Employee and Candidate Data Privacy Notice
Effective Date December 16, 2023
Ravnur, Inc. (“Ravnur”, “we”, “us”) values its employees and respects and protects their privacy.
This employee and candidate data privacy notice (“Notice“) sets out the types of information that Ravnur collects about you, the purposes for which it is collected, the basis on which we process it, and how Ravnur handles your personal data. It is intended to comply with our obligations to provide you with information about Ravnur’s processing of your personal data under applicable privacy laws.
This Notice principally applies to current employees even after the end of their employment but, where relevant, it also applies to workers, job applicants, interns, agency workers, consultants, directors, and third parties whose information is provided to us in connection with the employment or work relationship (for example, referees or emergency contact information). Where we use the term “employee” or “employment”, for the purpose of this notice, such terms include those who work for us on a basis other than employment to the extent it is relevant, but this does not in any way indicate that the individual is an employee of Ravnur.
This Notice does not form part of any contract of employment and does not confer any contractual right on you, or place any contractual obligation on us. We may update or otherwise amend this Notice at any time.
If you have any questions regarding the processing of your personal data or if you believe your privacy rights have been violated, please contact privacy@ravnur.com. If you are aware of unauthorized disclosure of data, please also refer this to us for guidance as to the applicable reporting requirements.
Overview
Ravnur collects and uses personal details which you provide as part of the recruitment and onboarding processes, together with additional personal data collected throughout the course of your employment or engagement (for instance, in relation to performance reviews, disciplinary processes, and participation in any voluntary benefits schemes).
The personal data Ravnur collects is used primarily for the recruitment process, managing the workforce, and complying with contracts of employment. The data may be stored in systems based around the world and may be processed by third-party service providers acting on Ravnur’s behalf.
We need your data in order to commence, perform and terminate your employment and for performing the related contractual or statutory obligations. Without this data, we will not be able to enter into a contract with you or to perform our obligations under such a contract.
It is our policy to comply with our obligations under the European General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), including other applicable local laws. But you also have an important role to play in protecting the security of personal data, and you should be careful to whom you disclose personal data, and how you protect your communications and devices. Please refer to the Ravnur Privacy Policy and Ravnur Security Policy for more information about your responsibilities.
You also have certain rights in respect of your personal data, which you can exercise by contacting us at privacy@ravnur.com.
Types of personal data that Ravnur processes
“Personal data” refers to information which relates to an identified or identifiable natural person. An identifiable natural person is an individual who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Personal data includes, for example, your contact details and your date of birth.
Ravnur processes your personal data. In this context, “processing” means dealing with the data in any way, such as using, disclosing or destroying it.
The types of personal data which we process will vary depending on your role, your location and any terms and conditions of employment or engagement relevant to you. Typically, the types of personal data will include, for example, your personal and basic work details and details of your remuneration and benefits.
The types of personal data which we process will include, but may not be limited to, the following:
- Your Personal Details – for example your name, date of birth, gender, personal contact details, emergency contact/next of kin details, immigration and eligibility to work data and languages spoken;
- Basic Work Details – for example your work contact details (corporate email address and telephone numbers), employee number, photograph, job title, job description, assigned business unit or group, reporting lines, primary work location, working hours and your terms and conditions of employment;
- Professional Qualifications and Regulatory Data – where applicable, including certifications and unique regulatory identifiers;
- Recruitment/Selection Data – for example, any personal data contained in your CV, application form, record of interview or interview notes, records of assessments and vetting and verification documentation;
- Remuneration and Benefits Data – for example, details of your pay and benefits package, bank account details, grade, social security number, tax information and third-party benefit recipient information;
- Leave Data – for example, your holiday and family-related leave records;
- Incapacity Data – for example, any personal data contained in your absence records, medical forms, reports or certificates and records relating to accommodations or adjustments;
- Disciplinary and Grievance Data – for example, any personal data contained in records of allegations, investigations and meeting records and outcomes;
- Performance Management Data – for example, colleague and manager feedback, appraisals, outputs from talent programs and formal and informal performance management processes;
- Equality and Diversity Data – where permitted under local law, data regarding gender, age, race, nationality, religious belief and sexuality (stored anonymously for equal opportunities monitoring purposes);
- Training and Development Data – data relating to training and development needs or training received;
- Monitoring Data – where permitted under local law, identifiable images contained in CCTV footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programs and filters;
- Health and Safety Data – personal data in audits, risk assessments and incident reports;
- Employee Claims, Complaints and Disclosures Data – personal data in the subject matter of employment-based litigation and complaints, employee involvement in incident reporting and disclosures;
- Termination Data – for example, dates and reason for leaving, termination arrangements and payments, exit interviews and references;
- Any other personal data which you choose to disclose to Ravnur personnel during the course of your employment, whether verbally or in written form (for example, on work emails).
