Privacy Policy
LUNA Students (the “Company”, “we”, “our” or “us”) holds and processes data on all current and former clients, service users, agency workers, consultants, sub-contractors, suppliers and visitors to our sites and offices, and third parties whose information you provide to us in connection with the business relationship (e.g. banking details, contact details, accident records, next-of-kin, emergency contact information and/or dependents) (“you” or “your”).
We take your data protection rights and our legal obligations seriously. Your Personal Information will be treated in a secure and confidential manner and only as set out below.
The following Privacy Notice describes the categories of Personal Information we may process, how your Personal Information may be processed, and how your privacy is safeguarded in the course of our relationship with you. It is intended to comply with our obligations to provide you with information about the Company’s processing of your Personal Information under privacy laws.
If you have any questions regarding the processing of your Personal Information or if you believe your privacy rights have been violated, please contact our HR Director, Paula Smith (details below). If you are aware of an unauthorised disclosure of data, please also refer this to our HR Director for guidance as to the applicable reporting requirements.
Paula Smith, HR Director (paulasmith@torsiongroup.co.uk)
Processing of personal information
The Company collects and processes your Personal Information for the purposes described in this Privacy Notice. As set out in the Data Protection Policy, Personal Information means any information describing or relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For example, it could be a photograph, email address, posts on social networking sites, medical information, computer IP address etc.
The company identified in your contract with us (whether issued by the Company or a third party) will be the data controller of your Personal Information. In addition, where processing of Personal Information is undertaken by other associated companies of the Company for their own independent purposes, these associated companies may be joint controllers of your Personal Information.
What do we process?
We may collect various types of Personal Information about you for the purposes described in this Privacy Notice including:
- Contact Details: your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, home address, home / mobile telephone number, email address, employer name, job title, employer address, and employer telephone number.
- Induction Data: your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, date of birth, age, home contact details (e.g., address, telephone number), employer name, occupation, card accreditation schemes (e.g., CSCS), medical conditions, and next-of-kin/dependent contact information.
- Accident / Incident Data: your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, gender, date of birth, age, home contact details (e.g. address, telephone number), national ID number, next-of-kin/dependent contact information, employer name, occupation, and accident / incident records (e.g. location, time, date, nature of injuries, medical history, hospital details);
- Pre-Qualification Data: names and contact details, qualifications, references, CV’s, application email/letter, vetting and verification information, and accident / incident records.
- Regulatory Data: records of your registration with any applicable regulatory authority, your regulated status and any regulatory references.
- Remuneration Data: your remuneration information (including hourly rate/contract pay information as applicable), bank account details and tax information; and
- Monitoring Data (to the extent permitted by applicable laws): Closed Circuit television footage, system and building/site login and access records, download and print records, call recordings, data caught by IT security programmes and filters.
Certain additional information may be collected where this is necessary and permitted by local applicable laws.
Special categories of personal information
To the extent permitted by applicable laws the Company may also collect and process a limited amount of Personal Information falling into special categories, sometimes called “sensitive personal data”. This term includes information relating to such matters as racial or ethnic origin, physical or mental health (including details of accommodations or adjustments), biometric data, genetic data, criminal records and information regarding criminal offences or proceedings.
How does the company collect data?
The Company collects and records your Personal Information from a variety of sources, but mainly directly from you. You will usually provide this information directly to us through your participation in pre-construction negotiations, competitive tendering processes, pre-qualification processes, emails you send, through verbal information which may be recorded, or through site inductions.
We may also obtain some information from third parties, for example, references from a previous client, credit agencies, companies house or where we employ a third party to carry out a background check (where permitted by applicable law).
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, Closed Circuit television, and email), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by the Company or a third-party provider of the relevant service. This type of data is generally not accessed on a routine basis, but access is possible. Access may occur, for instance, in situations where the Company is investigating criminal activity at our sites or offices or where the data is needed for compliance or valuation purposes.
Where we ask you to provide Personal Information to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. Failure to provide any mandatory information will mean that we cannot carry out certain processes. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases, it may mean that we are unable to continue with your engagement as the Company will not have the Personal Information, we believe to be necessary for the effective and efficient administration and management of our relationship with you.
Apart from Personal Information relating to yourself, you may also provide the Company with Personal Information of third parties, notably your staff or your dependents and other family members, for purposes of pre-qualification to our supply chain and contacting your next-of-kin in an emergency. Before you provide such third-party Personal Information to the Company you must first inform these third parties of any such data which you intend to provide and of the processing to be carried out by the Company, as detailed in this Privacy Notice.
