Personal data is processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable national and European privacy legislation and regulations (together the “data protection law”).
To the extent the company decides why and how personal data is processed, the company is a data controller of such personal data.
The company may process personal data of, for example, employees, former employees, and their family members, temporary workers, self-employed persons, job applicants, contractors, supplier contacts, customers, and visitors.
3. TYPES OF PERSONAL DATA
3.1 Employees and Contractors
The company collects and processes personal data in relation to our employees, candidates for employment and contractors, as well as our former employees and former contractors. This personal data includes: personal details such as name, date of birth, social security number, bank account details, next of kin, details of social media accounts, visa / passport data; contact details such as address and phone number(s); personnel file details including, for example, terms and conditions of employment, training, performance evaluations, promotions, personal development plans, conduct and disciplinary data, work location, salary information, bank account details and tax and social security numbers, security clearances; employment history/application details such as educational history and employment history; editorial or journalistic content such as links to works e.g. links to video files or audio files; medical information such as medical certificates and sick notes; family details such as names and dates of birth of children (e.g. relevant if an individual is applying for parental leave); details required for pension; details regarding trade union membership; and performance related data such as performance management ratings for managers and annual incremental salary reviews of employees, psychometric testing, etc. The above list is not exhaustive but covers the most commonly collected, used and otherwise processed personal data.
3.2 Suppliers and Customers
The company collects and processes personal data in relation to individuals who are, and/or are working with, our suppliers and customers. This personal data may include: personal details such as name, title, position, work identification numbers, department, business unit (including contact data collected for training / verification); and contact details such as email address, telephone number(s) and work location; and tax information such as tax numbers.
3.3 Special Categories of Personal Data
The types of special categories of personal data that the company may process include, without limitation, health data, information on criminal convictions and biometric data. The company processes all personal data in accordance with data protection law, and, in particular, any special categories of personal data.
4. PURPOSES OF PROCESSING
The company processes personal data for the purpose(s) for which the personal data has been obtained.
Common examples of the reasons why the company processes personal data include: payroll and benefit administration; HR, performance and talent management; marketing and PR; improvement of business products and services; research and statistical analysis; business strategy; internal audits or investigations; prevention and detection of unlawful and/or criminal behaviour towards us or our customers and employees; and/or fulfilling legal obligations. We may process personal data for other reasons from time to time.
The company tries to ensure individuals are informed about the purpose(s) for processing their personal data at the time the company collects consent. Where this is not possible or practical, the company tries to inform you as soon as possible after the processing of personal data. Individuals have the right to withdraw consent at any time.
The company may process the personal data of various individuals (for example, employees, contractors and candidates for employment) for talent management and workforce evaluation (to potentially include attendance and performance analysis).
The company engages in such processing where: (a) expressly authorised by national law (including for fraud and tax-evasion monitoring); (b) necessary for the entering into or performance of a contract; or (c) the individual has given appropriate consent.
6. INDIVIDUAL RIGHTS
Individuals have certain rights under data protection law.
6.1 Inspection and Access: you can request from us a summary and a copy of your personal data which we process or which is processed on our behalf;
6.2 Correction/Addition: where you believe your personal data is inaccurate or incomplete, you are entitled to request us to correct or amend your personal data;
6.3 Objection: you may object to us processing your personal data based on our legitimate reasons for processing;
6.4 Restriction: you may request that we restrict the processing of your personal data where the accuracy of your personal data is contested, our processing is unlawful, you believe we no longer need the personal; and
The company’s Individual Rights Procedure explains how the above requests can be made and how the company will manage these requests.
7.1 Security Measures
The company has technical and organisational measures in place to protect personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.
Personal data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, and various IT measures.
For more information on the company’s security measures, please see the Information Security Policy.
7.2 Personal Data Breach
The company will manage a data breach in accordance with the personal data breach reporting procedure. For guidance on how to identify and report a data breach please refer to our Personal Data Breach Procedure.
8. DISCLOSING PERSONAL DATA
From time to time, the company may disclose personal data to third parties, or allow third parties to access personal data which we process (for example where a law enforcement agency or regulatory authority submits a valid request for access to personal data).
The company may also share personal data: (a) with another member of the CRH Group (including our subsidiaries, our ultimate holding company and its subsidiaries); (b) with selected third parties including business partners, suppliers and sub-contractors; (c) with third parties when we sell or buy any business or assets; or (d) if the company is under a legal obligation to disclose personal data.
This includes exchanging information with other companies and organisations for the purposes of fraud prevention.
Where the company enters into agreements with third parties to process personal data on our behalf it will ensure that the appropriate contractual protections are in place to safeguard it. Examples include communications providers, payroll service providers, occupational health providers, marketing or recruitment agencies, operators of data centers used by the company, etc.
