Employee and Contractor Privacy Notice |

Your data

Purpose of processing

Sources

Contact Data

• Name

• Address, telephone, email and other contact (personal and work) details

• Age, gender (voluntary), ethnicity (voluntary), sex, marital status (voluntary), location

How long we keep it

Until up to 7 years from the end of the tax year when our relationship with you ends.

• Recruitment

• Right to Work

• Employment

• Leave Administration

• Finance & Accounting

• Benefit Administration

• Health & Safety

• Crime & Fraud

We collect this information from you directly, or from our/your

recruitment consultants or platforms.

Recruitment Data

• CV, portfolios, professional and academic qualifications and experience

• Details of educational background, copies of diplomas, degree certificates, transcripts, training records and other evidence of academic achievement or work experience

• Skills and language capabilities

• Professional licences, certifications, accreditations or memberships

• Information supplied in interview or through assessments or telephone-screening

• References

• Offer letters and associated correspondence

• Personal data in your CV or provided in relation to your recruitment.

• Inferences and opinions drawn from Recruitment Data.

How long we keep it

7 years from when our relationship with you ends. Or, if you apply for a job, and are unsuccessful, for at least 4 weeks and up to 6 months after notifying you of the outcome (or up to 12 months if we ask for and receive your consent to retain this information in order to let you know of future opportunities). If you are a non-active contractor, for up to 4 years if you give us your consent to retain your information.

• Recruitment

• Right to Work

• Employment

• Health & Safety

• Crime & Fraud

We collect most of this information directly from you. We may also receive information from our/your recruitment consultants or platforms. We may also obtain some of this from public social media profiles, from your referees, academic institutions, and professional accreditation bodies.

Benefit Data

• name, Payroll Giving Agency ID, donation amounts, destinations, and frequency;

• confirmation of whether you have applied for Cycle to Work or ULEV schemes;

• for the ULEV scheme we share your tax code, salary, and salary sacrifice deduction amounts with the provider of the scheme.

How long we keep it

7 years from when our relationship with you ends.

• Benefit Administration

• Finance & Accounting

We either collect this information from you, or we receive it from the third party benefit partner (for example, where UK employees use Payroll Giving, our agencies Charitable Giving or Hands on Payroll Giving Ltd let us know how much each employee would like to donate)

Right to Work Data

• ID and right to work documentation (e.g. driving licence, work permits, birth certificates, residency status, passport, visas, citizenship documentation)

How long we keep it

7 years from when our relationship with you ends.

• Recruitment

• Right to Work

• Employment

• Crime & Fraud

Sources

We generally collect this information from you but may compare it with information held by us or available on public records.

Key Contact Data

• Spouse, partner, next of kin, other eligible dependents and beneficiaries, and emergency contact details including email, address, telephone number.

How long we keep it

Until 12 months after our relationship with you ends or, if longer, until 7 years after the date upon which any benefits or other duties are due to such key contacts.

• Benefit Administration

• Health & Safety

• Crime & Fraud

We collect this information from you. Please ensure that, where you provide us with this sort of information, the individuals concerned receive a copy of this policy and are happy for you to provide their information.

HR Data

• Role, contract, date of (and reasons for) hire, start, promotion, resignation, termination, employee ID number
• Pension and benefits (e.g. medical, dental, retirement, life insurance) information
• Salary, bonuses, rewards, sick pay, compensation history, student loan, and bank details
• National Insurance, PAYE, tax, social security, residency, other taxpayer or government identification numbers, and payroll, payslip records, and tax status information
• Driving details (copy of licence, licence number, vehicle registration, motor insurance including cover for business use)
• Driving history where company cars are used (such as relating to parking fines, collisions, accidents, related insurance claims)
• Personal vehicle information (including vehicle registration, type, manufacturer, model, engine size and fuel type)
• Clothing size
• Location of workplace
• Working hours, time records, flexible working requests, work history, training records
• Performance history, achievements, letters of recommendation, complaints and awards
• Performance review, appraisals, hearing, investigation, warning, disciplinary and grievance records (including records of monitoring compliance with and enforcement of policies)
• Absence and leave data (including sickness, paternity/maternity/adoption, shared parental, annual and other leave, and associated forms, certificates and other related documentation)
• Payment information for business credit or debit cards, limits, account details, how and where they are used or authorised for use.

How long we keep it

Until up to 7 years from the end of the tax year when our relationship with you ends.

• Recruitment
• Right to Work
• Employment
• Leave Administration
• Finance & Accounting
• Benefit Administration
• Health & Safety
• Diversity Monitoring
• Crime & Fraud
• Monitoring & Security

We collect much of this information from you directly.