What is the purpose and lawful basis for which data is processed?
Your Personal Information is collected and processed for various business purposes, in accordance with applicable laws. Data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g., in criminal investigations or for validating valuation payment claims). We may collect and process your Personal Information for various purposes, as set out in this Privacy Notice.
Where applicable data protection laws require us to process your Personal Information on the basis of a specific lawful justification, we generally process your Personal Information under one of the following bases:
- the processing is necessary for the legitimate interests pursued by the Company (being those purposes described in the section above), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of Personal Information.
- the processing is necessary for compliance with a legal obligation to which the Company is subject; or
- the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract.
We may on occasion process your Personal Information for the purpose of the legitimate interests pursued by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of Personal Information.
We have identified the following purposes for processing Personal Information. These purposes each relate to a lawful basis for processing, as required under applicable law. These purposes include:
No. |
Purpose for processing |
Lawful basis |
|
|
|
a) |
Appropriate vetting for appointment and supply chain development including, where relevant and appropriate, financial records, right to work verification, identity fraud checks, criminal record checks (if and to the extent permitted by applicable laws), references, relevant regulatory status, accident / incident data and professional qualifications; |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its business operations in the most effective way. The Company needs to make decisions relating to the future of its business in order to preserve its business operations or grow its business. These interests include the interests of our clients, service users, agency workers, consultants, sub-contractors and suppliers as a whole and the Company customer base. |
b) |
Providing and administering payments and making appropriate tax and social security deductions and contributions; |
This processing is necessary to perform the contract between you and the Company. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its clients, service users, agency workers, consultants, sub-contractors, suppliers and operating its business. |
c) |
Identifying and communicating effectively with our clients, service users, agency workers, consultants, sub-contractors and suppliers; |
This processing is necessary to perform the contract between you and the Company and maintaining relationships. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its clients, service users, agency workers, consultants, sub-contractors, suppliers and operating its business. This includes undertaking normal business operations and maintaining a dialogue with its clients, service users, agency workers, consultants, sub-contractors and suppliers.
|
d) |
Processing information about accidents / incidents or medical information regarding physical or mental health or condition in order to comply with HSE Investigations and regulations; |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
|
e) |
Complying with reference requests where the Company is named by the individual or business as a referee or where you have provided referees for the Company to contact; |
The Company considers that there is legitimate interest to receive or provide reference details for the client, service user, agency worker, consultant, sub-contractor or supplier it has previously appointed or intends to appoint. It is the policy of the Company to provide factual reference details only.
|
f) |
Operating email, IT, internet, social media, HR related and other company policies and procedures. To the extent permitted by applicable laws, the Company carries out monitoring of the Company’s IT systems to protect and maintain the integrity of the Company’s IT systems and infrastructure; to ensure compliance with the Company’s IT policies and to locate information through searches where needed for a legitimate business purpose; |
This processing is necessary to perform the contract between you and the Company and for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its clients, service users, agency workers, consultants, sub-contractors, suppliers and operating its business. The Marketing and IT function is essential to ensuring that this can be carried out in the most effective way. This includes maintaining the integrity and security of data and facilitating records management.
The Company considers effective IT management to support its long-term business goals and outcomes. |
g) |
Satisfying its regulatory obligations to supervise the persons appointed by it to conduct business on its behalf, including preventing, detecting and investigating a wide range of activities and behaviours, whether relating to specific business dealings or to the workplace generally and liaising with regulatory authorities; |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in ensuring that its business, clients, employees and systems are protected. This includes detecting and preventing crimes or criminal activity; ensuring that only appropriate clients, service users, agency workers, consultants, sub-contractors and suppliers are engaged in our business, and ensuring compliance with legal requirements placed upon us (both by EU and non-EU laws).
|
h) |
Protecting the private, confidential and proprietary information of the Company, its clients, service users, agency workers, consultants, sub-contractors, suppliers and third parties; |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in ensuring that its business, clients, service users, agency workers, consultants, sub-contractors, suppliers and systems are protected. This includes protecting our assets and the integrity of our systems and detecting and preventing loss of our / your confidential information and proprietary information.
|
i) |
Complying with applicable laws and regulation (for example working time and health and safety legislation, taxation rules and regulation to which the Company is subject in the conduct of its business); |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
|
j) |
Monitoring programmes to ensure equality of opportunity and diversity with regard to personal characteristics protected under applicable anti-discrimination laws and to comply with Corporate Social Responsibility applied by local planning authorities; |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has legitimate interests in ensuring that it takes action to prevent discrimination and promote an inclusive and diverse workplace.
