1. Introduction

The Sumo Group

In this policy, references to “Sumo” and to “we”, “us” or “our” are to Sumo Group Limited (company number: 11071913) and all subsidiary companies of Sumo Group Limited and you should read them as meaning the Sumo Group company which employs (or engages) you or which you are applying to for employment or engagement.

These entities (together, “we”, “us” or “our”) may decide the means or purpose of processing your personal data. Sometimes, these entities jointly determine the means or purpose of processing your personal data. Where there are joint controllers of your personal data this is mentioned in this policy.

What’s this policy about?

Prior to and throughout your time of employment or engagement and for a period thereafter, we will collect, use, and store personal data about you. This policy explains how we process personal data relating to our people (or prospective employees/contractors) as a data controller.

Please note that you may be required (contractually or otherwise) to provide us with certain information to progress job applications, for us to provide you with benefits and other cooperation, to exercise rights and comply with your contractual obligations (including to report absences from work, provide information about disciplinary or other matters, or in order to exercise statutory rights such as in respect of statutory leave entitlements).

It is important that personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. You may provide updated information to HR or (for current employees) via Sumo HR or (for current contractors) via Partners Portal.

If you are an employee, this notice should be read in conjunction with the Employee Handbook, which contains further details about our policies and processes, and any other privacy notices made available to you from time to time.

While this notice is intended to provide an overall description of our processing activities globally, processing activities may be more limited in jurisdictions where restricted by local laws. In such instances, we adjust our internal policies accordingly.

How do you contact us?

If you have any questions or comments about this privacy notice, please contact the Sumo Group data privacy team using the following email address:

Email: data@sumogroupltd.com

If we can’t resolve your issue, you can also get in touch with the regulator. In the UK this is the ICO: https://ico.org.uk/concerns.

If you live in Europe, you may also submit concerns to the supervisory authority in your country.

What are your rights?

You have the following rights, although these rights may be limited in some circumstances:

  • Ask us to send a copy of your data to you or someone else
  • Ask us to restrict, stop processing, or delete your data
  • Object to our processing of your data
  • Object to use of your personal data for direct marketing
  • Ask us to correct inaccuracies in your data

If we rely on consent to process your data, you can withdraw your consent by contacting us via the email address above.

 

2. Your personal data and how we use it

This section sets out the different types of personal data we process about you, and the purposes for which we use it. It also explains where we get the information, and who it is shared with. For further information on the purposes for which this personal data is used, please refer to section 3.

Your data

Purpose of processing

Sources

Contact Data

 

  • Name

  • Address, telephone, email and other contact (personal and work) details

  • Age, gender (voluntary), ethnicity (voluntary), sex, marital status (voluntary), location

How long we keep it

 

Until up to 7 years from the end of the tax year when our relationship with you ends.

  • Recruitment

  • Right to Work

  • Employment

  • Leave Administration

  • Finance & Accounting

  • Benefit Administration

  • Health & Safety

  • Crime & Fraud

We collect this information from you directly, or from our/your recruitment consultants or platforms.

Recruitment Data

 

  • CV, portfolios, professional and academic qualifications and experience

  • Details of educational background, copies of diplomas, degree certificates, transcripts, training records and other evidence of academic achievement or work experience

  • Skills and language capabilities

  • Professional licences, certifications, accreditations or memberships

  • Information supplied in interview or through assessments or telephone-screening

  • References

  • Offer letters and associated correspondence

  • Personal data in your CV or provided in relation to your recruitment.

  • Inferences and opinions drawn from Recruitment Data.

How long we keep it

 

7 years from when our relationship with you ends. Or, if you apply for a job, and are unsuccessful, for at least 4 weeks and up to 6 months after notifying you of the outcome (or up to 12 months if we ask for and receive your consent to retain this information in order to let you know of future opportunities). If you are a non-active contractor, for up to 4 years if you give us your consent to retain your information.

  • Recruitment

  • Right to Work

  • Employment

  • Health & Safety

  • Crime & Fraud

We collect most of this information directly from you. We may also receive information from our/your recruitment consultants or platforms. We may also obtain some of this from public social media profiles, from your referees, academic institutions, and professional accreditation bodies.

