Classification: General NCC Group Alumni Privacy Notice Version 1.0 Page 1
NCC Group - Alumni Privacy Notice
We’re committed to protecting your rights and freedoms with regards to your personal data. This notice describes how we collect, store, use, and share personal information. It also explains the rights you have in relation to the personal information that we hold about you.
This notice is applicable to all members, and applicants, to the NCC Group Alumni program, including previous colleagues from permanent and fixed term roles. It applies to agents and contractors, as well as other roles such as interns, trainees and graduates who work on an NCC Group project. Please note, this notice relates to the processing of personal data by NCC Group – the Alumni program is hosted and maintained by Enterprise Alumni; for more information on their privacy practices please see https://enterprisealumni.com/infosec-compliance/eu-us-privacy-shield-privacy-policy/.
Please note that we have layered this Notice in order to simplify the content, which is in accordance with good practice guidance issued by the EU Data Protection Regulators. This means we have embedded links to further information at the appropriate point, to ensure this is easily accessible. We have checked these links are authentic prior to publication.
As of the 31st January 2020, the UK is no longer part of the EU. Hence the EU’s GDPR no longer applies. However, the UK government has directly translated the EU GDPR into UK law. Therefore, all requirements remain the same, and all references to the GDPR relate to both the UK and EU regimes.
Who we are
When we say ‘we’ or ‘us’ in this notice, we’re referring to NCC Group plc, a company registered in England and Wales (registered number 04627044) whose registered office is at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.
Within NCC Group additional entities will be classed as previous employers, so will also process your personal data as ‘Data Controllers’. Please see your contract for the applicable entity, which includes;
• Australia – NCC Group PTY Ltd
• Canada – NCC Group Security Services Corporation
• Denmark – NCC Group A/S
• Germany – NCC Group GMBH
• Japan – NCC Group Japan K.K
• Lithuania – NCC Group UAB
• Netherlands - Fox IT BV, NCC Group Escrow Europe BV
• Singapore - NCC Group Pte Limited
• Spain – NCC Group Security Services España SL
• Sweden – Cyber Assurance Sweden AB
• Switzerland – NCC Group Escrow Europe (Switzerland) AG
• United Arab Emirates – NCC Group FZ-LLC
• UK - NCC Group Security Services Ltd, NCC Services Limited, NCC Group Corporate Limited
• US – NCC Group Security Services Inc, NCC Group Inc, NCC Group Escrow Associates LLC, Payment Software Company Inc, Virtual Security Research LLC
What kinds of information do we collect about you?
To make sure this privacy notice is clear for everyone, we’ve summarised the types of personal data below;
• Personal - such as name, date and place of birth, contact numbers, email, address, gender, picture.
• Education and training - qualifications, training records and any professional certifications relevant to your role.
• Job-related - such as current and previous roles, CVs and employment start/end dates.
Why do we use your personal information?
We keep personal information about you in order to administer our Alumni program and to allow us to improve our processes. This includes for:
• Identification of Alumni users and prior roles at NCC Group to assess eligibility
• Administration of the Alumni system, including managing system access and monitoring usage
• Using resume/CV data provided by the user to deliver content, information, and experiences the user may find of value.
Where do we get your information from?
NCC Group will hold data previously collected and processed as part of your prior employment (a copy of our Colleague Privacy Notice is available to previous employees on request). The majority of information processed by the system will be provided directly by you through the Alumni platform, or by Enterprise Alumni in relation to your use of the Alumni platform.
Where data is likely to be obtained from other sources, such as LinkedIn, we’ll look to make sure you’re informed in advance – for example as part of privacy notices or at the point of requesting information. This privacy notice shall be published on our website.
How do we use your personal information, and what are our legal grounds?
Worldwide, a number of Data Protection laws require organisations to process personal information only where we have a ‘lawful basis’. This section will explain the legal basis/es applicable in your country.
Please make sure you read the ‘Use of your Information’ column below regardless of your location.
• For sensitive information, such as diversity information, consent is required.
• (A legal basis is not required for non-sensitive information.)
• Consent is required.
• Consent is not required for transfers to the UK / EU (where a lot of employee data is stored), or for transfers to providers of outsourced services (such as Workday).
• Consent is required for Special Care-required Personal Information such as diversity data.
• We use the employment conditions for collection and use of your data.
• Consent is required for diversity information.
• N/a – only federal entities require a legal basis.
• Consent is required for private or family life information – i.e. diversity information and beneficiaries / emergency contact details.
• N/a – legal basis isn’t required.
Where we process your personal data based on consent as within your local data protection law, it is worth noting that this is not the same as consent under the GDPR. The requirements for GDPR-standard consent mean this can only be used in very specific circumstances; while it is unlikely to be applicable to employees, it is more applicable to previous employees providing optional information.
Where we are using non-GDPR standard consent, we will imply your consent by way of you entering into a contract with us, and will make sure the consent is informed by way of providing you with this notice. However please note that if you withdraw your consent, then we may not delete your data if we have a good reason for keeping it.