The Company considers effective equality and diversity to support its long-term business goals and outcomes. The Company wishes to maintain its reputation and continue to attract high calibre clients, service users, agency workers, consultants, sub-contractors and suppliers.
|
k) |
Planning, due diligence and implementation in relation to a commercial transaction or service transfer involving the Company that impacts on your relationship with the Company for example mergers and acquisitions; |
This processing is necessary for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its business operations in the most effective way.
The Company needs to make decisions relating to the future of its business in order to preserve its business operations or grow its business. These interests include the interests of our clients, service users, agency workers, consultants, sub-contractors and suppliers as a whole.
The Company considers business transformation to support its long-term business goals and outcomes.
|
l) |
For business operational and reporting documentation such as the preparation of monthly reports or tenders for work or client team records including the use of photographic images; |
This processing is necessary to perform the contract between you and the Company. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its clients, service users, agency workers, consultants, sub-contractors, suppliers and operating its business.
|
m) |
Where relevant for publishing appropriate internal or external communications or publicity material including via social media in appropriate circumstances; |
This processing is necessary to perform the contract between you and the Company. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers effective marketing to support its long-term business goals and outcomes. The Company wishes to maintain its reputation and continue to attract high calibre clients, service users, agency workers, consultants, sub-contractors and suppliers.
|
n) |
To provide technical support and maintenance for our Supply Chain Database; |
This processing is necessary to perform the contract between you and the Company and for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in managing its clients, service users, agency workers, consultants, sub-contractors and suppliers. The IT functions are essential to ensuring that this can be carried out in the most effective way. This includes maintaining the integrity and security of data and facilitating records management.
|
o) |
To enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you; |
This processing is necessary to perform the contract between you and the Company and for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in protecting its organisation from breaches of legal obligations owed to it and to defend itself from litigation. This is needed to ensure that the company’s legal rights and interests are managed appropriately.
|
p) |
To comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country; |
This processing is necessary to perform the contract between you and the Company and for the compliance with legal obligations to which the Company is subject. This processing is also necessary for the purpose of the legitimate interests pursued by the Company.
The Company considers that it has a legitimate interest in ensuring that it complies with all legal requirements placed on it, whether those are EU obligations or non-EU obligations. The Company wishes to maintain its reputation as a good corporate citizen. This includes co-operating with authorities and government bodies.
|
q) |
Other purposes permitted by applicable laws, including legitimate interests pursued by the Company where these are not overridden by the interests or fundamental rights and freedoms of staff. |
Additional information regarding specific processing of Personal Information may be notified to you individually or as set out in applicable policies.
Legal bases for processing
Processing special categories of Personal Information or sensitive data
The sensitive or special categories of Personal Information that may be processed by the Company are set out in this Privacy Notice.
Where applicable, data protection laws require us to process such special categories of Personal Information on the basis of a specific lawful justification, we process the same under one of the following bases:
- the processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
- the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws.
- the processing is necessary to protect your vital interests or of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency); or
- the processing is necessary for the establishment, exercise or defence of legal claims.
This may include the following, although this is not an exhaustive list:
No. |
Purpose for processing |
Lawful basis |
|
|
|
a) |
Assess and review eligibility to work for the Company in the jurisdiction in which you work; |
This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. |
b) |
The collection of statistical data subject to local laws, or where required to record such characteristics to comply with equality and diversity requirements of applicable local legislation or to keep the Company’s commitment to equal opportunity under review; |
This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
|
c) |
Compliance with employment, health and safety or social security laws. For example, to avoid breaching legal duties to you, to ensure fair and lawful management of your contract with us or avoid unlawful discrimination or dealing with complaints arising in this regard; |
This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws.
|
d) |
Management and investigation of any complaint where such characteristics or information are relevant to the particular complaint, in order to comply with employment law obligations. |
This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. |
We may seek your consent to certain processing which is not otherwise justified under one of the above bases. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your appointment to agree to any request for consent from the Company.
Processing data relating to criminal convictions and offences.
Personal Information relating to criminal convictions and offences will only be processed where authorised by applicable laws.
