noted above.
We take the security of data processed outside of HR Software systems equally seriously, and we are aware of the need to maintain the correct and highest level of security when processing your personal information. We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
We take the following steps to maintain the security of your personal information:
- we keep all of your information in systems that are secure
- we limit access to your personal information to those who have a genuine business need to know it
- we have password protected systems
- we maintain firewalls and anti-virus software
- all processing, with the exception of emails, is carried out through Microsoft Office 365 and Microsoft Sharepoint. Emails are processed through Microsoft Outlook
- any data which is accessed off site or on a mobile device is kept locked when not in use and never left unattended
We do not keep any paper records and all electronic storage of data must, at all times, be stored, processed and accessed by CitrusHR Consulting Ltd and our employees in accordance with our IT and Data Security policies.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are required to do so.
HOW LONG WE RETAIN DATA
We only retain data for as long as it is required for its original or related purpose. We also seek to keep only the minimum amount of data required to fulfil the purpose. In the course of our work for example:
- Employers are required to maintain employment records for their current and former staff, and we can provide that service to our clients who use our HR Software.
- Data will be deleted in accordance with your employer’s current HR Data Retention Policy.
- When a client ceases to use our service, they are able to request that we delete any data of theirs which we have stored, and this will in any event be carried out upon the expiry of six months from the date when we ceased to provide services under the Terms of Service.
- We retain information contained in any HR advice we give to our clients for seven years in order to satisfy our professional obligations and indemnity requirements.
- In respect of information we retain about our clients and suppliers we retain data for as long as our contract remains in place. Beyond that we retain financial information for seven years to fulfil reporting requirements. All other information is retained for seven years in order for us to exercise our legitimate interest – specifically to allow good continuing business relationships with clients and suppliers.
Certain features of Our Site depend on Cookies to function. Cookie Law deems these Cookies to be “strictly necessary”. These Cookies are needed by us to manage your session and they will be deleted when the browser is closed. These Cookies, by themselves, do not tell us your e-mail address or other personally identifiable information and we do not share the Cookie with any other company. Your consent will not be sought to place these Cookies, but it is still important that you are aware of them. You may still block these Cookies by changing your internet browser’s settings, but please be aware that Our Site will not work properly if you do so. We have taken great care to ensure that your privacy is not at risk by allowing them.
We use Google Analytics to monitor how our website is being used so we can make improvements. Our use of Google Analytics requires us to pass to Google your IP address (but no other information). Google uses this information to prepare site usage reports for us, but Google may also share this information with other Google services. In particular, Google may use the data collected to contextualise and personalise the ads of its own advertising network. Related information: How Google uses this information
You have the following rights, which you can exercise free of charge:
| Right | Description |
|---|---|
| Access | The right to be provided with a copy of your personal data |
| Rectification | The right to require us to correct any mistakes in your personal data |
| To be forgotten | The right to require us to delete your personal data, in certain situations |
| Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations |
| To object | The right to object: at any time to your personal data being processed for direct marketing (including profiling); in certain other situations to our continued processing of your personal data, eg processing carried out for the purpose of our legitimate interests. |
| Not to be subject to automated individual decision-making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
| Restriction of processing | The right to require us to restrict processing of your personal data, in certain circumstances, eg if you contest the accuracy of the data |
If you would like to exercise any of those rights, please contact Kirsty Senior: 18E Charles Street, Bath, BA1 1HX or via email at email@example.com
More details about your rights in relation to your personal data can be found in your HR Privacy Notice provided by your employer.
Where we rely on your consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. You can do this by contacting Kirsty Senior, 18E Charles Street, Bath, BA1 1HX, firstname.lastname@example.org
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We will then stop processing your information unless we believe we have a legitimate overriding reason to continue processing.
Checking your identity
To protect the confidentiality of your information, we may ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
For us to check your identity please:
- let us have enough information to identify you (eg your full name, address and client or matter reference number);
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
- let us know what right you want to exercise and the information to which your request relates.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to contact the ICO
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113.
Or go online to www.ico.org.uk/concerns
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
You also have the right to seek a judicial remedy. You can seek to exercise your rights under local data protection law or GDPR at any time by contacting your employer, or alternatively by contacting Kirsty Senior, Citrus HR Consulting Ltd at 18E Charles Street, Bath, England BA1 1HX, or emailing us at email@example.com