Below you can see more detail on legal bases under the General Data Protection Regulation;
Use of your information
User Profiles and Email Marketing
Where a user opts to provide and share profile data with us, we will use this to develop a profile and enable the platform to deliver content, information, and experiences the user may find of value. Within the platform, users are able to engage with the company, with other Alumni, explore job opportunities and other community driven functions.
Your personal information may be processed when we receive your consent. The consent you provide must be freely given, informed, specific, unambiguous and be given with a positive affirmative action. Your consent can be withdrawn at any time.
Consent is not usually deemed appropriate for employee data, however this legal basis is more appropriate for the additional processing of data relating to previous employees. It is also a legal requirement for email marketing in many jurisdictions.
We may disclose or share your personal data in order to comply with any legal obligation such as a court order.
Necessary for compliance with a legal obligation
Your personal information may be processed in order to meet any legal obligations NCC Group is subject to.
We may disclose your information to the police or other authorities if we have serious concerns about you or another’s wellbeing.
Necessary to protect vital interests
This will usually only apply in ‘life-or-death’ scenarios.
Necessary for legitimate interests
We also use your information when we have a ‘legitimate interest’ and that interest isn’t outweighed by your privacy rights. Each activity is assessed and your rights and freedoms are taken into account to make sure that we’re not being intrusive or doing anything beyond your reasonable expectation.
We’ll assess the information we need, so we only use the minimum. If you want further information about processing under legitimate interests you can contact us using the details below.
You also have the right to object to any processing done under legitimate interests. We’ll re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason we may still continue to use your information. We use legitimate interests for the following:
Use of your information
Record of eligibility
We will assess any request to join the program against our internal HR records to ensure that the request has come from a valid user who meets eligibility requirements (for example, have previously worked for NCC Group).
We need to ensure that any users wishing to join the program are eligible (e.g. have previously worked for NCC Group).
Additionally, we need to attract candidates who have the talents which will enable us to meet our commitments to our clients and develop our business and
User access and administration
We monitor the overall usage of the platform in order to improve service offering, provide support and assess the effectiveness of the Alumni program and its security controls.
We need to monitor the overall usage of the platform in order to improve service offering, provide support and assess the effectiveness of the Alumni program.
Additionally, we will need to ensure that access controls are appropriate and monitor the platform’s compliance against internal policies, legal requirements and user expectations.
Analysis and management reporting
We analyse and report on our engagement activities (such as recruitment postings). Where we do so, we do this to produce aggregated reports – i.e. facts and figures, which no longer contain personal data. Any monitoring of individuals would only take place as part of a compliance monitoring assessment or an investigation.
We need to analyse and assess our recruitment performance in order to optimise our resources and ensure we’re recruiting the right people promptly.
We need to make sure we’re appropriately allocating our resources.
Who do we share your personal information with?
We share your personal data with other organisations. Who we share your personal data with will depend on the job you have applied for and which location you are in. The organisations we share personal data with are as follows;
• Systems providers such as Enterprise Alumni, our Alumni platform.
• Government bodies and Regulators such as UWV, HMRC, the Health & Safety Executive (HSE), Federal Trade Commission, data protection regulators worldwide.
• Professional services providers and consultants where warranted, such as contractors, external auditors and lawyers.
We will always ensure that personal data will only be shared where there is a requirement to do so, and where appropriate technical, organisational, and where necessary, contractual measures are in place in order to ensure its protection.
The data that we process about you may be transferred to, or stored at, a destination outside the UK and / or European Economic Area ("EEA"). It may also be processed by staff operating outside the UK / EEA who work for us or for one of our suppliers.
We need to have legal grounds to transfer your data outside of the UK / EEA. Some countries have been assessed by the EU as being ‘adequate’, which means their legal system offers a level of protection for personal information which is equal to the EU’s protection. The EU Commissioner (and the Information Commissioner’s Office for the UK) has also approved Binding Corporate Rules (BCRs) as an adequacy mechanism. This requires the company to commit to European data protection standards and provide oversight mechanisms, but BCRs are approved for a group of companies, in conjunction with all EU supervisory authorities, and require extensive monitoring and oversight before the BCRs are authorised.
Where the country or mechanism hasn’t been assessed as adequate, the method we use most frequently is Standard Contractual Clauses (SCCs). The European Commission has recognised SCCs as offering adequate safeguards to protect your rights and we’ll use these where required ensuring adequate protection for your information. The European Commission approved standard contractual clauses are available here.
The main transfer of your personal data will be to Enterprise Alumni. The data is stored within the EEA – in Germany - however if we need specialist support on a change or initiative, there may be some remote access by Enterprise Alumni or other application management specialists in the US. We have SCCs in place in our contract with Enterprise Alumni. We have also conducted extensive due diligence on Enterprise Alumni’s controls.
If you’re based in a country outside of the EEA, there may be local obligations with regards to the transfer. See below for details of the controls which we will apply to satisfy these;
• Australia – contractual commitments to comply with the Privacy Principles.
