Privacy Notice for Contractors

Korian UK Ltd and Korian UK Estates Ltd (“we” or “Company”) are each a ‘controller’. This means that we are responsible for deciding how we hold and use personal information about you. In accordance with and as required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) and the Data Protection Act 2018, we have implemented this privacy notice to inform you, our contractor, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.

This notice applies to current and former contractors. This notice does not form part of any contract to provide skills or services. We may (and reserve the right to) update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your personal information.


Data Protection Principles

Under the UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
g) we comply with the relevant UK GDPR procedures for international transfers of personal data


Types of Data Held

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection. This is covered in a later section of this privacy notice. We keep several categories of personal data about you in order to carry out effective and efficient processes. We keep this data in a file relating to each contractor and we also hold the data within our computer systems, for example, our accounts systems.


Specifically, we collect, hold and use the following types of data about you:
a) personal details such as name, title, address, phone numbers and personal email address.
b) your photograph and any photographic ID.
c) your gender.
d) marital status.
e) confirmation of right to work status.
f) information on your race and ethnicity, religion or religious beliefs and sexual orientation for equality monitoring purposes.
g) information gathered via the contract engagement process such as that entered into an application or tender.
h) criminal conviction and offences.
i) bank account details.
j) payment rates.
k) CCTV footage.
l) building access card records.
m) IT equipment use including telephones and internet access.
n) your public liability insurance.
o) details in relation to your health and safety contractor questionnaire.


Collecting your Data

You provide several pieces of data to us directly during any contract negotiation period, for example your name and address, and subsequently upon the start of your engagement in the course of performance of the services throughout the period you are engaged by us, for example, your bank details.

In some cases, we will collect data about you from third parties, such as intermediaries who may act as an introducer.

Personal data is kept in files or within the Company’s HR and IT systems.


Lawful Basis for Processing

The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement; where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; in order to perform the contract we have with you or in pursuit of our legitimate interests. We may also use your personal data where we need to protect your (or someone else’s) interests; or where it is needed in the public interest or for an official purpose.

The information below categorises the types of data processing we undertake and the lawful basis we rely on.

Activity requiring your data | Lawful basis
Carry out the contract that we have entered into with you e.g. using your name, contact details, public liability insurance | Performance of the contract
Ensuring you receive payment | Performance of the contract
Making decisions about who to enter into a contract with | Our legitimate interests (engagement with appropriate and reputable contractors for performance of necessary services)
Business planning and restructuring exercises | Our legitimate interests (for business efficacy, succession planning and workforce management)
Dealing with legal claims made against us | Our legitimate interests (respond to and defend against legal claims)
Preventing fraud | Our legitimate interests (to prevent fraud and other illegal activity)
Ensuring our administrative and IT systems are secure and robust against unauthorised access | Our legitimate interests (to ensure adequate security of IT systems and compliance with data protection and confidentiality requirements)
Making referrals to the Disclosure and Barring Service (DBS) when required | Legal Obligation
Complying with health and safety obligations | Legal Obligation


Where we rely upon legitimate interest as a reason for processing personal data, we have considered whether or not those interests are overridden by the rights and freedoms of the contractor and have concluded that they are not.


Special Categories of Personal Data

Special categories of personal data are data relating to your:
a) health
b) sex life
c) sexual orientation
d) race
e) ethnic origin
f) political opinion
g) religion
h) trade union membership
i) genetic and biometric data.

These special categories of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

We may process special categories of data when the following applies:

a) in limited circumstances, where you have given explicit consent to the processing.
b) we must process the data in order to carry out our legal obligations.
c) we must process data for reasons of substantial public interest, such as for equal opportunities monitoring.
d) where it is necessary to protect you or another person from harm.
e) where it is needed in relation to legal claims.
f) where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
g) you have already made the data public.