Some of this information is generated by you or us in the course of your work with us.

Certain other information, for example relating to your performance, may be collected from colleagues and others you work with.

We may also receive some of this information from HMRC or other authorities, or from benefit providers, or corporate credit or debit card providers and other suppliers we work with.

Employee Stock Information

• Details of share, option, distribution or similar entitlements and holdings.

How long we keep it

We keep this information for as long as you have any such entitlement, for 7 years thereafter, and otherwise for as long as necessary for us to comply with our legal obligations.

• Recruitment
• Employment
• Finance & Accounting
• Benefit Administration
• Diversity Monitoring
• Crime & Fraud

Work Data

• Information produced during your engagement or employment, including email, voicemail, correspondence, calendar items, usernames, paper and electronic documents, and other work product and communications created, stored, transmitted or accessed via our networks, software, devices (such as work mobile, laptop or other equipment) or systems.
• Content featuring you produced for use on our website, social media or other marketing, such as your website photograph, audio, videos, articles, blog posts, speech transcripts.

How long we keep it

We keep this information until it is no longer necessary for the purpose of operating our business, and for at least 7 years following the end of your engagement/employment.

• Recruitment
• Right to Work
• Employment
• Leave Administration
• Finance & Accounting
• Benefit Administration
• Diversity Monitoring
• Health & Safety
• Monitoring & Security
• Crime & Fraud

We collect much of this information from you directly.

Some of this information is generated by you or us in the course of your work with us.

Certain other information, for example relating to your performance, may be collected from colleagues and others you work with.

We may also receive information from our clients or suppliers and others we work with.

Equality Data

• Information relating to race, health, disability, ethnicity, gender identification, sex, nationality, religious beliefs, sexual orientation, philosophical or political opinions, your preferred pronouns.

• Diversity Monitoring
• Finance & Accounting

Health Data

• Information regarding your health, including any disability or medical conditions, your dental, health and sickness records, information about physical limitations, visual or hearing impairment and special needs.

• Benefit Administration
• Health & Safety

Vetting Data

• Information regarding criminal convictions & offences, inc. criminal record checks
• Credit reference agency checks

How long we keep it

Unless indicated otherwise in this policy, we do not store this once reviewed, but we do record that we undertook vetting checks in line with our policies and procedures, and we keep that record for 6 years after the date on which our relationship with you ends.

• Employment
• Right to Work
• Health & Safety
• Crime & Fraud

Survey Data

• Your responses to employee and/or contractor surveys (if not anonymised)

How long we keep it

After 12 months underlying data is deleted, but we may retain anonymous, aggregated statistics generated from that data. We may undertake exit surveys with departing employees, and answers volunteered to those surveys are retained for 6 years.

IT & Security Data

• CCTV footage (retained for up to 90 days unless longer retention is required for the purposes of an investigation)
• Key/swipe card and other security pass identifiers, photographs and ID
• Date, time, nature and location of access to (or through, including internet activity, browsing/search history, and interaction with websites and applications) our systems, data and premises
• Details of phone, laptop, computer and other devices used to connect to our systems or otherwise in the course of your work
• Usernames and passwords

Purposes

• Employment
• Health & Safety
• Monitoring & Security
• Crime & Fraud

More information

Please also refer to our CCTV policy.

Recruitment

We use this information to make a decision about your recruitment or appointment, or your promotion, and to determine the terms on which you work for us, and whether you are suitable for the role you are applying for (internally or externally)

Right to work

Diversity Monitoring

We use this information to ensure meaningful equal opportunity in our workplace, to monitor and report on the same (including in respect of diversity generally, pay equity, and otherwise) and to and ensure employees and/or contractors are referred to using the pronouns they prefer where feasible.

Employment (inc. contractor engagement)

We use this information to:

(i) administer the contract we have entered (or will enter) into with you;

(ii) provide access to our systems, services, premises & facilities;

(iii) arrange travel, visas, accommodation and insurance (e.g. motor insurance for business where applicable, or insurance for remote working equipment stored at your home);

(iv) enable your education, and to support training and development requirements;

(v) manage HR processes e.g. performance, disciplinary, and grievance reviews and procedures, salary reviews, and to deal with legal disputes which might involve you;

(vi) make decisions about your continued employment or engagement, making arrangements for the termination or expiration of our working relationship with you;

(vii) assess your qualifications for a particular job or task, and enable you to discharge your duties;

(viii) notify employees and contractors (e.g. via SMS or telephone) if there is an issue affecting a studio such as a power cut or internet outage);

(ix) promote our business and personnel, for example by providing an employee bio with our business partners;

(x) to send promotional or “thank-you” items to employee and/or contractors;

(xi) maintain a profile for our personnel which is available to all employees internally in our directory, which includes information such as your name, address, telephone number, email, job role and title, and reporting lines;

(xii) produce & distribute promotional written and audio-visual content, including video of our events, offices and staff;

(xiii) conduct data analytics studies to better understand our retention and attrition rates.