For example:
- a criminal record check may be carried out on appointment were authorised by applicable laws; or
- an allegation of a criminal offence or conviction arising during your relationship with the Company may be processed where required or authorised. For example, where we have a legal or regulatory requirement to report an offence or applicable laws authorise the Company to process information about the offence for the purpose of making decisions regarding your relationship with the Company.
Retention of personal information
The Company endeavours to ensure that Personal Information is kept as current as possible, and that irrelevant or excessive data is deleted or made anonymous as soon as reasonably practicable. However, some Personal Information may be retained for varying time periods in order to comply with legal and regulatory obligations and for other legitimate business reasons.
We will generally retain your Personal Information only so long as it is required for purposes for which it was collected. This will usually be the period of your contract with us plus the length of any applicable statutory limitation period following the contract completion, although some data may need to be kept for longer. We may keep some specific types of data for example, tax records, for different periods of time, as required by applicable law.
Please see the Company’s Data Retention Policy for further information.
Access to data
Within the Company, your Personal Information can be accessed by or may be disclosed internally on a need-to-know basis to:
- the Supply Chain Manager, Purchasing Manager, SHE Manager, Finance Manager who carry out the pre-qualification process.
- The Board and senior management responsible for managing or making decisions in connection with your relationship with the Company.
- our Pre-Construction and Project Teams to facilitate your appointment and site inductions; and
- where necessary for the performance of specific tasks or system maintenance by staff in the Company teams such as Finance, IT and Marketing.
Certain basic Personal Information, such as your name, location, job title, contact information and any published skills and experience profile may also be accessible to other employees. The security measures in place within the Company to protect your data are set out below.
Your Personal Information may also be accessed by third parties with whom we work together. Examples of third parties with whom your data will be shared include tax authorities, regulatory authorities, the Company’s insurers, bankers, IT administrators, lawyers, auditors, investors, consultants, site access providers, payment facilitators and other professional advisors. These currently include without limitation, PayApps, Sage, MSite, and Walker Morris and their associated companies and sub-contractors. The Company expects such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security.
Where these third parties act as a “data processor” (for example, a payment facilitator), they carry out their tasks on our behalf and upon our instructions for the above-mentioned purposes. In this case your Personal Information will only be disclosed to these parties to the extent necessary to provide the required services.
In addition, we may share Personal Information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
Security of data
The Company uses a variety of technical and organisational methods to secure your Personal Information in accordance with applicable laws.
The Company is committed to protecting the security of the Personal Information you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
Transfer of personal information
From time to time your Personal Information (including special categories of Personal Information) will be transferred to associated companies of the Company to process for the purposes described in this Privacy Notice. Personal Information may also be transferred to third parties, as set out above.
The Company will ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with applicable data protection laws.
Your rights
The Company aims to ensure that all Personal Information is correct. You also have a responsibility to ensure that changes in personal / business circumstances (for example, change of address and bank accounts) are notified to the Company so that we can ensure that your data is up to date.
- Right to access, correct and delete – You have the right to request access to any of your Personal Information that the Company may hold, and to request correction of any inaccurate data relating to you. You furthermore have the right to request deletion of any irrelevant data we hold about you.
- Data portability – where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that Personal Information is processed by automatic means, you have the right to receive all such Personal Information which you have provided to the Company in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
- Right to restriction of processing – you have the right to restrict our processing of your Personal Information where:
-
- you contest the accuracy of the Personal Information until we have taken sufficient steps to correct or verify its accuracy.
- the processing is unlawful, but you do not want us to erase the data.
- we no longer need the Personal Information for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether the Company has compelling legitimate grounds to continue processing.
Where Personal Information is subjected to restriction in this way, we will only process it with your consent or for the establishment, exercise or defence of legal claims.
- Right to withdraw consent – where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by contacting the HR Director.
- Right to object to processing justified on legitimate interest grounds – where we are relying upon legitimate interest to process data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your Personal Information infringes applicable law.
For further information regarding your rights, or to exercise any of your rights, please contact the HR Director.
Additional privacy notices
We may undertake certain processing of Personal Information which is subject to additional Privacy Notices, and we shall bring these to your attention where they engage.
Notice of changes
The Company may change or update this Privacy Notice at any time.
Should we change our approach to data protection, you will be informed of these changes or made aware that we have updated the Privacy Notice so that you know which information we process and how we use this information.