Benefit Data

 

  • name, Payroll Giving Agency ID, donation amounts, destinations, and frequency;

  • confirmation of whether you have applied for Cycle to Work or ULEV schemes;

  • for the ULEV scheme we share your tax code, salary, and salary sacrifice deduction amounts with the provider of the scheme.

 

How long we keep it

 

7 years from when our relationship with you ends.

  • Benefit Administration

  • Finance & Accounting

We either collect this information from you, or we receive it from the third party benefit partner (for example, where UK employees use Payroll Giving, our agencies Charitable Giving or Hands on Payroll Giving Ltd let us know how much each employee would like to donate).

Right to Work Data

 

  • ID and right to work documentation (e.g. driving licence, work permits, birth certificates, residency status, passport, visas, citizenship documentation)

 

How long we keep it

 

7 years from when our relationship with you ends.

  • Recruitment

  • Right to Work

  • Employment

  • Crime & Fraud

Sources

 

We generally collect this information from you but may compare it with information held by us or available on public records.

Key Contact Data

 

• Spouse, partner, next of kin, other eligible dependents and beneficiaries, and emergency contact details including email, address, telephone number.

 

How long we keep it

 

Until 12 months after our relationship with you ends or, if longer, until 7 years after the date upon which any benefits or other duties are due to such key contacts.

  • Benefit Administration

  • Health & Safety

  • Crime & Fraud

We collect this information from you. Please ensure that, where you provide us with this sort of information, the individuals concerned receive a copy of this policy and are happy for you to provide their information.

HR Data

 

  • Role, contract, date of (and reasons for) hire, start, promotion, resignation, termination, employee ID number
  • Pension and benefits (e.g. medical, dental, retirement, life insurance) information
  • Salary, bonuses, rewards, sick pay, compensation history, student loan, and bank details
  • National Insurance, PAYE, tax, social security, residency, other taxpayer or government identification numbers, and payroll, payslip records, and tax status information
  • Driving details (copy of licence, licence number, vehicle registration, motor insurance including cover for business use)
  • Driving history where company cars are used (such as relating to parking fines, collisions, accidents, related insurance claims)
  • Personal vehicle information (including vehicle registration, type, manufacturer, model, engine size and fuel type)
  • Clothing size
  • Location of workplace
  • Working hours, time records, flexible working requests, work history, training records
  • Performance history, achievements, letters of recommendation, complaints and awards
  • Performance review, appraisals, hearing, investigation, warning, disciplinary and grievance records (including records of monitoring compliance with and enforcement of policies)
  • Absence and leave data (including sickness, paternity/maternity/adoption, shared parental, annual and other leave, and associated forms, certificates and other related documentation)
  • Payment information for business credit or debit cards, limits, account details, how and where they are used or authorised for use.


How long we keep it

 

Until up to 7 years from the end of the tax year when our relationship with you ends.

  • Recruitment
  • Right to Work
  • Employment
  • Leave Administration
  • Finance & Accounting
  • Benefit Administration
  • Health & Safety
  • Diversity Monitoring
  • Crime & Fraud
  • Monitoring & Security

We collect much of this information from you directly.


Some of this information is generated by you or us in the course of your work with us.

Certain other information, for example relating to your performance, may be collected from colleagues and others you work with.

We may also receive some of this information from HMRC or other authorities, or from benefit providers, or corporate credit or debit card providers and other suppliers we work with.

Employee Stock Information

 

  • Details of share, option, distribution or similar entitlements and holdings.

How long we keep it

 

We keep this information for as long as you have any such entitlement, for 7 years thereafter, and otherwise for as long as necessary for us to comply with our legal obligations.

  • Recruitment
  • Employment
  • Finance & Accounting
  • Benefit Administration
  • Diversity Monitoring
  • Crime & Fraud
We may collect this data from you. We may also generate some of this information ourselves and/or obtain it from public registers (for example Companies House).

