1. Introduction
The Sumo Group
In this policy, references to “Sumo” and to “we”, “us” or “our” are to Sumo Group Limited (company number: 11071913) and all subsidiary companies of Sumo Group Limited and you should read them as meaning the Sumo Group company which employs (or engages) you or which you are applying to for employment or engagement.
These entities (together, “we”, “us” or “our”) may decide the means or purpose of processing your personal data. Sometimes, these entities jointly determine the means or purpose of processing your personal data. Where there are joint controllers of your personal data this is mentioned in this policy.
What’s this policy about?
Prior to and throughout your time of employment or engagement and for a period thereafter, we will collect, use, and store personal data about you. This policy explains how we process personal data relating to our people (or prospective employees/contractors) as a data controller.
Please note that you may be required (contractually or otherwise) to provide us with certain information to progress job applications, for us to provide you with benefits and other cooperation, to exercise rights and comply with your contractual obligations (including to report absences from work, provide information about disciplinary or other matters, or in order to exercise statutory rights such as in respect of statutory leave entitlements).
It is important that personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. You may provide updated information to HR or (for current employees) via Sumo HR or (for current contractors) via Partners Portal.
If you are an employee, this notice should be read in conjunction with the Employee Handbook, which contains further details about our policies and processes, and any other privacy notices made available to you from time to time.
While this notice is intended to provide an overall description of our processing activities globally, processing activities may be more limited in jurisdictions where restricted by local laws. In such instances, we adjust our internal policies accordingly.
How do you contact us?
If you have any questions or comments about this privacy notice, please contact the Sumo Group data privacy team using the following email address:
Email: data@sumogroupltd.com
If we can’t resolve your issue, you can also get in touch with the regulator. In the UK this is the ICO: https://ico.org.uk/concerns.
If you live in Europe, you may also submit concerns to the supervisory authority in your country.
What are your rights?
You have the following rights, although these rights may be limited in some circumstances:
- Ask us to send a copy of your data to you or someone else
- Ask us to restrict, stop processing, or delete your data
- Object to our processing of your data
- Object to use of your personal data for direct marketing
- Ask us to correct inaccuracies in your data
If we rely on consent to process your data, you can withdraw your consent by contacting us via the email address above.
2. Your personal data and how we use it
This section sets out the different types of personal data we process about you, and the purposes for which we use it. It also explains where we get the information, and who it is shared with. For further information on the purposes for which this personal data is used, please refer to section 3.
Your data | Purpose of processing | Sources |
Contact Data
How long we keep it
Until up to 7 years from the end of the tax year when our relationship with you ends. |
|
We collect this information from you directly, or from our/your recruitment consultants or platforms. |
Recruitment Data
How long we keep it
7 years from when our relationship with you ends. Or, if you apply for a job, and are unsuccessful, for at least 4 weeks and up to 6 months after notifying you of the outcome (or up to 12 months if we ask for and receive your consent to retain this information in order to let you know of future opportunities). If you are a non-active contractor, for up to 4 years if you give us your consent to retain your information. |
|
We collect most of this information directly from you. We may also receive information from our/your recruitment consultants or platforms. We may also obtain some of this from public social media profiles, from your referees, academic institutions, and professional accreditation bodies. |
Benefit Data
How long we keep it
7 years from when our relationship with you ends. |
|
We either collect this information from you, or we receive it from the third-party benefit partner (for example, where UK employees use Payroll Giving, our agencies Charitable Giving or Hands on Payroll Giving Ltd let us know how much each employee would like to donate). |
Right to Work Data
How long we keep it
7 years from when our relationship with you ends. |
|
Sources
We generally collect this information from you but may compare it with information held by us or available on public records. |
Key Contact Data
• Spouse, partner, next of kin, other eligible dependents and beneficiaries, and emergency contact details including email, address, telephone number.
How long we keep it
Until 12 months after our relationship with you ends or, if longer, until 7 years after the date upon which any benefits or other duties are due to such key contacts. |
|
We collect this information from you. Please ensure that, where you provide us with this sort of information, the individuals concerned receive a copy of this policy and are happy for you to provide their information. |
HR Data
Until up to 7 years from the end of the tax year when our relationship with you ends. |
|
We collect much of this information from you directly.
