Games Workshop is committed to protecting your privacy. This notice describes how we collect and use personal information about you before, during and after your working relationship with us.

EMPLOYEE PRIVACY NOTICE                                                                                  MAY 2018

Games Workshop is committed to protecting your privacy. This notice describes how we collect and use personal information about you before, during and after your working relationship with us. This notice applies to all current and former employees.  This notice does not form part of any contract of employment.

The data controller of the personal information collected from you is Games Workshop Limited of Willow Road, Nottingham, NG7 2WS, United Kingdom.

Please read this notice carefully to understand how and why we are using your personal information.  

This policy is overseen by the Data Protection Manager of the Games Workshop group.  If you have any questions, complaints or requests please make contact with our Data Protection Manager by email: [email protected].

1. The kind of information we may hold about you

We may collect, store, and use the following categories of your personal information:

• Personal contact details: name, title, address, telephone number, email address.
• Date of birth.
• Marital status, spouse, dependents, family information.
• Next of kin and emergency contact information
• National insurance number.
• Recruitment information (including copies of right to work documentation, identification documents, references and other information included in a CV, cover letter, video application, or generally as part of the application process).
• Employment records (including start date, job titles, departments, work contact information, employment contract information, working time opt-in, work history, working hours, annual leave, absence and return to work information, training records).
• Salary/wage, bank account details, payroll records, tax status information, expenses records, pay deductions, bonus and PRP information, student loan account details.
• Travel information, passport details, copy of driving licence, car registration number.
• Time and attendance records, including overtime working records.
• Personal development records and MBTI information.
• Pension plan participation and contributions, sharesave participation and contributions, childcare scheme participation, discounted travel scheme participation, Cycle to Work scheme participation, and other benefits information.
• Performance information (including appraisals information).
• Investigation, case handling records, disciplinary and grievance information.
• CCTV footage and other information obtained through electronic means such as site access records.
• Information about use of our information and communication systems (such as internet and email use), including call recording.
• Photographs and videos, which may include images or footage taken in the course of business, or for identification purposes.

We may also collect, store and use the following ‘special categories’ of more sensitive personal information:

• Information about your race, ethnicity or religious beliefs.
• Transgender status.
• Sexual orientation.
• Disability status.
• Information about your health, including any medical condition and/or disability, health and sickness records, eye sight status, health surveillance records, accident/injury details.
• Biometric data, including fingerprint data.

We may also collect, store and use information about criminal convictions and offences.

2.         How is your personal information collected?

We collect information about potential employees through the application and recruitment process, either directly from candidates or sometimes from other sources such as recruitment agencies, former employers, background check providers and regulatory authorities.

We will collect additional information about employees in the course of job related activities throughout the period you work for us.

3.         Why do we collect your personal information?

The situations in which we will process your personal information are listed below:

• Assessment of candidate suitability, and recruitment
• Maintaining talent pools of candidates for future job opportunities
• Contacting you about future job opportunities which may be of interest to you
• Checking you are legally entitled to work in the UK
• Determining the terms on which you work for us, administering the contract we have entered into with you, and maintaining employment records
• Maintaining emergency contact information
• Recording your time and attendance for payroll purposes
• Paying you salaries, wages, bonuses, performance related pay, overtime pay, reimbursing expenses, deducting tax and national insurance, and other deductions
• Managing absences and salary/wage deductions
• Liaising with your pension provider
• Providing and managing the following benefits (as applicable): bonus payments, Performance Related Pay, Sharesave scheme, life assurance, discounted travel scheme, Cycle to Work scheme, and/or staff discount.
• Maintaining training records, and monitoring and enforcing compliance with company policies and procedures
• Managing safety, security and access control across our sites and stores
• Logging and managing IT and engineering work requests
• Incident management and business continuity planning
• Managing staff relocation, travel and event arrangements
• Making arrangements in respect of any staff works council
• To allow access to and to monitor and record your use of our information and communication systems, including call recording.
• Publication within products and/or promotional materials such as White Dwarf magazine, our websites and social media channels or newsletters
• Sending and receiving deliveries to/from our sites and stores
• Measuring and managing performance and conducting reviews
• Making decisions about remuneration, promotions, and your employment
• Managing your education, training and development requirements and records
• Handling audits and investigations, and possible grievance and/or disciplinary hearings
• Dispute management and training purposes
• Ascertaining your fitness to work
• Logging and investigating accidents, injuries and incidents
• Complying with health and safety obligations

The situations in which we may process your ‘special categories’ of more sensitive personal information are listed below:

• Equality and diversity monitoring.
• Managing leaves of absence, which may include sickness absence or family related leaves
• Using information about your physical or mental health, or disability status, to ensure your health and safety in the workplace, to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence, and to manage our life assurance scheme
• Maintaining health surveillance records to ensure safety in the workplace
• Using biometric data (fingerprint records) for purposes of time and attendance record keeping

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it such as (i) for the purpose of performing our obligations under your contract of employment (or to take steps prior to entering into a contract with you), (ii) to enable us to comply with our legal obligations, or (iii) where the processing is in our legitimate interests and not overridden by your rights.

Where we are collecting and using ‘special categories’ of more sensitive personal information, that information shall be processed on the basis that (i) you have given explicit consent to the processing, (ii) processing is necessary for the purposes of carrying out our obligations in the field of employment, or (iii) processing is necessary for the establishment, exercise or defence of legal claims.