Work Data

 

  • Information produced during your engagement or employment, including email, voicemail, correspondence, calendar items, usernames, paper and electronic documents, and other work product and communications created, stored, transmitted or accessed via our networks, software, devices (such as work mobile, laptop or other equipment) or systems.
  • Content featuring you produced for use on our website, social media or other marketing, such as your website photograph, audio, videos, articles, blog posts, speech transcripts.

 

How long we keep it

We keep this information until it is no longer necessary for the purpose of operating our business, and for at least 7 years following the end of your engagement/employment.

  • Recruitment
  • Right to Work
  • Employment
  • Leave Administration
  • Finance & Accounting
  • Benefit Administration
  • Diversity Monitoring
  • Health & Safety
  • Monitoring & Security
  • Crime & Fraud

We collect much of this information from you directly.

Some of this information is generated by you or us in the course of your work with us.

Certain other information, for example relating to your performance, may be collected from colleagues and others you work with.

We may also receive information from our clients or suppliers and others we work with.

Equality Data

 

  • Information relating to race, health, disability, ethnicity, gender identification, sex, nationality, religious beliefs, sexual orientation, philosophical or political opinions, your preferred pronouns.
  • Diversity Monitoring
  • Finance & Accounting
We collect this from you directly on a voluntary basis.

Health Data

 

  • Information regarding your health, including any disability or medical conditions, your dental, health and sickness records, information about physical limitations, visual or hearing impairment and special needs.
  • Benefit Administration
  • Health & Safety
We collect this from you directly (on a voluntary basis) but may also receive certain information from occupational therapists and medical professionals such as your GP.

Vetting Data

 

  • Information regarding criminal convictions & offences, inc. criminal record checks
  • Credit reference agency checks

 

How long we keep it

 

Unless indicated otherwise in this policy, we do not store this once reviewed, but we do record that we undertook vetting checks in line with our policies and procedures, and we keep that record for 6 years after the date on which our relationship with you ends.

  • Employment
  • Right to Work
  • Health & Safety
  • Crime & Fraud
We collect this from you directly, from public authorities, or credit reference agencies.

Survey Data

 

  • Your responses to employee and/or contractor surveys (if not anonymised)

 

How long we keep it

 

After 12 months underlying data is deleted, but we may retain anonymous, aggregated statistics generated from that data. We may undertake exit surveys with departing employees, and answers volunteered to those surveys are retained for 6 years.

Our purpose (and legal basis) for surveys will be explained when each such survey is sent out. We collect survey information from you directly.

IT & Security Data

 

  • CCTV footage (retained for up to 90 days unless longer retention is required for the purposes of an investigation)
  • Key/swipe card and other security pass identifiers, photographs and ID
  • Date, time, nature and location of access to (or through, including internet activity, browsing/search history, and interaction with websites and applications) our systems, data and premises
  • Details of phone, laptop, computer and other devices used to connect to our systems or otherwise in the course of your work
  • Usernames and passwords

Purposes

  • Employment
  • Health & Safety
  • Monitoring & Security
  • Crime & Fraud

More information

Please also refer to our CCTV policy.

We collect some of this information from you directly, and some of it is collected through our systems as you use them or from our information technology and security service providers.

Where explicit retention periods are not described above, we hold data for as long as necessary bearing in mind the purpose for which it was collected. At the end of the retention period, we assess whether it is necessary to continue to retain information to achieve the purposes for which it was collected. To determine appropriate retention periods, we consider the amount, nature, and sensitivity of the data, the potential risk of unauthorised access, and legal requirements.

 

3. Purposes and lawful basis

This table sets out in more detail the purposes for which we process personal data. It also explains the legal basis for that processing.

Purpose Our legal basis for this processing

Recruitment

 

We use this information to make a decision about your recruitment or appointment, or your promotion, and to determine the terms on which you work for us, and whether you are suitable for the role you are applying for (internally or externally)

Our and your legitimate interests in ensuring that you are the right candidate for the role, suitably qualified and experienced, and that the terms of your prospective engagement meet our mutual expectations and our business objectives.