Special categories of personal data
To the extent permitted by applicable laws, Ravnur may also collect and process a limited amount of personal data falling into special categories. Within this category, Ravnur collects and records information relating to health (including details of accommodations and adjustments) as permitted by applicable laws. We may also process information relating to e.g. trade union membership, only where you provide this to us and as permitted by applicable laws.
Sources of personal data
Primarily the personal data we process about you will have been provided by you, either during your application for employment or engagement, the on boarding process, or on an ad hoc basis during the course of your employment or engagement. This will especially include your personal and basic work details as well as equality and diversity data.
During the recruitment process, we may request references from third parties, and carry out screening and vetting processes using third party sources. We carry out such screening and vetting processes only to the extent permitted by applicable laws. These may include credit and employment history checks. Credit checks will only be carried out if you are applying for a type of position within Ravnur which, according to applicable laws, allows us to perform such checks (e.g. if you are applying for a key or management position).
We also receive information which may include your personal data from time to time, from your managers or colleagues (for instance, in the course of conducting reviews or an investigation).
We may also receive personal data about you from other third parties, for example clients, tax authorities, benefit providers, brokers and regulatory bodies to the extent permitted by applicable laws.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by Ravnur or a third-party provider of the relevant service. This type of data is generally not accessed on a routine basis, but access is possible. Access may occur, for instance, in situations where Ravnur is investigating possible violations of Ravnur policies such as those relating to travel and expense reimbursement, use of the Internet, or employees conduct generally, or where the data are needed for compliance purposes. More frequent access to such data may occur incidental to an email surveillance program, if and to the extent permitted by applicable laws. Ravnur will not use any such collected data for any purpose other than explicitly stated in this Notice.
Where we ask you to provide personal data to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. Failure to provide any mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases, it may mean that we are unable to continue with your employment or engagement as Ravnur will not have the personal data we believe to be necessary for the effective and efficient administration and management of our relationship with you.
Apart from personal data relating to yourself, you may also provide Ravnur with personal data of other third parties, notably your referees, dependents and other family members or friends, for purposes of HR administration and management, including employment verification, the administration of benefits and to contact your next of kin in an emergency. Before you provide such third-party personal data to Ravnur you must first inform these third parties of any such data which you intend to provide to Ravnur and of the processing to be carried out by Ravnur, as detailed in this Notice.
Please contact us if you have any questions regarding the source of your personal data or would like more detail than is set out in this Notice.
Purposes of Processing
Your personal data is collected and processed for various business purposes, in accordance with applicable laws and any applicable collective bargaining agreements. Data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. in investigation or disciplinary proceedings).
Where applicable data protection laws require us to process your personal data on the basis of a specific lawful justification, we generally process your personal data under one of the following bases:
(a) you have given your consent for one or more specific purposes (GDPR, Article 6 1. (a));
(b) the processing is necessary for the legitimate interests pursued by Ravnur (being those purposes described in the section below), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (GDPR, Article 6.1(f));
(d) the processing is necessary for compliance with a legal obligation to which Ravnur is subject (GDPR Article 6.1(c)); or
(d) the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract (GDPR Article 6.1(b)).
We may on occasion process your personal data for the purpose of the legitimate interests pursued by a third party (GDPR Article 6.1(f)), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data. Where this is the case, this is set out in this Notice or will be communicated to you prior to such processing taking place as appropriate.
