Privacy policy

  1. Purpose
    1. The purpose of this document is to set out the overall policy of enfinium Ltd and its subsidiary companies in the UK (“enfinium” or “the Company”) in relation to the collection, use, processing, management and disclosure of Personal Data in relation to Data Subjects or Third Parties in accordance with the requirements of data protection law and guidance provided by the UK Data Protection Authority.
    2. This policy aims to protect the confidentiality and integrity of employee, customer, supplier and Third Party Personal Data, in accordance with Regulation (EU) 2016/679 (“GDPR”), national data protection laws and in line with our ENFINIUM values.
  2. Scope
    1. enfinium Policies and Procedures apply to all enfinium employees and dictate when and how Personal Data may be collected and shared. This is applicable for sharing data:
      1. Within enfinium;
      2. With employees, whether within enfinium or other entities in the enfinium group;
      3. With approved Third Parties located either in or outside the UK.
    2. enfinium must only collect, access, use and disclose Personal Data:
      1. as permitted under applicable laws (including but not limited to GDPR);
      2. in a manner consistent with enfinium Privacy Policy and Procedures; and
      3. as required in the course of their employment.
    3. If you have any questions or would like to raise a suspected breach of these laws and policies, please contact dataprotection@enfinium.co.uk.
  3. References
    1. Information Security Policy: Document IT-POL-001
    2. Technology Acceptable Use Policy: Document IT-POL-003
  4. Definitions
    1. Personal Data

      Personal Data is any information relating to a natural person who can be identified, directly or indirectly. Personal Data includes, but is not limited to, any individually identifiable information that is maintained or transmitted about a living person in any form, including electronic, and that identifies or could be used to identify them.

    2. GDPR

      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

    3. Data Controller

      A legal entity that determines the purposes and means for the processing of Personal Data.

    4. Data Processor

      A legal entity processing Personal Data on behalf of a Data Controller.

    5. Processor Agreement

      An agreement with a Third Party Data Processor that follows the template agreement approved by enfinium and the UK Legal Department.

    6. Data Protection Authority

      The independent public authority that supervises the application of European data protection laws, through investigative and corrective powers.

    7. Data Subject

      An identifiable natural person whose Personal Data is being collected, held or processed.

    8. Data Subject Rights

      The set of rights provided to Data Subjects by the GDPR:
      1. the right to be informed about the collection and the use of their Personal Data;
      2. the right to access Personal Data and supplementary information;
      3. the right to have inaccurate Personal Data rectified, or completed if it is incomplete;
      4. the right to erasure (to be forgotten) in certain circumstances;
      5. the right to restrict processing in certain circumstances;
      6. the right to data portability, which allows the Data Subject to obtain and reuse their Personal Data for their own purposes across different services;
      7. the right to object to processing in certain circumstances;
      8. rights in relation to automated decision making and profiling;
      9. the right to withdraw consent at any time (where relevant);
      10. the right to lodge a complaint.

    9. IT Resources

      All hardware and software including, but not limited to, host computers, files, applications, communications, email, fax, intranet, print servers, Workstations, stand-alone computers, laptops, handhelds, mobile phones, printers, software, hubs, switches, routers, cables, and all other internal and external computer and communications resources and devices which may receive, transmit, and/or store enfinium Personal Data.