In general, we will not process particularly sensitive personal data about you unless it is necessary for performing or exercising our legal obligations or rights. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. The situations in which we may process your particularly sensitive personal information are listed below:
a) We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting, and to maintain and promote equality.
b) We may use information about your physical or mental health, or disability status, to ensure that appropriate health and safety information and documentation is communicated to you and which you must comply with during performance of the services and to monitor and manage absence for business planning purposes.
c) If we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights. However, in limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data.
If this occurs, we will provide you with full details of the information that we would like and you will be made fully aware of the reasons for the processing so that you can carefully consider whether you wish to consent. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.


Failure to Provide Data

Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract with you or performing all or any part of the contract that we have entered into (such as paying you). We may also be prevented from complying with our legal obligations, such as to ensure the health and safety of our employees, workers and residents.


Criminal Conviction Data

We envisage that we may hold information about criminal convictions. We will only collect criminal conviction data where it is appropriate given the nature of the services you are to provide to us and where the law permits us. This data will usually be collected during contract negotiation; however, it may also be collected during your engagement where you or one of your employees carries out any work on our behalf in relation to a regulated activity. We use criminal conviction data to determine your suitability, or your continued suitability for the engagement. We rely on the lawful basis of a legal obligation and legitimate interests (to ensure that our engagement practices help us attract and retain suitable contractors to provide care and support to our residents and their families) to process this data. We have in place appropriate safeguards which we are required by law to maintain when processing such data.


Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


Who We Share Your Data With

We will share your personal data where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. Employees within our company who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out of performance-related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with the UK GDPR.

Data is shared with third parties for the following reasons:
• With our External Payroll Partner for the administration of Payroll (performance of the contract)
• With our Employment Law and Health and Safety advisors to advise us on employment law and health and safety related matters (legitimate interests)
• With CQC inspectors, Local Authority Safeguarding Teams, the Police, the Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC) in order to comply with a legal obligation upon us.
• For audit purposes, the Company Statutory Auditors will review information containing personal information in order to comply with a legal obligation upon us
• With HMRC for payroll purposes in order to comply with a legal obligation upon us (including regular assessment as to whether a contractor may fall inside or outside IR35 and taking any appropriate actions as a result of such assessment).
• With Insurance companies for any claims made (legitimate interests)


We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. Where your personal data is shared in the context of a Company sale or restructure, we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, or in order to provide services to us.

All our third-party service providers and other entities in the Company group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will transfer the personal information we collect about you to countries within the European Economic Area in order to perform our contract with you. There are adequacy regulations in respect of those countries within the European Economic Area. This means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.


Protecting Your Data

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. This notification will be made without undue delay and may, dependent on the circumstances, be made after the supervisory authority is notified.

The following information will be provided when a breach is notified to the affected individuals:
a) A description of the nature of the breach
b) The name and contact details of the data protection officer where more information can be obtained
c) A description of the likely consequences of the personal data breach
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.


Retention Periods

We only keep your data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, which will be at least for the duration of your engagement with us though in some cases we will keep your data for a period after your engagement has ended. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Some data retention periods are set by the law. Retention periods can vary depending on why we need your personal data; however, our standard retention period is 6 years after expiry or contract completion.


Automated Decision Making

Automated decision-making means making a decision about you using no human involvement e.g. using computerised filtering equipment. We are allowed to use automated decision-making in the following circumstances:

1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.


Data Subject Rights

Under certain circumstances, you have the following rights in relation to the personal data we hold on you:
a) the right to be informed about the personal data we hold on you and what we do with it;
b) the right of access to the personal data we hold on you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
c) the right for any inaccuracies in the personal data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
d) the right to have personal data deleted or removed in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. This is also known as ‘erasure’;
e) the right to restrict the processing of the personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
f) the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
g) the right to object to the inclusion of any personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes; and
h) the right to regulate any automated decision-making and profiling of personal data.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.

Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.

Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with, and an explanation of the reason will be provided.



Where you have provided consent to our collection, processing or transfer of your personal data for a specific purpose, you also have the right to withdraw that consent at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will stop processing your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.


Making a Complaint

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.


Data Protection Compliance

We have appointed a Data Protection Officer to oversee compliance with this privacy notice.
If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Officer.
Our Data Protection Officer is:
• Leah Smith
• Chief HR Officer
07826 133549