We process your personal data for recruitment decisions, the performance of the employment contract and the termination of the employment relationship. These purposes each relate to a lawful basis for processing, as required under applicable law. These purposes include:
| Purpose for processing | Lawful basis |
(a) | Recruitment and selection | This processing is necessary to take steps at the applicant’s request to enter a contract of employment or contract of services. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in fully reviewing and deciding on applications for employment or engagement to ensure that only suitable and appropriate candidates are assessed, shortlisted and selected. |
(b) | Appropriate vetting for recruitment and team allocation including, right to work verification, relevant employment or engagement history, relevant regulatory status, academic / education checks and professional qualifications and bringing you on-board and creating an employment record. | This processing is necessary for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in managing its business operations in the most appropriate and effective way and wishes to maintain its world class reputation and continue to attract and appoint high caliber employees. |
(c) | Providing and administering remuneration, benefits and incentive schemes and reimbursement of business costs and expenses and making appropriate tax and social security deductions and contributions; | This processing is necessary to perform the contract between you and Ravnur and necessary for compliance with legal obligations. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in managing its workforce and operating its business. This includes ensuring that employees are properly rewarded, remunerated as well as remain engaged for the duration of their employment or engagement. |
(d) | General employee management, including: 1. allocating and managing duties and responsibilities and the business activities to which they relate; 2. business travel; 3. employee certification, licensing and regulatory requirements; 4. budgeting, financial review and internal business reporting; 5. planning and allocating work and measuring working hours; 6. maintain emergency contact and beneficiary details; 7. manage health and safety at work and investigate and report on incidents. | This processing is necessary to perform the contract between you and Ravnur and, where necessary, for compliance with legal obligations. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in managing its workforce and ensuring that each employee undertakes appropriate duties, are properly trained and undertake their roles correctly and in accordance with appropriate procedures. |
(e) | Identifying and communicating effectively with employees and other agents, including managing internal directories to facilitate contact and effective working and communication; | This processing is necessary to perform the contract between you and Ravnur. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in undertaking normal business operations and maintaining a dialogue with employees to ensure effective management and job satisfaction. |
(f) | Managing and operating appraisal, conduct, performance, capability, behavioral, absence and grievance related reviews, allegations (including those received as part of any whistleblowing/speak-up report), complaints, investigations and processes and other informal and formal HR and legal compliance processes and making related management decisions; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in addressing employee related concerns and issues and resolving the same and complying with applicable laws and regulations. |
(g) | Training, development, promotion, career and succession planning and business contingency planning; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in effective employee management to support its long-term business goals and outcomes to ensure it continues to retain as well as attract high caliber employees and consultants. |
(h) | Consultations or negotiations with employee representatives; | This processing is necessary for the compliance with legal obligations to which Ravnur is subject. |
(i) | Processing information about absence or medical information regarding physical or mental health or condition in order to: assess eligibility for incapacity or permanent disability related remuneration or benefits; determine fitness for work; facilitate a return to work; make adjustments or accommodations to duties or the workplace; make management decisions regarding employment or engagement or continued employment or engagement or redeployment; and conduct related management processes; | This processing is necessary for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in ensuring that employee undertakes appropriate duties, are properly trained, supported by management and undertake their roles correctly and in accordance with appropriate procedures.
|
(j) | For planning, managing and carrying out restructuring or redundancies or other change programs including appropriate consultation, selection, alternative employment searches and related management decisions; | This processing is necessary for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in making decisions relating to the future of its business in order to preserve its business operations or grow its business. |
(k) | Complying with reference requests where Ravnur is named by the individual as a referee; | Ravnur considers that it is in the legitimate interests of a new employer to receive confirmation of employment or engagement details from Ravnur for the purposes of confirming the former employee’s employment or engagement history. |
(l) | Operating email, IT, internet, social media, HR related and other company policies and procedures. To the extent permitted by applicable laws, Ravnur carries out monitoring of Ravnur’s IT systems to protect and maintain the integrity of Ravnur’s IT systems and infrastructure; to ensure compliance with Ravnur’s IT policies and to locate information through searches where needed for a legitimate business purpose; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in managing its workforce and operating its business through IT systems. The HR IT function is essential to ensuring that this can be carried out in the most effective way. |
(m) | Protecting the private, confidential and proprietary information of Ravnur, its employees, clients and third parties and protecting the security of our sites, systems, employees and visitors; | This processing is necessary for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in ensuring that its business, clients, employees and systems are protected. This includes protecting our assets and the integrity of our systems; and detecting and preventing loss of our confidential information and proprietary information. |
(n) | Complying with applicable laws and regulations (for example, maternity or parental leave legislation, working time and health and safety legislation, taxation rules, worker consultation requirements, other employment laws and regulations); | This processing is necessary for the compliance with legal obligations to which Ravnur is subject.