We process personal data for this purpose to:

(i) perform our agreement with you, or to take steps prior to entering into such agreement;

(ii) pursue our and your legitimate interests, being our mutual legitimate interests in ensuring our business and your contribution to it are successful, that you are able to, and do, discharge your duties, that performance is recognised or rewarded appropriately, that developmental needs are understood and met and that disciplinary matters and concerns are understood and addressed correctly (sometimes, where multiple Sumo Group companies work together on a project, they are joint controllers processing personal data on this basis, to the extent necessary for these purposes); and

(iii) comply with our legal obligations.

Leave Administration

We use this data to administer statutory and contractual leave entitlements including sickness and other absences.

Our respective legitimate interests in ensuring absence and cover are dealt with appropriately.

To perform our contractual obligations to you and to comply with our legal obligations.

Finance & Accounting

We use this information to pay you (salary and expenses, e.g. fuel/mileage where authorised) and, if you are an employee, deduct tax and National Insurance contributions, and for the purposes of maintaining our accounts.

To perform our contract with you, or take steps requested by you prior to entering a contract, and to comply with our legal obligations.

We may also process this personal data for tax management and planning, audits, and for BFI certification, in pursuit of our and your legitimate interests in Sumo maintaining BFI certification, complying with audits and managing tax liability.

Where necessary to comply with group legal tax and accounting obligations, this information may be shared with and processed by Sumo Group Limited and/or Sumo Digital Limited.

Sumo Group Limited, Sumo Digital Limited, and the Sumo Group company which engages or employs you, may also process certain Finance & Accounting information for the purpose of tax and financial planning and management, as joint controllers, in pursuit of their legitimate interests in managing the Sumo Group finances effectively.

Benefit Administration

We use this information to administer and provide pension contributions, the employee assistance programme, employee share plans, life assurance, and similar support, and any other memberships or benefits we may agree with or offer to you from time to time, and to liaise with associated benefit providers, for example:

(i) we upload name, email address, employee number and studio to the Reward Gateway platform so you can use it to claim rewards where available;

(ii) for UK employees using Payroll Giving we receive information about how much and how often employees wish to donate, so we can make relevant deductions, and we also notify Charitable Giving via a summary of employees, payroll numbers, amounts donated and to whom, so they can make donations to the relevant charities;

(iii) we provide names and emails to benefit providers where necessary to grant you access to use their platforms (e.g. to Lifeworks, UChoose, and Help@hand which are provided by Unum Limited, and to Udemy) along with details of benefits to which certain staff are entitled where applicable (in particular, to UChoose);

(iv) we share your tax code, salary and deduction information with Knowles Associates TFM Limited so they can administer the ULEV scheme.

To perform our contract with you, or take steps requested by you prior to entering a contract, and to comply with our legal obligations.

Where benefits are discretionary and non- contractual we process this data on the basis of our and your legitimate interests in the provision of benefits to you.

For healthcare and associated insurance purposes, with their consent, we may also process and share (with benefit providers) information about your spouse, partner or dependents (including birthdate, phone number, social security number, and tax identification number).

Where necessary to comply with group legal tax and accounting obligations, financial information relating to benefits may be shared with and processed by Sumo Group Limited and/or Sumo Digital Limited.

Sumo Group Limited, Sumo Digital Limited, and the Sumo Group company which engages or employs you, may also use certain information about benefits on offer, their cost and utilisation, and feedback, as joint controllers, in pursuit of legitimate interests in ensuring an appropriate range of benefits are offered by companies in the Sumo Group

Health & Safety

We use this information to assess fitness to work, carry out desk audits, assess needs and reasonable adjustments, to ensure the health and safety of our personnel and applicants, and to record accidents at work. We may also use Key Contact Data to communicate with a designated third party in the event of a medical emergency, disaster or similar.

Crime & Fraud

We use this information to detect and prevent fraud and other crime.

Certain clients who grant our employees and contractors access to sensitive data, facilities, or systems, expect us to take exceptional precautions. These may from time to time include carrying out background checks on relevant individuals before access is granted, to prevent fraud and other crime.

