Privacy policy | NBI

Personnel Privacy Notice

NBI Infrastructure Designated Activity Company t/a National Broadband Ireland and NBI Deployment Designated Activity Company t/a National Broadband Ireland and, together with our affiliates, each an “Affiliate”, “we”, “us” or “our”.

Introduction

This notice (“Notice”) has been developed to ensure our employees, contractors and consultants feel confident about the privacy and security of personal data and to meet our obligations under the General Data Protection Regulation (“GDPR”) and the data protection legislation as amended, revised, modified or replaced from time to time, and (together, the “Legislation”). Under the Legislation, ‘personal data’ is information that identifies you as an individual or is capable of doing so.

To the extent we are a ‘data controller’, we must comply with the data protection principles set down in the Legislation and this Notice applies to all personal data collected, processed and stored by us in the course of our activities. The purpose of this Notice is to set out the procedures that are to be followed when dealing with personal data and to outline how we will collect and manage personal information in accordance with all relevant legislation and standards. The procedures set out herein must be followed at all times by us, our employees, agents, contractors, consultants, or other parties working on behalf of us.

This Notice extends to all personal data whether stored in electronic or paper format.

What Personal Information do we hold?

We only hold personal data that is directly relevant to our dealings with a given data subject. That data will be collected, held, and processed in accordance with the data protection principles and with this Notice in a reasonable and lawful manner. You will be requested to provide the following information for payroll, your personal file and for the Human Resources Database:

• Identification Data – name, address, phone number, date of birth, gender and relevant national
identification number
• Bank Account details – sort code, account number and IBAN
• Emergency contacts
• Dependant data
• Prior work experiences and qualifications (CV)
• Property provided by us
• E-mail Addresses
• Marital status
• Gender
• Nationality
• Phone numbers
• Contract and commencement details
• Interview notes
• Disciplinary issues
• Health and Safety issues
• Health data

Job Applicants

Applications are currently made via our application forms in writing or via e-mail. You will receive written notification from us of receipt of your application. Your CV will be reviewed, and should your skill set and experience match a current vacancy your application will be progressed to interview stage. We hold applications and additional information which may be obtained during the course of the interview process, such as interview notes, education qualifications etc. electronically and/or manually.

All provisions of this Notice will apply to the processing of your application. Your information may be shared with our agents or partners in connection with services that these individuals or entities perform for us, including recruitment agencies. These agents or partners are restricted from using this data in any way other than to provide specified recruitment related services to us.

Processing Personal Data

Any and all personal data collected by us (as further detailed in Sections 2 and 3 of this Notice) is collected in order to ensure that we can provide the best possible service to our customers, and can work effectively with our partners, associates and affiliates and efficiently manage our employees, contractors, agents and consultants. We use personal data in order to ensure we are able to administer contracts with our employees, contractors, agents and consultants, and in our legitimate interests (for example in the normal course of personnel administration). We may also use personal data in meeting certain obligations imposed by law.

Business processes or personnel administration uses for personal data include:

• recruitment;
• background checks;
• changing salary;
• changing Department/ Job code;
• changing working hours;
• terminating a contract;
• process offers of employment etc. and processing work permits and visas where applicable;
• systems set up;
• processing payroll;
• processing benefits and expenses;
• arranging travel visas;
• organising training programmes; and/or
• other reasons for ordinary personnel administration not listed here.

We may also use your personal data to:

• carry out research and analysis on you;
• track your performance and keep records of your development for the purposes of annual reviews;
• communicate any changes to our policies, procedures or to your contract including
changes to salary);
• contact you or your dependants if there are any health and safety or absence issues (including long
term illness and maternity leave);
• calculate any changes in your salary, bonus or commission; and/or
• retain contact information for the purposes of returning our property e.g. security cards, mobile
phones, laptops, in connection with your departure from us.

Accuracy

We shall employ reasonable means to keep personal data information accurate, complete and up to date in accordance with the purposes for which it was collected.

All employees, contractors, consultants and other members of personnel are responsible for ensuring that they inform the HR department of any changes in their personal details. We endeavor to ensure personal information held by us is up to date and accurate.

Personnel Monitoring

We provide e-mail facilities and access to the internet. In order to protect against the dangers associated with e-mail and internet use, we may monitor e-mail and web usage. Please refer to the e-mail and internet usage policies for further details.

Do we disclose information about you to anyone else?

Personal data may be disclosed internally when passed from one department to another in accordance with the data protection principles and this Notice. Personal data is not passed to any internal department or any individual that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed. Sensitive and/or restricted information must have additional internal access restrictions as appropriate.

