1.1 Sonata and all its associated companies are committed to protecting the safety and privacy of their Staff, and take their responsibilities regarding the security of Staff’s personal data very seriously. This privacy policy explains what personal data we collect about our Staff, how and why we use it, who we disclose it to, and how we protect your privacy.
1.2 This Fair Processing Notice is non-contractual and we may amend it from time to time. Please visit this page if you want to stay up to date, as we will post any changes here.
2.1 This Fair Processing Notice applies to all "Staff" (see the Definitions/Abbreviations Section at the end of this Policy for the meaning of "Staff"). Being deemed to be "Staff" under this policy is for convenience only and does not have any bearing on your employment/worker rights. When we refer to this policy applying to “Staff”, we include all categories of individual listed in the Definitions/Abbreviations Section to this policy.
3.1 Our Privacy Policy applies to the personal data that our companies collect and use. References in this Privacy Policy to “Payments Advisory Consultants & Technology Limited”, “we”, “us” or “our” mean Sonata (a company registered in the Isle of Man with registration no 136067C and registered office at 2 River Walk, Braddan, Douglas, IM4 4TJ, Isle of Man). We control the ways your personal data are collected and the purposes for which your personal data are used by Sonata Limited. Sonata is the “data controller” for the purposes of the UK Data Protection Act 1998 (as amended or replaced), the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other applicable European Data Protection legislation (together the “Data Protection Legislation”).
4.1 Please see the table at the Appendix to this Notice which sets out (a) types of information about you that we process; (b) the purpose of such processing; (c) the legal basis for such processing; and (d) legitimate interest pursued for such processing (where relevant).
We may share your personal data, in various ways and for various reasons, with the following categories of people:
5.1 Colleagues within Sonata Limited (where appropriate, this may include colleagues in overseas offices);
5.2 Where appropriate, medical professionals such as your GP or an occupational health specialist;
5.3 Tax, audit, or other authorities, when we believe in good faith that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation);
5.4 Third party service providers who perform functions on our behalf (including benefits administration, external consultants and professional advisers such as lawyers, auditors, accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems);
5.5 Third party outsourced IT providers where we have an appropriate processing agreement (or similar protections) in place;
5.6 Third parties who we have retained to provide services such as reference, qualification and criminal convictions checks, to the extent that these checks are appropriate and in accordance with local laws; and
5.7 If [ ] Limited merges with or is acquired by another business or company in the future, we may share your personal data with the new owners of the business or company (and provide you with notice of this disclosure).
6.1 Subject to your data rights, we will ordinarily process your data throughout the course of employment and then aim to delete data that is no longer needed (e.g. CV, bank details and emergency contact details) within 6 months of your termination date. There is some data that we will need to keep for longer than this period to enable us to provide a reference to your new employer, to answer any questions from tax authorities and to comply with other legal and risk obligations. We will hold this data for as long as we consider it reasonable to do so in good faith.
6.2 Please note that in certain circumstances, we may hold your data for a longer period if we believe in good faith that the law or relevant regulators require us to preserve your data.
6.3 Once we have determined that we no longer need to hold your personal data, we will Delete it from our systems.
7.1 We may from time to time need to process “Special Categories” of your personal data (e.g. data relating to your health). We only collect this information where you have given your explicit consent or one of the other exemptions applies (e.g. processing is necessary in the field of employment law).
7.2 We currently process your health data in order to keep a record of your sickness absence. We are required to provide you with the following information about such processing:
7.2.1 We process this data lawfully (we have a lawful basis for processing as the processing is necessary in the field of employment law), fairly and in a transparent manner (e.g. we are providing you with information about this processing in this notice);
7.2.2 We only collect this data for specified, explicit and legitimate purposes and will not use it in any way that is incompatible with these purposes;
7.2.3 We only collect the health data that is adequate, relevant and limited to why we need it (i.e. to comply with our legal obligations to pay you statutory sick pay);
7.2.4 We will keep this data accurate and up-to-date;
7.2.5 This data is kept securely within Google Cloud systems;
7.2.6 This data is only stored for as long as is necessary. We will delete this data within [6] months of the end of your employment (unless we consider in good faith that we need to keep it longer for legal reasons).