|
(o) | Planning, due diligence and implementation in relation to a commercial transaction or service transfer involving Ravnur that impacts on your relationship with Ravnur for example mergers and acquisitions or a transfer of your employment under applicable automatic transfer rules; | This processing is necessary for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur needs to make decisions relating to the future of its business in order to preserve its business operations or grow its business. |
(p) | Provision of information to Ravnur’s owners, investors, asset managers, lenders for use, review, analysis in their capacity as such or pursuant to performance of contract;
| This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in sharing information with its owners, investors, asset managers and lenders in order for them to be able to carry out the necessary reviews and analyses in their capacities. |
(q) | For business operational and reporting documentation such as the preparation of annual reports or tenders for work or client team records, including the use of photographic images; | This processing is necessary to perform the contract between you and Ravnur. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in ensuring that each employee undertakes appropriate duties and undertaking normal business operations.
|
(r) | Where relevant, for publishing appropriate internal or external communications or publicity material (including via social media in appropriate circumstances); | This processing is necessary to perform the contract between you and Ravnur. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest to support its long-term business goals and outcomes and Ravnur wishes to maintain its world class reputation.
|
(s) | To support HR administration and management and maintaining and processing general records necessary to manage the employment, employees or other relationship and operate the contract of employment or engagement; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in effective employee management to support its long-term business goals and outcomes. |
(t) | To change access permissions, including creating IT access rights; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in complying with Ravnur policies and access controls. |
(u) | To provide technical support, including and maintenance for HR information and other IT systems; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in managing its The HR IT function which is essential. |
(v) | To enforce our legal rights and obligations, and for any purposes in connection with any legal claims, reports of violations or allegations made by, against or otherwise involving you; | This processing is necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur has a legitimate interest in protecting its organization from breaches of legal obligations owed to it and defending itself against litigation. This is needed to ensure that Ravnur’s legal rights and interests are protected appropriately, to protect Ravnur’s reputation and to protect Ravnur from other damage or loss. This processing is also necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject.
|
(w) | Make decisions on continuation of employment or engagement and administer terminations; | This processing is necessary to perform the contract between you and Ravnur and for the compliance with legal obligations to which Ravnur is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in managing its workforce. |
(x) | To comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities; | This processing is necessary for the purpose of the legitimate interests pursued by Ravnur. Ravnur considers that it has a legitimate interest in protecting its organization from breaches of legal obligations owed to it and to defend itself from litigation. |
(y) | Other purposes permitted by applicable laws, including legitimate interests pursued by Ravnur where these are not overridden by the interests or fundamental rights and freedoms of employees. | This processing is necessary to comply with our legal obligations. This processing is also necessary for the purpose of the legitimate interests pursued by Ravnur. |
Please note that this is not an exhaustive list, and we may process your personal data for other purposes that are consistent with the legal basis on which we process your personal data. Further, additional information regarding specific processing of personal data may be notified to you locally or as set out in applicable policies.
Special categories of personal data
In addition, where we process special categories of personal data, this will always be justified on the basis of an additional lawful condition.
The processing of special categories of personal data (for example, data relating to health, sexual life, sexual orientation, racial or ethnic origin, trade union membership, political opinions or religious or philosophical beliefs) will be justified by one of the following special conditions:
- the processing is necessary for the purposes of carrying out obligations under employment law, social security law and for social protection, if there is no reason to believe that your legitimate interests for excluding the processing of your personal data prevails (Article 9 2. (b) GDPR) (for example, complying with health and safety rules, statutory sick pay, making reasonable adjustments for someone with a disability or ensuring any dismissal is fair);
- the processing is voluntary and is carried out subject to your explicit consent for one or more specific purposes (Article 9 2. (a) GDPR) (for example if you wish to participate in an additional support program or benefit related to incapacity or health promotion). If we are relying on consent, we will be clear about this and will not rely on consent if there is another relevant lawful condition;
- the processing is necessary for the establishment, exercise or defense of legal claims (Article 9 2. (f) GDPR) (whether a claim is made by you or a third party);
- the processing is necessary for an assessment of your working capacity carried out by a health professional (Article 9 2. (h) GDPR) (for example, an occupational health report);
- the processing is necessary for reasons of substantial public interests authorized by local law (Article 9 2. (g) GDPR) (for example, preventing or detecting unlawful acts or equal opportunities monitoring where permitted by local law); or
- in exceptional circumstances, the processing is necessary to protect your vital interests and you are incapable of giving consent (Article 9 2. (c) GDPR) (for example in a medical emergency).