If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be for our legitimate commercial interest, for the purposes of recruitment, appropriate use of information and communication systems, maintaining efficient site and IT operations, incident management planning, business compliance, site safety and security, business performance, staff development, and staff remuneration.   We may have other legitimate interests and if appropriate we will make clear to you at the relevant time what those legitimate interests are.

Where appropriate we will collect and use information about criminal convictions and offences to determine eligibility for working in roles which require interaction with children and adults at risk. We will only do this where permitted by law providing for appropriate safeguards.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact the Data Protection Manager.

4.         What if you fail to provide personal information?

If you fail to provide certain information when requested we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

5.         What if we want to use your information for a different purpose?

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent where this is required or permitted by law.

6.         How secure is your information?

We have put in place appropriate technical and organisational measures to prevent your personal information from being accidentally lost, used, accessed, altered or disclosed. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information and include:

• Site access controls – only authorised personnel are able to gain access to premises, buildings and rooms where your information is being processed.
• IT access controls – only authorised personnel are able to gain access to your information stored electronically within our IT systems.
• IT security controls – use of appropriate technology and security measures to ensure secure storage of your information.
• Policies & procedures – comprehensive data protection and IT security policies and procedures setting out the way in which your information must be handled by staff.
• Training – delivery of ongoing data protection and IT security training to all staff handling your information.

7.         Who might we share your information with?

We may share your personal information in the situations detailed below:

• Service providers

We share your personal information with third parties who provide services to us. The following activities all involve the processing of personal information and are carried out by third party service providers: hosting and maintenance of recruitment website platform, hosting and maintenance of applicant tracking system platform, hosting and maintenance of digital job advert distribution platform, maintenance of human resources platform, occupational health services, biological monitoring services, eye care voucher scheme, candidate background check services, payroll services, maintenance of time and attendance recording platform, hosting and maintenance of expense claims processing platform, pension scheme administrators, sharesave scheme administrators, life assurance scheme administrators, hosting and maintenance of Customer Relationship Management platform, maintenance of security and access control systems, maintenance of case management software, IT service providers, maintenance of call recording system, hosting and maintenance of websites and social media platforms, document and information collaboration and sharing, delivery and shipping services, legal advisers, financial services advisers, travel and accommodation agencies and providers, training and development platforms and services. Further details in respect of our third party service providers are available on request from our Data Protection Manager.

All service providers are required to take appropriate security measures to protect your personal information. We do not allow third party service providers to use your information for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.

• Games Workshop group

We may share your personal information with other entities in our group of companies as part of regular reporting activities on company performance, in the context of business reorganisation or group restructuring, or for system maintenance support.

• Sale or restructure

We may share your personal information in the context of the possible sale or restructuring of the business provided that we inform the buyer it must use your personal information only for the purposes disclosed in this notice.

• Law, legal rights and vital interests

We may also need to share your information with a law enforcement body, regulator, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any person.

• Consent

We may share your personal information where you have consented to such disclosure.

 8.         Do you transfer my information outside of the European Union?

We may transfer your personal information outside the European Economic Area (EEA). For example, our IT service providers operate around the world. We will only transfer your personal information outside the EEA if adequate protection measures are in place.  To ensure that your personal information does receive an adequate level of protection outside the EEA we use the following protection measures:

• Transferring to countries approved by the European Commission
• Using model contractual clauses approved by the European Commission
• Requiring companies we transfer information to in the United States to be signed up to the EU/US Privacy Shield Framework

Further details in respect of protective measures used outside of the EEA are available on request from our Data Protection Manager.

9.         How long do we keep hold of your information?

We only retain your information for as long as necessary for the purposes described above, including for the purposes of satisfying any legal, accounting, or reporting requirements.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Details of retention periods for different aspects of your personal information are available in our Data Retention Policy which is available on request from our Data Protection Manager.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which it has been processed, and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

10.      What are your rights in connection with your personal information?

Under certain circumstances, by law you have the right to:

• Request access to a copy of the personal information we hold about you
• Request correction of any incomplete or inaccurate information we hold about you
• Request erasure of information where there is no good reason for continued processing
• Object to processing of your information where we are relying on a legitimate interest to process your information.
• Where we are processing your information for a particular purpose based on your consent, you have the right to withdraw your consent at any time.
• Request restriction to suspend our processing of your personal information.
• Request transfer of your personal information to another party which you have provided to us.

If you want to exercise any of these rights please contact our Data Protection Manager.

You will not have to pay a fee to exercise any of your rights, however we may charge a reasonable fee if your request is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you are not satisfied with our processing of your personal information, you also have the right to make a complaint to the relevant supervisory authority. Please see here for the relevant contact details.

11.      What we ask of you?

It is important that the personal information we hold about you is accurate and current. Please inform our Personnel team immediately of any changes to the personal information which we hold about you.

If you provide us with information about another person (e.g. next of kin), you confirm that you have informed them of our identity, the purposes for which their personal data will be processed, and that you have obtained their permission to such processing by us.

12.      Change to this privacy notice

We may update this notice from time to time. When we update this notice, we will take appropriate measures to inform you, consistent with the significance of the changes.  We will obtain your consent to any material changes if and where this is required by law.

You can see when this notice was last updated by checking the date displayed at the top of this notice.