In those cases, if relevant to you, we will let you know what information is required for the checks, you will be entitled to opt-out of the relevant project if you prefer not to undergo those checks, and if you do complete the checks we will let the relevant client know whether or not you passed them.

To meet our legal obligations, and pursue our legitimate interest in detecting and preventing crime, and harm to our property or personnel or that of our clients.

In certain exceptional cases we may also ask for your consent to vetting where appropriate.

Monitoring & Security

We use this data to keep track of attendance, monitor use of information & communication systems, to monitor compliance with our IT policies, and to ensure network & information security (including detecting, and preventing unauthorised access to computer & electronic communications systems, and preventing the distribution of malicious software).

We process personal data for this purpose to:

(i) pursue our legitimate interests in monitoring compliance with terms of employment (or engagement) and policies and procedures, identifying breaches of the foregoing, and preventing and detecting unauthorised use of or access to our systems (this information may also be shared with and processed by
Sumo Digital Limited either independently or as a joint controller, on this basis, for these purposes);

(ii) and to comply with our legal obligations.

We may ask for consent to process special category data from time to time, such as if we ask about dietary requirements, or seek information as part of voluntary surveys.

Where you are included in and identifiable from a video/photograph used for promotional purposes, if that entails sharing/processing of information about your health, racial or ethnic origin, or similar, we will let you know in advance and seek your consent, so you can object if you are not comfortable with such use of material.

We will only collect information about criminal convictions if it is appropriate given the nature of the role or task, and where we are legally able to do so.

Examples may include pre-employment checks and/or declarations by employees, or additional background checks where appropriate for the purpose of preventing fraud or other crime, or with consent, when access is given to sensitive data, systems, or facilities of certain customers.

Your personal data is normally securely stored in the UK, European Economic Area or in the country where the Sumo Group entity which engages or employs you is based. We use technical and organisational measures to protect personal data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.

Where we use data processors outside the UK and European Economic Area, or otherwise transfer personal data to a country which does not provide an adequate level of protection (for example, we may transfer personal data to other Sumo Group companies based around the world including, without limitation, if you relocate to a different country) we use contracts or other safeguards which give personal data the same or equivalent protection it has in Europe or the UK. Let us know if you would like further information.

Disclosure

(we may disclose your personal data as follows)

• Where required by law, government, regulators and other competent authorities or the courts or to establish, exercise or defend our legal rights, and for the purposes of preventing crime and fraud (for example, we may share personal data with our professional advisors, investigators, or credit reference agencies).
• Your personal data is shared with the relevant tax authorities in order for us to comply with our legal obligations.
• Promotional photographs, video and audio recordings, and your professional bio may be shared through our website, social media, brochures and other promotional channels.
• To your colleagues, our HR, IT and other departments, members of our corporate group, insurers, bankers, auditors, and legal advisers.
• With our service providers and subcontractors, provided they use that personal data on our instructions and not for their own independent purposes. Please refer to the box below (“Suppliers”) for detail.
• To clients, colleagues, and commercial contacts, where necessary for the purposes set out in this policy.
• If involved in an investment, merger, acquisition, or sale of our organisation or assets, data we hold may be shared on the basis of legitimate interests of us, shareholders, customers and other parties to a transaction if not outweighed by prejudicial impact upon you.
• In order to ensure you are able to take advantage of employee share/option schemes, we may disclose details about you such as your name, identification (such as passport) number, date of birth, nationality, to other members of the Sumo Group.

Suppliers who may receive your personal data for the reasons set out in this policy include the following:

• Lever, Inc. in the USA operate the platform we use to accept and manage job applications.
• We use Yoti Ltd to undertake Right to Work checks.
• Shortlist (Partners Portal)
• Local/global employment organisations (where employees and/or contractors move abroad)
• Delivery/courier companies (for delivering equipment and similar)
• Occupational health therapists (where you consent)
• We may use recruiters to identify candidates for open positions.
• We use third party suppliers to administer payroll, pension and other benefits, share plans, IT support, travel booking, DSE assessments, insurance, our learning & development platform Dojo, training courses, employee engagement surveys (where we may use Best Companies).
• For benefits such as medical insurance, personal data may also be provided directly by you to the third party service provider.
• We use a range of other suppliers to provide our business infrastructure, including email service providers, web hosts, IT support consultants, CCTV operators, and suppliers of security technology (e.g. swipe-card access systems).
• Advance IT Solutions Limited (where employees are lone working in a studio and have consented to using a lone worker alarm for their own health and safety)

For further information get in touch using the contact details at the start of this policy.