We shall disclose personnel information to third parties only when it is necessary as part of our business practices or when there is a legal or statutory obligation to do so. Categories of such third parties may include:

• Payroll
• bank
• pension provider
• health insurers
• human resource and recruitment partners
• authorities to whom we are legally obliged to disclose personal information, e.g. law enforcement,
tax authorities, etc.

Whenever we disclose personnel information to third parties, we will only disclose that amount of personal information necessary to meet such business need or legal requirement. Third parties that receive personal data from us must satisfy us as to the measures taken to protect the personal data such parties receive.

Appropriate measures will be taken to ensure that all such disclosures or transfers of personal data to third parties will be completed in a secure manner and pursuant to contractual safeguards.

We may provide information, in response to properly made requests, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. We may also provide information for the purpose of safeguarding national security. In the case of any such disclosure, we will do so only in accordance with the Legislation.

We may also provide information when required to do so by law, for example under a court order.

We may also transfer data to legal counsel where same is necessary for the defense of legal claims.

If there is any change in the ownership of National Broadband Ireland or any of its assets, we may disclose personal information to the new (or prospective) owner. If we do so, we will require the other party to keep all such information confidential.

We transfer certain personal data to servers in the US, on the basis set out at Section 9 below.

How long do we keep personal information?

The time period for which we retain information varies according to the use of that information. In some cases, there are legal requirements to keep data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain information no longer than is necessary for the purposes for which the data were collected or for which they are further processed. For example, we will normally retain personnel information for the duration of your contract with us and for an appropriate period thereafter to deal with any enquiries, claims or other issues arising. Personal data related to benefit entitlements will be retained indefinitely.

Personal data shall continue to be retained for the minimum period mandatory under local law. Following this mandatory period, personal data shall be retained for no longer than necessary to allow for the defence of legal claims in accordance with applicable statutory limitation periods under local law. Following the expiry of this period personal data held by us will be destroyed.

How do we protect data about you when it is transferred out of Europe?

Countries in the European Economic Area (EEA) are required to have a similar standard of protection of personal data. This is not always the case outside that area. We may sometimes transfer data outside the EEA and before doing so take steps to ensure that there is adequate protection, as required by the Legislation. For example, if we use a third party service provider in the United States to process personal data on our behalf, we will ensure that the company is subject to EU-approved “standard contractual clauses”, the US-EU Privacy Shield or another mechanism approved by the EU to enable lawful transfers of such data.

How can you exercise your rights in respect of personal information we hold about you?

We shall vindicate all your rights under the Legislation. These rights are as follows:

• your right to request from us access to personal data, and to have any incorrect personal data
rectified;
• your right to the restriction of processing concerning you or to object to processing;
• your right to have your personal data transferred to another employer or hiring organisation;
• your right to have personal data erased (where appropriate); and
• information on the existence of automated decision-making, if any, as well as meaningful information
about the logic involved, its significance and its envisaged consequences.

We do not normally rely on consent to support the processing of personnel related personal data. However, in exceptional cases where consent does apply (e.g. where you volunteer information to us to participate in a discretionary extra-curricular activity), you will have the right to withdraw it at any time.

Vindication of your rights shall not affect any rights which we may have under the Legislation.

If you want to know what personal information we hold about you or exercise any of the above rights, you can do so by making your specific request in writing to the following address: The Human Resources Department, National Broadband Ireland, 75 Merrion Square, Dublin 2.

We will confirm your request within 21 days of receipt and take action on your request within one month of receipt. We may require you to provide validation information to support your request in which case the time frame will commence upon receipt of the relevant information. If the information we hold about you is inaccurate, we request that you advise us promptly so that we can make the necessary amendments and confirm that these have been made within one month of receipt of your request. Note that business email addresses are not intended to be used for personal reasons so will not normally search business emails for personal data in the absence of a specific reason to support a contrary position.

How do we protect personal information about you?

We shall employ reasonable appropriate administrative, technical, personnel procedural and physical measures to safeguard personal information against loss, theft and unauthorised uses access, uses or modifications. All personal information stored is either password protected or is locked away in cabinets. Only a limited number of authorised personnel have access to this information. It is your responsibility to adhere to our workplace confidentiality and security policies and procedures.

How can you make a complaint to us about the use of your personal data?

Complaints on the use, retention and disposal of personal data can submitted via e-mail to the general Counsel in legal.

Review

You also have the right to lodge a complaint with your national data protection supervisory authority which in our case is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
This Notice will be reviewed and updated from time to time to take into account changes in the law and the experience of the Notice in practice. Any and all changes will be advised to personnel.