Certain other information, for example relating to your performance, may be collected from colleagues and others you work with. We may also receive some of this information from HMRC or other authorities, or from benefit providers, or corporate credit or debit card providers and other suppliers we work with. |
Employee Stock Information
How long we keep it
We keep this information for as long as you have any such entitlement, for 7 years thereafter, and otherwise for as long as necessary for us to comply with our legal obligations. |
|
We may collect this data from you. We may also generate some of this information ourselves and/or obtain it from public registers (for example Companies House). |
Work Data
How long we keep it
We keep this information until it is no longer necessary for the purpose of operating our business, and for at least 7 years following the end of your engagement/employment. |
|
We collect much of this information from you directly. Some of this information is generated by you or us in the course of your work with us. Certain other information, for example relating to your performance, may be collected from colleagues and others you work with. We may also receive information from our clients or suppliers and others we work with. |
Equality Data
|
|
We collect this from you directly on a voluntary basis. |
Health Data
|
|
We collect this from you directly (on a voluntary basis) but may also receive certain information from occupational therapists and medical professionals such as your GP. |
Vetting Data
How long we keep it
Unless indicated otherwise in this policy, we do not store this once reviewed, but we do record that we undertook vetting checks in line with our policies and procedures, and we keep that record for 6 years after the date on which our relationship with you ends. |
|
We collect this from you directly, from public authorities, or credit reference agencies. |
Survey Data
How long we keep it
After 12 months underlying data is deleted, but we may retain anonymous, aggregated statistics generated from that data. We may undertake exit surveys with departing employees, and answers volunteered to those surveys are retained for 6 years. |
Our purpose (and legal basis) for surveys will be explained when each such survey is sent out. | We collect survey information from you directly. |
IT & Security Data
|
Purposes
More information
Please also refer to our CCTV policy. |
We collect some of this information from you directly, and some of it is collected through our systems as you use them or from our information technology and security service providers. |
Where explicit retention periods are not described above, we hold data for as long as necessary bearing in mind the purpose for which it was collected. At the end of the retention period, we assess whether it is necessary to continue to retain information to achieve the purposes for which it was collected. To determine appropriate retention periods, we consider the amount, nature, and sensitivity of the data, the potential risk of unauthorised access, and legal requirements.
3. Purposes and lawful basis
This table sets out in more detail the purposes for which we process personal data. It also explains the legal basis for that processing.
Purpose | Our legal basis for this processing |
Recruitment
We use this information to make a decision about your recruitment or appointment, or your promotion, and to determine the terms on which you work for us, and whether you are suitable for the role you are applying for (internally or externally) |
Our and your legitimate interests in ensuring that you are the right candidate for the role, suitably qualified and experienced, and that the terms of your prospective engagement meet our mutual expectations and our business objectives. |
Right to work
|
Our legal obligation to ensure you are entitled to work for us in the country where you are engaged. |
Diversity Monitoring
We use this information to ensure meaningful equal opportunity in our workplace, to monitor and report on the same (including in respect of diversity generally, pay equity, and otherwise) and to ensure employees and/or contractors are referred to using the pronouns they prefer where feasible. |
Our legitimate interest (and your interest, and that of the public) in identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained, and in seeking to ensure our personnel are referred to using the pronouns they prefer. |
Employment (inc. contractor engagement)
We use this information to: (i) administer the contract we have entered (or will enter) into with you; (ii) provide access to our systems, services, premises & facilities; (iii) arrange travel, visas, accommodation and insurance (e.g. motor insurance for business where applicable, or insurance for remote working equipment stored at your home); (iv) enable your education, and to support training and development requirements; (v) manage HR processes e.g. performance, disciplinary, and grievance reviews and procedures, salary reviews, and to deal with legal disputes which might involve you; (vi) make decisions about your continued employment or engagement, making arrangements for the termination or expiration of our working relationship with you; (vii) assess your qualifications for a particular job or task, and enable you to discharge your duties; (viii) notify employees and contractors (e.g. via SMS or telephone) if there is an issue affecting a studio (such as a power cut or internet outage); (ix) promote our business and personnel, for example by providing an employee bio to our business partners; (x) send promotional or “thank-you” items to employees and/or contractors; (xi) maintain a profile for our personnel which is available to all employees internally in our directory, which includes information such as your name, address, telephone number, email, job role and title, and reporting lines; (xii) produce & distribute promotional written and audio-visual content, including video of our events, offices and staff; (xiii) conduct data analytics studies to better understand our retention and attrition rates. |