  5. Responsibilities
    1. The UK Managing Director is responsible for the implementation of this Policy and other related policies and procedures, including the communication and detailed interpretation, monitoring and any disciplinary action in response to an apparent breach of this Policy. The UK General Counsel is responsible for maintaining and reviewing this Policy and for clarifying and resolving any issues arising in relation to it.
  6. Collection and processing of personal data
    1. enfinium (certain legal entities individually or enfinium collectively in certain cases) may collect and process personal data for any individuals who work for enfinium or otherwise in relation to one of enfinium’s corporate customers or suppliers and are engaging with enfinium on behalf of that organisation, whether through our website or otherwise in connection with normal business activities. The following non-exhaustive categories include:
      1. Master data: first name and family name, middle name, preferred first name, address and address details including address types (such as Home or Additional), municipality/city, postal code, country ISO code, email address and email type (Work, Home, Additional), telephone number and phone type (Work, Home, Additional), international phone code, area code, phone device description, date of birth, gender, national ID and ID type code;
      2. Financial data: bank account, credit or debit card, credit reports and other financial data appropriate to support business transactions such as ACH transfers;
      3. Contractual data: Personal Data related to contracts with an individual;
      4. Health data: diagnoses, test results, treatment protocols, medications, statements or information in medical file, insurance information;
      5. Emergency contact information: first name and family name, and contact information (if provided by the employee) of a family member to be contacted in an emergency;
      6. Performance data: performance scores, development objectives and personal achievements of employees;
      7. Training data: records of training courses attended via contractor training centre services;
      8. Monitoring data: statistics and logs of enfinium IT systems’ activity, as well as usage of premises, platforms, applications and secured websites.
    2. In the event enfinium is acting in the role of a data processor, enfinium will follow the terms in its agreement with the applicable data controller (enfinium).
  7. Lawful basis for processing data
    1. When processing personal data, enfinium is required to have a legal basis to do so.
    2. To fulfil enfinium’s legal obligations and to enable enfinium to manage operations as well as to provide services to customers and employees or to comply with enfinium statutory obligations, enfinium processes Personal Data on the following legal bases for processing: Article 6 Section 1 (a), (b) and (c), and Article 9 Section 2 (h) of GDPR:
      1. With the Data Subject’s consent, Article 6(1)(a);
      2. For the performance of a contract, Article 6(1)(b);
      3. For compliance with a legal obligation to which enfinium is subject, Article 6(1)(c);
      4. For the purposes of preventative or occupational medicine, for the assessment of working capacity of employees, medical diagnosis, the provision of health or social care or the management of health or social care systems and services, Article 9(2)(h).
    3. In some situations, it may be necessary for enfinium to process personal data for the legitimate interest pursued by enfinium (under Article 6 Section 1(f) of GDPR) (after having weighed enfinium’s legitimate interests against the interests of the relevant Data Subjects); in particular:
      1. To conduct internal proceedings or investigations aimed at ensuring compliance of enfinium employees with the law and enfinium internal policy and procedures;
      2. For administrative purposes in relation to the security and access of enfinium systems, premises, platforms and secured websites and applications such as the enfinium website, Dynamics 365 Business Central, Microsoft Talent/HR, Miraclepay and Zetadocs Expenses;
      3. For administration purposes in relation to data backup and disaster recovery;
      4. For analysis of plant performance (pseudonymised or anonymised if necessary);
      5. For organising and holding internal enfinium events;
      6. To comply with enfinium legal and regulatory obligations and requests anywhere in the world, including reporting to and/or being audited by national and international regulatory bodies;
      7. To comply with court orders and exercise and/or defend enfinium legal rights and as otherwise permitted or required by any applicable law or regulation;
      8. In some cases, to send customers direct marketing communications;
      9. For the purposes of establishing, exercising and defending legal claims.
    4. enfinium will make every effort not to process personal data for any other purpose incompatible with the purposes outlined in relevant enfinium privacy notices, unless it is required or authorised by law or as authorised by Data Subjects. enfinium privacy notices will be updated to reflect any changes in enfinium’s data processing activities, as and when required.
    5. enfinium will make every effort to maintain the accuracy and completeness of the personal data it holds.
  8. Retention of personal data
    1. enfinium will retain personal data for the period defined by enfinium record retention policies and as required by national law.
    2. For some activities, processing of certain personal information continues after individuals have stopped receiving services from enfinium. However, enfinium will not keep personal information longer than is required or is appropriate in accordance with applicable law.
  9. Disclosure of data subject personal data
    1. In all circumstances, disclosure of a Data Subject’s personal data should be limited to the minimum necessary amount of personal data that would reasonably be needed to accomplish the intended purposes of the disclosure or request. enfinium employees must use appropriate methods for transmission of a Data Subject’s personal data as defined in the relevant IT and communications policies.
    2. If enfinium has agreed to a restriction on disclosure of a Data Subject’s personal data, enfinium may not use or disclose the personal data covered by the restriction.
    3. enfinium is permitted to transfer a Data Subject’s personal data:
      1. To any enfinium companies or any companies in the same corporate group as enfinium (including those outside of the EEA, see below);
      2. To third parties who process Personal Data on behalf of enfinium (such as enfinium systems providers, database maintainers or cloud providers);
      3. To third parties who process personal data on their own behalf while providing enfinium with a service on enfinium’s behalf (such as enfinium’s suppliers);
      4. To companies providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such information is shared;
      5. To any third party to whom enfinium assigns or novates any of enfinium’s rights or obligations;
      6. To any prospective buyer in the event enfinium sells any part of the business or assets; and/or
      7. To any government, regulatory agency, enforcement or exchange body or court where enfinium is required to do so by applicable law or regulation or at their request.
    4. Any enfinium employee carrying out such a transfer should ensure that enfinium has a legal basis for sharing personal data and that an appropriate contract is in place if needed.
  10. Contracting with third parties
    1. When enfinium shares personal data with a third party, it will:
      1. Ensure that it has carried out sufficient due diligence before doing so, to ensure that the third party can provide sufficient security and protection to the personal data;
      2. Document the transfer and, where relevant, enter into appropriate contracts which shall include GDPR-compliant data processing and data transfer terms if required.
    2. enfinium employees who initiate any new sharing of Personal Data with a third party must inform the Legal Department before doing so.
  11. Data subject rights
    1. Under GDPR all Data Subjects have a number of rights relating to their Personal Data, including the right to request access to their Personal Data; to have their Personal Data updated if it is inaccurate or incomplete; and to request erasure of their Personal Data if it is no longer required for business purposes.
    2. Other than requests for Data Subjects’ Personal Data outlined above, if you receive a Data Subject request in any format regarding any of the rights under GDPR you must immediately notify the Legal Department.
  12. Protection of personal data
    1. enfinium protects and secures personal data using a range of technical and organisational measures. All employees must make appropriate use of enfinium IT Resources and systems as outlined in the Technology Acceptable Use Policy. The Information Security Policy defines how Personal Data must be secured and protected.
    2. Personal Data must never be left unsecured (e.g. through papers left in public spaces or unlocked Workstation screens) and must always be transmitted using secure methods as outlined in the relevant IT and communications policies.
    3. When implementing any new administration processes, systems or technology, enfinium must make sure the risks associated with any change in the collection, use, storage, transfer or disclosure of Personal Data are fully assessed through completion of a data protection impact assessment (or DPIA).
  13. Responding to a protected information incident
    1. The GDPR introduces strict timelines for responding to a Protected Information Incident involving Personal Data where the rights and freedoms of affected individuals may be impacted. A Protected Information Incident, under the GDPR, has a wide definition and could include any scenario where Personal Data is:
      1. accessed by an unauthorised Third Party (such as hacking/cyberattacks);
      2. sent to an incorrect recipient;
      3. lost or stolen;
      4. altered without permission; and
      5. made unavailable for a significant period of time (other than through routine maintenance).
    2. It is important that you report any suspected Protected Information Incident involving Personal Data immediately to the UK General Counsel.
    3. All employees should also familiarise themselves with enfinium’s Data Breach Notification Procedure.

If you have any general queries or questions about this policy,
please contact dataprotection@enfinium.co.uk in the first instance.