8.1 We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.
8.2 We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures.
8.3 If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Please raise your concern with your team leader as per our staff handbook in the first instance, and we will investigate the matter and update you as soon as possible on next steps.
The GDPR gives you the following rights in relation to your personal data:
9.1 Right to object: this right enables you to object to us processing your personal data.
9.2 Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to carry out that particular activity that you previously consented to unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
9.3 Data Subject Access Requests (DSAR): You may ask us to confirm what information we hold about you at any time, and request us to modify, update or Delete such information.
9.4 Right to erasure: You have the right to request that we "erase" your personal data in certain circumstances.
9.5 Right to restrict processing: You have the right to request that we restrict our processing of your personal data in certain circumstances.
9.6 Right to rectification: You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you, including by means of providing a supplementary statement.
9.7 Right of data portability: If you wish, you have the right to transfer your personal data between data controllers.
If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please raise your concerns with the Director of People and Culture. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
10.1 In order for us to carry out the purposes described in this policy your data may be transferred:
10.1.1 Between and within Sonata entities;
10.1.2 To third parties (such as advisers to our business);
10.1.3 To a cloud-based storage provider; and
10.1.4 To other third parties (for more details, please see above under "Who do we share your personal data with?").
10.2 We want to make sure that your data are stored and transferred in a way which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
10.2.1 By way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
10.2.2 By signing up to the EU-U.S. Privacy Shield Framework for the transfer of Personal Data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
10.2.3 Transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or
10.2.4 Where it is necessary for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request; or
10.2.5 Where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer your data to a benefits provider based outside the EEA); or
10.2.6 Where you have consented to the data transfer.
Without further notice and for any of the purposes set out in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, we may carry out the following types of interception/monitoring:
11.1 Intercepting and monitoring communications which pass through our servers or on/from Sonata Limited’s Devices, including emails, and text messages that you send and receive from your Sonata email address.
11.2 Observing the dates, times and frequency with which you access the internet using Payments Advisory Consultants & Technology Limited’s Devices or through our servers and how you choose to use the internet in this way.
11.3 Recording and reviewing the dates and times you use your security pass/fob to enter or exit our building/s.
11.4 CCTV may be used at our premises, and locations will be listed in the staff handbook.
11.5 This monitoring and interception may be routine or ad hoc, including (but not limited to) as part of an internal (or external) investigation. You acknowledge and agree that intercepted and monitored communications may be used as evidence in disciplinary or legal proceedings.
11.6 The lawful basis we rely on to carry out such monitoring is our legitimate interests, being to keep our Staff secure, to prevent unauthorised use of our information and equipment, to conduct investigations into alleged misconduct, to keep our confidential information secure, to keep the personal data we hold relating to other individuals secure and to assist us with establishing, exercising or defending legal claims.
If you have any complaints about the way in which we collect, store and use your information, you can contact the supervisory authority, the Isle of Man Information Commissioner’s Office: www.inforights.im
Delete - while we will endeavour to permanently Delete your personal data once it reaches the end of its retention period or we receive a request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our Staff will not access it or use it again.
Employment Relationship - means our contractual relationship with you as a member of Staff. We use the term 'employment' in this context simply for ease of reference - this Fair Processing Notice applies equally to employees and other workers or individuals that fall under the definition of “Staff” below.
Payments Advisory Consultants & Technology Limited’s Devices - laptops, BlackBerrys, smart phones or any other type of device that we provide to you to carry out work for us.
Special Categories of Personal Data - this is personal data consisting of information such as your racial or ethnic origin, your political opinions, religious or philosophical beliefs, whether you are a trade union member, your physical and mental health, your genetic and biometric data and data relating to your sex life and sexual orientation.
Staff - includes employees engaged directly in the business of Sonata and workers and other individuals engaged in the business of providing services to our companies in a way that is similar to employees (e.g. contractors, consultants, temps and agency workers). For example, the term covers individuals who work from