• Canada – clear privacy notices explaining the transfer. We also need to tell you who to contact for more information. Please contact the Privacy Team as per the Contact section below.
• Japan – the UK and the EU are classed as adequate, so there are no obligations in relation to such transfers. For any other transfers, we ensure the recipient has established similarly adequate standards for privacy protection as specified in the Act on the Protection of Personal Information.
• Singapore – standard contractual clauses & BCRs are approved mechanisms.
• US – n/a - no restrictions around overseas transfers in the US.
How long do we keep personal information for?
Unless otherwise set out in this Privacy Notice, any information we process about you will be retained by us until we no longer need it for the purposes for which it was collected, as set out in this Privacy Notice. We will base that decision on criteria, including;
• Any legal or regulatory requirements to delete or retain the data for a specific timeframe,
• Our legitimate business reasons for keeping the data, such as to analyse and assess our activities. This includes assessing the fairness of our recruitment practices,
• The likelihood of a claim arising where we’d need to defend our conduct, and;
• Whether the data is likely to remain up to date.
We will review and delete or destroy personal data on a regular basis. If we are unable, using reasonable endeavours, to delete or destroy personal data we will ensure that the personal data is encrypted or protected by security measures so that it is not readily available or accessible by us.
Automated decisions / profiling
Automated decisions are where a computer makes a decision about you without a person being involved. We don’t make any automated decisions about eligibility or to assess users of the platform.
We do use testing for technical vacancies posted on the platform, but this isn’t automated. We may look to use tools which automate this in the future, but before we do we will assess this for fairness, and update this notice if this goes ahead.
Your rights under the General Data Protection Regulation
There are a number of rights available under the General Data Protection Regulation (GDPR). These don’t usually require any fee, and require us to respond within 1 calendar month in most circumstances. Not all rights apply in all situations, but for clarity we have not included full details here.
The easiest way to exercise any of your rights, or enquire if a right is applicable in a specific circumstance, would be to contact our Data Privacy Team using the contact details below. If we need further information to comply with your request we’ll let you know.
If you are not based within the EEA, the Data Privacy Team will assess your request based on our ability to provide for your rights rather than your location.
Access to your data
You have the right to ask for access to and receive copies of your personal data. You can also ask us to provide a range of information relating to our processing of your data.
Rectification of your data
If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to correct that information.
Right to be forgotten
In some circumstances, you have the right to ask us to delete personal data we hold about you.
Right to restrict processing
In some circumstances you are entitled to ask us to restrict processing of your personal data. This means we will stop using your personal data but we don’t have to delete it.
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller.
Right to object
You are entitled to object to us processing your personal data if the processing is based on legitimate interests and/or is for the purposes of scientific or historical research / statistics.
Right to opt-out of the sale of your data
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) you have the right, at any time, to direct a business that sells personal information about you to third parties not to sell your personal information.
A business that has received direction not to sell a consumer’s personal information shall be prohibited from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
Any objections relating to the sale or use of personal data for marketing purposes shall be actioned without question or undue delay.
Right to disclosure of information sold
Under the CCPA/CPRA, Californian residents have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to you:
• The categories of personal information that the business collected about you.
• The categories of personal information that a business sold about you and the categories of third parties to whom the personal information was sold.
• The categories of personal information that the business disclosed about you for a business purpose.
If you would like to exercise any of your rights in respect of your personal data, please contact firstname.lastname@example.org or write to us at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.
Changes to this Privacy Notice
Any changes we may make to the Candidate Data Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes.
Our Chief Data Protection & Governance Officer can be contacted using the following email address: email@example.com, or alternatively by writing to XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.
Questions, comments and requests regarding the Staff Data Privacy Notice are welcomed and should be addressed to firstname.lastname@example.org.
If you have any concerns about the ways in which we process your personal data, you have a right to complain to the relevant supervisory authority in your jurisdiction. We’d encourage you to contact us first, so we can address your concerns.
Please see below for details of the relevant regulators;
• Denmark
  o Datatilsynet
  o T: 33 19 32 00
• Germany
  o Bayerisches Landesamt für Datenschutzaufsicht
  o 0981 1800930
• Lithuania
  o State Data Protection Inspectorate
  o T: 271 2804 / 279 1445
• Netherlands
  o Autoriteit Persoonsgegevens
  o T: 070 888 8501
• Spain
  o Agencia Española Protección de Datos
  o T: 901 100 099 / 91 266 35 17
• Sweden
  o Swedish Authority for Privacy Protection (IMY)
  o T: 08-657 61 00
• Switzerland
  o Schweizerische Eidgenossenschaft
  o T: 058 462 43 95
• UK
  o Information Commissioner’s Office (ICO)
  o T: 0303 123 1113
Control Information Title
NCC Group - Alumni Privacy Notice
Date of issue
Version history Version
Description of change
Minor updates and comment for review by DH.
Minor updates and comment for review by DH
Minor updates and uplifted to published version.