Right to work

 

Our legal obligation to ensure you are entitled to work for us in the country where you are engaged.

Diversity Monitoring

 

We use this information to ensure meaningful equal opportunity in our workplace, to monitor and report on the same (including in respect of diversity generally, pay equity, and otherwise) and to ensure employees and/or contractors are referred to using the pronouns they prefer where feasible.

Our legitimate interest (and your interest, and that of the public) in identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained, and in seeking to ensure our personnel are referred to using the pronouns they prefer.

Employment (inc. contractor engagement)

We use this information to:

(i) administer the contract we have entered (or will enter) into with you;

(ii) provide access to our systems, services, premises & facilities;

(iii) arrange travel, visas, accommodation and insurance (e.g. motor insurance for business where applicable, or insurance for remote working equipment stored at your home);

(iv) enable your education, and to support training and development requirements;

(v) manage HR processes e.g. performance, disciplinary, and grievance reviews and procedures, salary reviews, and to deal with legal disputes which might involve you;

(vi) make decisions about your continued employment or engagement, making arrangements for the termination or expiration of our working relationship with you;

(vii) assess your qualifications for a particular job or task, and enable you to discharge your duties;

(viii) notify employees and contractors (e.g. via SMS or telephone) if there is an issue affecting a studio (such as a power cut or internet outage);

(ix) promote our business and personnel, for example by providing an employee bio with our business partners;

(x) send promotional or “thank-you” items to employees and/or contractors;

(xi) maintain a profile for our personnel which is available to all employees internally in our directory, which includes information such as your name, address, telephone number, email, job role and title, and reporting lines;

(xii) produce & distribute promotional written and audio-visual content, including video of our events, offices and staff;

(xiii) conduct data analytics studies to better understand our retention and attrition rates.

We process personal data for this purpose to:

(i) perform our agreement with you, or to take steps prior to entering into such agreement;

(ii) pursue our and your legitimate interests, being our mutual legitimate interests in ensuring our business and your contribution to it are successful, that you are able to, and do, discharge your duties, that performance is recognised or rewarded appropriately, that developmental needs are understood and met and that disciplinary matters and concerns are understood and addressed correctly (sometimes, where multiple Sumo Group companies work together on a project, they are joint controllers processing personal data on this basis, to the extent necessary for these purposes); and

(iii) comply with our legal obligations.

Leave Administration

 

We use this data to administer statutory and contractual leave entitlements including sickness and other absences.

Our respective legitimate interests in ensuring absence and cover are dealt with appropriately.

To perform our contractual obligations to you and to comply with our legal obligations.

Finance & Accounting

 

We use this information to pay you (salary and expenses, e.g. fuel/mileage where authorised) and, if you are an employee, deduct tax and National Insurance contributions, and for the purposes of maintaining our accounts.

To perform our contract with you, or take steps requested by you prior to entering a contract, and to comply with our legal obligations.

We may also process this personal data for tax management and planning, audits, and for BFI certification, in pursuit of our and your legitimate interests in Sumo maintaining BFI certification, complying with audits and managing tax liability.

Where necessary to comply with group legal tax and accounting obligations, this information may be shared with and processed by Sumo Group Limited and/or Sumo Digital Limited.

Sumo Group Limited, Sumo Digital Limited, and the Sumo Group company which engages or employs you, may also process certain Finance & Accounting information for the purpose of tax and financial planning and management, as joint controllers, in pursuit of their legitimate interests in managing the Sumo Group finances effectively.

Benefit Administration

 

We use this information to administer and provide pension contributions, the employee assistance programme, employee share plans, life assurance, and similar support, and any other memberships or benefits we may agree with or offer to you from time to time, and to liaise with associated benefit providers, for example:

(i) we upload name, email address, employee number and studio to the Reward Gateway platform so you can use it to claim rewards where available;

(ii) for UK employees using Payroll Giving we receive information about how much and how often employees wish to donate, so we can make relevant deductions, and we also notify Charitable Giving via a summary of employees, payroll numbers, amounts donated and to whom, so they can make donations to the relevant charities;

(iii) we provide names and emails to benefit providers where necessary to grant you access to use their platforms (e.g. to Lifeworks, UChoose, and Help@hand which are provided by Unum Limited, and to Udemy) along with details of benefits to which certain staff are entitled where applicable (in particular, to UChoose);

(iv) we share your tax code, salary and deduction information with Knowles Associates TFM Limited so they can administer the ULEV scheme.

