Oxley Privacy Notice
OXLEY (the “company”, “we”, “our”, or “us”) holds and processes data on all current and former clients, service users, agency workers, consultants, sub-contractors, suppliers and visitors to our sites and offices, and third parties whose information you provide us in connection with the business relationship (e.g. banking details, contact details, health and safety records, next-of-kin, emergency contact information and/or dependants) (“you or “your”)
The following Privacy Notice describes the categories of personal information we may process, how your Personal Information may be processed, and how your privacy is safeguarded during our relationship with you. It is intended to comply with our obligations to provide you with information about the Company’s processing of your Personal Information under privacy laws.
If you have any questions regarding the processing of your Personal Information or if you believe your privacy rights have been violated, please contact our Data Manager on firstname.lastname@example.org . If you are aware of an unauthorised disclosure of data, please also refer this to our Data Manager for guidance as to the applicable reporting requirements.
Access to Data
Within the company, your Personal Information can be accessed by or may be disclosed internally on a need-to-know basis to:
Certain basic Personal Information, such as your name, job title, contact information and any published skills and experience profile may also be accessible to other employees. The security measures in place within the company to protect your data are set out below.
Your Person Information may be accessed by third parties with whom we work together. Examples of third parties with whom your data will be shared include tax authorities, regulatory bodies, the companies’ insurers, bankers, IT, lawyers, auditors, investors, consultants, site access providers, payment facilitators and other professional advisors. The company expects such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security.
Where these third parties act as a Data Processor, they carry out their tasks on our behalf and upon our instructions for the above – mentioned purposes. In this case your Personal Information will only be disclosed to these parties to the extent necessary to provide the required services.
In addition, we may share Personal Information with national authorities to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
Processing of personal information
The company collects and processes your Personal Information for the purposes described in this Privacy Notice as set out in the Data Protection Policy, Personal Information means any information describing or relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For example, it could be a photograph, email address, posts on social networking sites, medical information, computer IP address etc.
The company identified in your contract with us (whether issued by the Company or a third party) will be the data controller of your Personal Information. In addition, where processing of Personal Information is undertaken by other associated companies of the Company for their own independent purposes, these associated companies may be joint controllers of your Personal Information.
WHAT DO WE PROCESS?
We may collect various types of Personal Information about you for the purposes described in this Privacy Notice including:
Certain additional information may be collected where this is necessary and permitted by local applicable laws.
Special Categories of Personal Information
To the extent permitted by applicable laws the company may also collect and process a limited amount of Personal Information falling into special categories, sometimes called “sensitive personal data”. This term includes information relating to such matters as racial or ethnic origin, physical or mental health (including details of accommodations or adjustments), biometric data, genetic data, criminal records and information regarding criminal offences or proceedings.
How does the company collect data?
The company collects and records your Personal Information from a variety of sources, but mainly directly from you. You will usually provide this information directly to us through your participation in pre-construction negotiations, competitive tendering processes, pre-qualification processes, emails you send, through verbal information which may be recorded, or through site inductions.
We may also obtain some information from third parties, for example, references from previous clients, credit agencies, companies house or where we employ a third party to carry out a background check.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (building/site access control/monitoring system, CCTV etc), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by the Company or a third-party provider of the relevant services. This type of data is generally not accessed on a routine basis but can be accessible if required. Access may occur in situations where the company is investigating criminal activity at our sites or offices or if the data is needed for compliance/valuation purposes.
Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and if particular information is required. Failure to provide any mandatory information could mean that we will not be able to carry out certain processes.
Apart from personal information relating to yourself, you may also provide the company with personal information of third parties, notably your staff or dependants and other family members for the purposes of pre-qualification to our supply chain and contacting your next-of-kin in an emergency. Before you provide such third party personal information to the company you must inform these third parties of any such data which you intend to provide and of the processing to be carried out by the company, as detailed in this privacy notice.
What is the purpose from which data is processed
Your personal information is collected and processed for various business purposes, in accordance with applicable laws. Data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. criminal investigations, validating payment claims). We may collect and process your personal information for various purposes, as set out in this Privacy Notice.
Where applicable data protection laws require us to your personal information based on a specific lawful justification, we generally process your personal information under one of the following bases:
We may seek your consent to certain processing, if consent is required for the processing in question, it will be sought from your separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your appointment to agree to any request for consent from the company.
The company aims to ensure that all personal information is correct. You also have a responsibility to ensure that changes in personal/business circumstances are notified to the company so that we can ensure that your data is up-to-date.
You have the right to access any of your personal information that the company may hold and to request correction of inaccurate data relating to you. You furthermore have the right to request deletion of any irrelevant data we hold about you.
You have the right to receive all personal information which you have provided to the company in a structured, commonly used and machine-readable format, and to require us to transmit it to another controller where this is technically feasible.
You have the right to restrict our processing off your personal information, we will only process this restricted data with your consent or for the establishment, exercise or defence of legal claims.