This may include the following, although this is not an exhaustive list
| Purpose for processing | Lawful basis |
(a) | Assess and review eligibility to work for Ravnur in the jurisdiction in which you work; | This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or Ravnur in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
|
(b) | Compliance with employment, health and safety or social security laws. For example, to provide statutory incapacity or maternity benefits, avoid breaching legal duties to you, to ensure fair and lawful management of your employment, avoid unlawful termination of your employment, to administer Ravnur’s private medical and long-term disability schemes, to make reasonable accommodations or adjustments and avoid unlawful discrimination or dealing with complaints arising in this regard | This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or Ravnur in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. To the extent that this data is managed by our occupational health advisers, this processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity and management support that can be provided in terms of reasonable work adjustments, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws |
(c) | Management and investigation of any complaint under Ravnur’s grievance policy (or other relevant policies), where such characteristics or information are relevant to the particular complaint, in order to comply with employment law obligations. | This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or Ravnur in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. The processing is also necessary in order for Ravnur to establish, exercise and defend legal claims as a result of a complaint under Ravnur’s policies. |
We may seek your consent to certain processing which is not otherwise justified under one of the above bases. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your employment or engagement to agree to any request for consent from Ravnur.
Criminal offenses data
We will process criminal data relating to you should any criminal activity take place in connection with the workplace, in order to further investigate such activities and if necessary take legal actions.
If such personal data constitutes criminal data as defined under Article 10 of the GDPR, we will only process such data if necessary to establish, exercise or defend legal claims.
Retention of personal data
We only retain employee personal data for as long as required to satisfy the purpose for which it was collected by us or provided by you. We therefore will retain your personal data as a minimum for the duration of your employment with us or for a shorter period if your personal data is no longer necessary for the purpose for which it was collected or no longer accurate/up to date.
In certain cases, legal or regulatory obligations (for example in the case of tax related matters) require us to retain specific records for a set period of time, including following the end of your employment. In the case of tax/bookkeeping related matters we are for example obliged to keep data concerning your remuneration for at least seven years.
We are using the following criteria to establish our retention period: (i) as long as we have an ongoing employment relationship with you (or for a shorter period provided that the personal data is no longer necessary in relation to the purposes for which they were collected); (ii) as required by legal obligations to which we are subject (such as tax and accounting obligations); (iii) as advisable in light of our legal position (such as applicable statutes of limitations) in order to establish, exercise and defend against legal claims; and (iv) as necessary to meet our legitimate business needs (such as for forecasting, planning, follow-up etc.).
Disclosures of personal data
Internally your managers, HR professionals supporting your work area, and, in some cases, certain colleagues will have access to some of your personal data where relevant to their role.
We routinely share your personal data with other members of the Ravnur group where required in order to, for example, run global processes, carry out group wide reporting, or assist with workforce planning.
Certain basic personal data, such as your name, location, job title, contact information and any published skills and experience profile may also be accessible to other staff.
We may also be required to disclose your personal data to third parties where permitted under local law. This will include suppliers which help us provide HR services, tax or other authorities, a regulator or a professional adviser.
Examples of third parties with whom your data may be shared include tax authorities, medical/occupational health professionals, regulatory authorities, law enforcement and regulatory bodies, Ravnur’s insurers, bankers, IT administrators, lawyers, accountants, data center providers, doctors or other healthcare providers, auditors, notaries, investors, lenders, training providers, landlords, office access providers, social media and marketing suppliers, consultants and other professional advisors, payroll/tax providers, and administrators of Ravnur’s benefits programs. Your personal data is also accessed by third parties whom we work together with in connection with IT services, such as hosting, supporting and maintaining the framework of our information systems.