To perform our contract with you, or take steps requested by you prior to entering a contract, and to comply with our legal obligations.

Where benefits are discretionary and non-contractual we process this data on the basis of our and your legitimate interests in the provision of benefits to you.

For healthcare and associated insurance purposes, with their consent, we may also process and share (with benefit providers) information about your spouse, partner or dependents (including birthdate, phone number, social security number, and tax identification number).

Where necessary to comply with group legal tax and accounting obligations, financial information relating to benefits may be shared with and processed by Sumo Group Limited and/or Sumo Digital Limited.

Sumo Group Limited, Sumo Digital Limited, and the Sumo Group company which engages or employs you, may also use certain information about benefits on offer, their cost and utilisation, and feedback, as joint controllers, in pursuit of legitimate interests in ensuring an appropriate range of benefits are offered by companies in the Sumo Group.

Health & Safety

 

We use this information to assess fitness to work, carry out desk audits, assess needs and reasonable adjustments, to ensure the health and safety of our personnel and applicants, and to record accidents at work. We may also use Key Contact Data to communicate with a designated third party in the event of a medical emergency, disaster or similar.

To meet our legal obligations, to perform our contractual obligations, and to pursue our and your mutual interests in ensuring health and safety in the workplace.

Crime & Fraud

 

We use this information to detect and prevent fraud and other crime.

Certain clients who grant our employees and contractors access to sensitive data, facilities, or systems, expect us to take exceptional precautions. These may from time to time include carrying out background checks on relevant individuals before access is granted, to prevent fraud and other crime.

In those cases, if relevant to you, we will let you know what information is required for the checks, you will be entitled to opt-out of the relevant project if you prefer not to undergo those checks, and if you do complete the checks we will let the relevant client know whether or not you passed them.

To meet our legal obligations, and pursue our legitimate interest in detecting and preventing crime, and harm to our property or personnel or that of our clients.

In certain exceptional cases we may also ask for your consent to vetting where appropriate.

Monitoring & Security

 

We use this data to keep track of attendance, monitor use of information & communication systems, to monitor compliance with our IT policies, and to ensure network & information security (including detecting, and preventing unauthorised access to computer & electronic communications systems, and preventing the distribution of malicious software).

We process personal data for this purpose to:

(i) pursue our legitimate interests in monitoring compliance with terms of employment (or engagement) and policies and procedures, identifying breaches of the foregoing, and preventing and detecting unauthorised use of or access to our systems (this information may also be shared with and processed by Sumo Digital Limited either independently or as a joint controller, on this basis, for these purposes); and

(ii) comply with our legal obligations.

 

 

4. How we use particularly sensitive personal information

We only process sensitive “special category” personal data where appropriate given the nature of the data and processing, and where we are legally able to do so.

Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing of special category data must meet certain criteria under the UK GDPR and GDPR. Restrictions also apply to criminal offence data. We may process special categories of personal data and information about criminal offences, where criteria apply as set out in the table below.

Criteria

Processing

Article 9(2)(b): where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment, social security or social protection

Examples of our processing include monitoring sickness leave, paternity/maternity absences, or to make reasonable adjustments, ensure your health and safety in the workplace, assess your fitness to work, and to administer benefits such as health insurance.

Article 9(2)(f): for the establishment, exercise or defence of legal claims

Examples include processing relating to any employment tribunal or other litigation.

Article 9(2)(a): Explicit consent

We may ask for consent to process special category data from time to time, such as if we ask about dietary requirements, or seek information as part of voluntary surveys.

Where you are included in and identifiable from a video/photograph used for promotional purposes, if that entails sharing/processing of information about your health, racial or ethnic origin, or similar, we will let you know in advance and seek your consent, so you can object if you are not comfortable with such use of material.