We process personal data for this purpose to: (i) perform our agreement with you, or to take steps prior to entering into such agreement; (ii) pursue our and your legitimate interests, being our mutual legitimate interests in ensuring our business and your contribution to it are successful, that you are able to, and do, discharge your duties, that performance is recognised or rewarded appropriately, that developmental needs are understood and met and that disciplinary matters and concerns are understood and addressed correctly (sometimes, where multiple Sumo Group companies work together on a project, they are joint controllers processing personal data on this basis, to the extent necessary for these purposes); and (iii) comply with our legal obligations. |
Leave Administration
We use this data to administer statutory and contractual leave entitlements including sickness and other absences. |
Our respective legitimate interests in ensuring absence and cover are dealt with appropriately. To perform our contractual obligations to you and to comply with our legal obligations. |
Finance & Accounting
We use this information to pay you (salary and expenses, e.g. fuel/mileage where authorised) and, if you are an employee, deduct tax and National Insurance contributions, and for the purposes of maintaining our accounts. |
To perform our contract with you, or take steps requested by you prior to entering a contract, and to comply with our legal obligations. We may also process this personal data for tax management and planning, audits, and for BFI certification, in pursuit of our and your legitimate interests in Sumo maintaining BFI certification, complying with audits and managing tax liability. Where necessary to comply with group legal tax and accounting obligations, this information may be shared with and processed by Sumo Group Limited and/or Sumo Digital Limited. Sumo Group Limited, Sumo Digital Limited, and the Sumo Group company which engages or employs you, may also process certain Finance & Accounting information for the purpose of tax and financial planning and management, as joint controllers, in pursuit of their legitimate interests in managing the Sumo Group finances effectively. |
Benefit Administration
We use this information to administer and provide pension contributions, the employee assistance programme, employee share plans, life assurance, and similar support, and any other memberships or benefits we may agree with or offer to you from time to time, and to liaise with associated benefit providers, for example: (i) we upload name, email address, employee number and studio to the Reward Gateway platform so you can use it to claim rewards where available; (ii) for UK employees using Payroll Giving we receive information about how much and how often employees wish to donate, so we can make relevant deductions, and we also notify Charitable Giving via a summary of employees, payroll numbers, amounts donated and to whom, so they can make donations to the relevant charities; (iii) we provide names and emails to benefit providers where necessary to grant you access to use their platforms (e.g. to Lifeworks, UChoose, and Help@hand which are provided by Unum Limited, and to Udemy) along with details of benefits to which certain staff are entitled where applicable (in particular, to UChoose); (iv) we share your tax code, salary and deduction information with Knowles Associates TFM Limited so they can administer the ULEV scheme. |
To perform our contract with you, or take steps requested by you prior to entering a contract, and to comply with our legal obligations. Where benefits are discretionary and non-contractual we process this data on the basis of our and your legitimate interests in the provision of benefits to you. For healthcare and associated insurance purposes, with their consent, we may also process and share (with benefit providers) information about your spouse, partner or dependents (including birthdate, phone number, social security number, and tax identification number). Where necessary to comply with group legal tax and accounting obligations, financial information relating to benefits may be shared with and processed by Sumo Group Limited and/or Sumo Digital Limited. Sumo Group Limited, Sumo Digital Limited, and the Sumo Group company which engages or employs you, may also use certain information about benefits on offer, their cost and utilisation, and feedback, as joint controllers, in pursuit of legitimate interests in ensuring an appropriate range of benefits are offered by companies in the Sumo Group. |
Health & Safety
We use this information to assess fitness to work, carry out desk audits, assess needs and reasonable adjustments, to ensure the health and safety of our personnel and applicants, and to record accidents at work. We may also use Key Contact Data to communicate with a designated third party in the event of a medical emergency, disaster or similar. |
To meet our legal obligations, to perform our contractual obligations, and to pursue our and your mutual interests in ensuring health and safety in the workplace. |
Crime & Fraud