9. DATA RETENTION
The company keeps personal data only for as long as the retention of such personal data is deemed necessary for the purposes for which that personal data are processed. Personal data is retained in accordance with relevant laws and company guidelines.
10. DATA TRANSFERS OUTSIDE THE EEA
11. ROLES AND RESPONSIBILITIES
12. COMPLAINTS PROCEDURE
13. ASSOCIATED POLICIES
This policy should be read in conjunction with the following policies and procedures:
• Personal Data Breach Procedure
• Individual Rights Procedure
• Information Security Policy
• Website Privacy Statement
Date: 1st May 2022
Annex I - GLOSSARY
“CCM” means the country compliance manager for the company;
“Cross-border processing” arises where: (a) we are established in more than one EU member state and our processing of personal data takes place in more than one EU member state; or (b) while our processing of personal data takes place in only one EU member state, this processing substantially affects (or is likely to substantially affect) individuals in more than one EU member state.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Data controller” means the entity that decides why and how personal data is processed.
“Data processor” means the party that processes personal data on behalf of the data controller (for example, a payroll service provider).
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal data” is any information relating to a living individual which allows the identification of that individual. A person is identifiable if his/her identity can reasonably be established from the data without any disproportionate effort. Personal data can include:
Employees and Contractors
1. Personal details such as name, date of birth, bank account details, next of kin, details of social media accounts;
2. Contact details such as address and phone number(s);
3. Personnel file details including, e.g., terms and conditions of employment, training, performance evaluations, promotions, personal development plans, conduct and disciplinary data, work location, salary information, bank account details and tax and personally identifiable numbers such as social security numbers;
4. Employment history/application details such as educational history and employment history;
5. Editorial or journalistic content such as links to works, e.g. links to show-reels or audio files;
6. Medical information such as medical certificates and sick notes;
7. Family details such as names and dates of birth of children, e.g. relevant if an individual is applying for parental leave;
8. Details required for pension;
9. Details regarding trade union membership; and
10. Performance related data such as performance management ratings for managers and annual incremental salary reviews of employees, psychometric testing, etc.
Suppliers and Customers
1. Personal details such as name, title, position, work identification numbers, department, business unit;
2. Contact details such as email address, telephone number(s);
3. Work location; and
4. Tax information such as VAT / tax numbers.
“Processing” includes collecting, using, recording, organising, altering, disclosing, destroying or holding personal data in any way. Processing can be done either manually or by using automated systems such as information technology systems and “process” and “processing” shall be interpreted accordingly.
“Profiling” is the automated processing of personal data for the purpose of assessing certain aspects relating to an individual so as to analyse or predict the individual’s performance, decisions or behaviour.
“Special Categories of Personal Data” are types of personal data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special categories of personal data also include the processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any personal data relating to criminal convictions or offences.
Annex II - COMPANY SPECIFIC PROCESSING
This annex contains additional information in respect of the way in which the company processes personal data.
1. Relevant local law and data protection regulator
In this annex, “data protection law” means the General Data Protection Regulation (Regulation (EU) 2016/679) in the EEA and the Privacy Act 1988 (Privacy Act) of Australia (including the Notifiable Data Breaches (NDB) scheme under Part IIIC).
In respect of the company the relevant local data protection regulator is the Privacy Act 1988 (Privacy Act) of Australia (including the Notifiable Data Breaches (NDB) scheme under Part IIIC).
2. Personal data processed by the company
3. Purposes of processing personal data
The company engages in the following types of profiling: Nil
5. Security measures
The company implements the following additional technical and organisational security measures to protect the personal data from unauthorised destruction, loss, change, disclosure, acquisition or access: disposing of records after statutory limits have been reached, holding HR data in lockable areas, restricting access to IT folder structures, laptop encryption, password on key HR files, contracting with key suppliers to hold personal data in confidence and for the purpose it is intended (e.g. IT service provider, document storage service provider), reporting known breaches immediately.
6. Disclosure of personal data to third parties
The company discloses or provides access to the personal data to the following additional categories of third party for the purposes explained below: CRH entities for Key Performance Indicator Reporting, Travel Agents for Travel Arrangements, Banking, Taxation & Superannuation Institutions, for the purposes of statutory compliance and payroll processing, auditors for statutory compliance.
7. Data retention periods
The company retains personal data on the basis of the following criteria: minimum periods where they are required for statutory purposes, six (6) months in the case of CVs for job applications, six (6) months for those visiting sites and two (2) months for video footage of work activities recorded for Health & Safety purposes.
8. Data transfers
The company transfers personal data to the following locations outside the EEA, for the purposes specified below, using the stated legal safeguards (a copy of which is available from the Finance Director): CRH Europe for Key Performance Indicator reporting and compliance with recruitment and procedures and the like.