Article 9(2)(c): Where processing is necessary to protect the vital interests of the data subject or of another natural person

Examples of our processing include using health information about employees and/or contractors in a medical emergency.

We may process criminal offence data under Article 10 of the GDPR

We will only collect information about criminal convictions if it is appropriate given the nature of the role or task, and where we are legally able to do so.

Examples may include pre-employment checks and/or declarations by employees, or additional background checks where appropriate for the purpose of preventing fraud or other crime, or with consent, when access is given to sensitive data, systems, or facilities of certain customers.

 

 

5. Storage, transfers, and disclosure

Storage & Transfers

Your personal data is normally securely stored in the UK, European Economic Area or in the country where the Sumo Group entity which engages or employs you is based. We use technical and organisational measures to protect personal data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.

Where we use data processors outside the UK and European Economic Area, or otherwise transfer personal data to a country which does not provide an adequate level of protection (for example, we may transfer personal data to other Sumo Group companies based around the world including, without limitation, if you relocate to a different country) we use contracts or other safeguards which give personal data the same or equivalent protection it has in Europe or the UK. Let us know if you would like further information.

Disclosure

We may disclose your personal data as follows:

  • Where required by law, government, regulators and other competent authorities or the courts or to establish, exercise or defend our legal rights, and for the purposes of preventing crime and fraud (for example, we may share personal data with our professional advisors, investigators, or credit reference agencies).
  • Your personal data is shared with the relevant tax authorities in order for us to comply with our legal obligations.
  • Promotional photographs, video and audio recordings, and your professional bio may be shared through our website, social media, brochures and other promotional channels.
  • To your colleagues, our HR, IT and other departments, members of our corporate group, insurers, bankers, auditors, and legal advisers.
  • With our service providers and subcontractors, provided they use that personal data on our instructions and not for their own independent purposes. Please refer to the box below (“Suppliers”) for detail.
  • To clients, colleagues, and commercial contacts, where necessary for the purposes set out in this policy.
  • If involved in an investment, merger, acquisition, or sale of our organisation or assets, data we hold may be shared on the basis of legitimate interests of us, shareholders, customers and other parties to a transaction if not outweighed by prejudicial impact upon you.
  • In order to ensure you are able to take advantage of employee share/option schemes, we may disclose details about you such as your name, identification (such as passport) number, date of birth, nationality, to other members of the Sumo Group.
Suppliers

Suppliers who may receive your personal data for the reasons set out in this policy include the following:

  • Lever, Inc. in the USA operate the platform we use to accept and manage job applications.
  • We use Yoti Ltd to undertake Right to Work checks.
  • Shortlist (Partners Portal)
  • Local/global employment organisations (where employees and/or contractors move abroad)
  • Delivery/courier companies (for delivering equipment and similar)
  • Occupational health therapists (where you consent)
  • We may use recruiters to identify candidates for open positions.
  • We use third party suppliers to administer payroll, pension and other benefits, share plans, IT support, travel booking, DSE assessments, insurance, our learning & development platform Dojo, training courses, employee engagement surveys (where we may use Best Companies).
  • For benefits such as medical insurance, personal data may also be provided directly by you to the third party service provider.
  • We use a range of other suppliers to provide our business infrastructure, including email service providers, web hosts, IT support consultants, CCTV operators, and suppliers of security technology (e.g. swipe-card access systems).
  • Advance IT Solutions Limited (where employees are lone working in a studio and have consented to using a lone worker alarm for their own health and safety)

For further information get in touch using the contact details at the start of this policy.

 

 

Updates to this privacy notice

Date: Change Summary

18 August 2023: Addition of “Finance & Accounting” into “2. YOUR PERSONAL DATA AND HOW WE USE IT” within the column “Purposes of processing” for the sub-section “Equality Data.”

27 November 2023: Addition of “ethnicity (voluntary)” into “2. YOUR PERSONAL DATA AND HOW WE USE IT” within the column “Your Data” for the sub-section “Contact Data.”