We use this information to detect and prevent fraud and other crime. Certain clients who grant our employees and contractors access to sensitive data, facilities, or systems, expect us to take exceptional precautions. These may from time to time include carrying out background checks on relevant individuals before access is granted, to prevent fraud and other crime. In those cases, if relevant to you, we will let you know what information is required for the checks, you will be entitled to opt-out of the relevant project if you prefer not to undergo those checks, and if you do complete the checks we will let the relevant client know whether or not you passed them. |
To meet our legal obligations, and pursue our legitimate interest in detecting and preventing crime, and harm to our property or personnel or that of our clients. In certain exceptional cases we may also ask for your consent to vetting where appropriate. |
Monitoring & Security
We use this data to keep track of attendance, monitor use of information & communication systems, to monitor compliance with our IT policies, and to ensure network & information security (including detecting, and preventing unauthorised access to computer & electronic communications systems, and preventing the distribution of malicious software). |
We process personal data for this purpose to: (i) pursue our legitimate interests in monitoring compliance with terms of employment (or engagement) and policies and procedures, identifying breaches of the foregoing, and preventing and detecting unauthorised use of or access to our systems (this information may also be shared with and processed by (ii) and to comply with our legal obligations. |
4. How we use particularly sensitive personal information
We only process sensitive “special category” personal data where appropriate given the nature of the data and processing, and where we are legally able to do so.
Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Processing of special category data must meet certain criteria under the UK GDPR and GDPR. Restrictions also apply to criminal offence data. We may process special categories of personal data and information about criminal offences, where criteria apply as set out in the table below.
Criteria | Processing |
Article 9(2)(b): where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment, social security or social protection | Examples of our processing include monitoring sickness leave, paternity/maternity absences, or to make reasonable adjustments, ensure your health and safety in the workplace, assess your fitness to work, and to administer benefits such as health insurance. |
Article 9(2)(f): for the establishment, exercise or defence of legal claims | Examples include processing relating to any employment tribunal or other litigation. |
Article 9(2)(a): Explicit consent |
We may ask for consent to process special category data from time to time, such as if we ask about dietary requirements, or seek information as part of voluntary surveys. Where you are included in and identifiable from a video/photograph used for promotional purposes, if that entails sharing/processing of information about your health, racial or ethnic origin, or similar, we will let you know in advance and seek your consent, so you can object if you are not comfortable with such use of material. |
Article 9(2)(c): Where processing is necessary to protect the vital interests of the data subject or of another natural person | Examples of our processing include using health information about employees and/or contractors in a medical emergency. |
We may process criminal offence data under Article 10 of the GDPR |
We will only collect information about criminal convictions if it is appropriate given the nature of the role or task, and where we are legally able to do so. Examples may include pre-employment checks and/or declarations by employees, or additional background checks where appropriate for the purpose of preventing fraud or other crime, or with consent, when access is given to sensitive data, systems, or facilities of certain customers. |
5. Storage, transfers, and disclosure
Storage & Transfers |
Your personal data is normally securely stored in the UK, European Economic Area or in the country where the Sumo Group entity which engages or employs you is based. We use technical and organisational measures to protect personal data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Where we use data processors outside the UK and European Economic Area, or otherwise transfer personal data to a country which does not provide an adequate level of protection (for example, we may transfer personal data to other Sumo Group companies based around the world including, without limitation, if you relocate to a different country) we use contracts or other safeguards which give personal data the same or equivalent protection it has in Europe or the UK. Let us know if you would like further information. |
Disclosure (we may disclose your personal data as follows) |
|
Suppliers |
Suppliers who may receive your personal data for the reasons set out in this policy include the following:
For further information get in touch using the contact details at the start of this policy. |
Updates to this privacy notice
Date | Change Summary |
18 August 2023 | Addition of “Finance & Accounting” into “2. YOUR PERSONAL DATA AND HOW WE USE IT” within the column “Purposes of processing” for the sub-section “Equality Data.” |
27 November 2023 | Addition of “ethnicity (voluntary)” into “2. YOUR PERSONAL DATA AND HOW WE USE IT” within the column “Your Data” for the sub-section “Contact Data.” |