Ravnur expects such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security. Where these third parties act as a “data processor” (for example, a payroll provider), they carry out their tasks on our behalf and upon our instructions for the above-mentioned purposes. In this case your personal data will only be disclosed to these parties to the extent necessary to provide the required services.
We may also share limited information with clients where you are part of a client team or proposed team in a tender process.
We may use third party suppliers to help us provide HR services. These third parties may have access to or merely host your personal data, but will always do so under our instruction and subject to a contractual relationship.
Some third parties to whom we may provide personal data, for instance private health insurance or occupational health providers or professional advisers or regulators, are data controllers in their own right, and you should refer to their own privacy notices and policies in respect of how they use your personal data.
We may also be required to disclose your personal data to third parties in response to orders or requests from a court, regulators, government agencies, parties to a legal proceeding or public authorities, or to comply with regulatory requirements or as part of a dialogue with a regulator.
Your personal data may also be disclosed to advisors, potential transaction partners or interested third parties in connection with the consideration, negotiation or completion of a corporate transaction or restructuring of the business or assets of any part of the Ravnur group.
Please contact us if you have any questions regarding recipients of your personal data or would like more detail than is set out in this Notice.
Cross-border Transfers
The global nature of our business means that your personal data may be disclosed to members of the Ravnur group outside of the EEA, particularly in the USA. Certain suppliers and service providers may also have personnel or systems located outside of the EEA or USA. As a result, your personal data may be transferred to countries outside of the country in which you work to countries whose data protection laws may be less stringent than yours.
In this context, your personal data may be transferred outside the European Economic Area (EEA) for the purposes set forth in this Notice, to countries that may not offer a level of protection of personal data equivalent to that offered within the EEA.
Where third parties transfer your personal data outside of the EEA, we will take steps to ensure that your personal data receives an adequate level of protection, including by, for example, entering into data transfer agreements or by ensuring that third parties are certified under appropriate data protection schemes.
You have a right to request a copy of any data transfer agreement under which your personal data is transferred, or to otherwise have access to the safeguards used by contacting us. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity.
Data Subject Rights
Right to access, correct and delete your personal data
Ravnur aims to ensure that all personal data we store is correct. You also have a responsibility to ensure that changes in personal circumstances (for example, change of address and bank accounts) are notified to Ravnur so that we can ensure that your data is up to date.
You have the right to request access to any of your personal data that Ravnur may hold, and ask us to:
- Confirm whether we are processing your personal data;
- Give you a copy of that data;
- Provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any automated decision making or profiling.
You have the right to request us to rectify any inaccurate personal data relating to you.
You furthermore have the right to request erasure of any irrelevant personal data we hold about you, but only where:
- It is no longer needed for the purposes for which it was collected or otherwise processed; or
- You have withdrawn your consent (where the data processing was based on consent) and there is no other legal ground for the processing; or
- Following a successful right to object; or
- It has been processed unlawfully; or
- To comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
- For compliance with a legal obligation; or
- For the establishment, exercise or defense of legal claims.
There are other certain circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
Additional rights
You also have the following additional rights:
Data portability – where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have the right to receive all such personal data which you have provided to Ravnur in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to restriction of processing – you have the right to restrict our processing of your personal data where:
- you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;
- where the processing is unlawful, but you do not want us to erase the data;
- where we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; or
- where you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether Ravnur has compelling legitimate grounds to continue processing.
Where personal data is subjected to restriction in this way, we will only process it with your consent or for the establishment, exercise or defense of legal claims.
Right to withdraw consent – where you have provided us with your consent to process data, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You can do this in some cases by deleting the relevant data from the relevant HR system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our data retention policy).
Right to object to processing justified on legitimate interest grounds – where we are relying upon legitimate interests to process data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis
You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the processing of your personal data infringes applicable law.
If you wish to investigate the exercising of any of these rights, please contact privacy@ravnur.com or your local Data Protection Authority.
Additional Privacy Notices
We may undertake certain processing of personal data which are subject to additional Privacy Notices, and we shall bring these to your attention where they engage.
Notice of changes
Ravnur may change or update this Notice at any time.
Should we change our approach to data protection, you will be informed of these changes or made aware that we have updated this Notice so that you know which information we process and how we use this information.
