General Data Protection Regulation [GDPR]

  1. Introduction

Convertibill® is a registered trademark of Credebt Exchange Limited (“Credebt”). This Notice which is effective from 25 May 2018, describes the practices of regarding the collection, use, transfer, disclosure and other handling and Processing of the Personal Data of current and past employees, customers, suppliers, partners, agents, Originators, website visitors and all personnel that make contact with Credebt.

In particular, Credebt is committed to Processing the Personal Data of its employees in a fair, lawful and transparent manner. Accordingly, this Notice provides Credebt employees with certain information about how their Personal Data is used by Credebt. Credebt has also adopted a Privacy Policy (the “Credebt Privacy Policy”) that addresses data protection more generally. Capitalised terms used in this Notice are defined in the Glossary in Annex I to this Notice.

In relation to Personal Data provided by you to Credebt, Credebt will act as Data Controller of such Personal Data. This means that Credebt determines why and how such data is used. Credebt’s data Processing is generally undertaken in fulfilment of its legitimate interests and for the performance of contracts.

  1. What is Personal Data?

Personal data is any information relating to a living individual which allows either directly or indirectly the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable.  The type of Personal Data that Credebt collects and Processes in relation to employees is described in more detail in the table at Appendix II of this Notice.

  1. How we Collect and Use your Personal Data

The table at Appendix II also describes in detail the particular purposes and lawful basis for Credebt’s processing of employee Personal Data as required by Data Protection Law. Credebt will generally Process your Personal Data for personnel administration purposes and for purposes as necessary for and connected with the performance of contracts, such as employment contracts, and in its legitimate interests.

Credebt may obtain Personal Data about you from third parties, such as former employers, educational institutions, recruitment agencies, recruitment platforms such as LinkedIn, SimplyBook.me, government agencies, from information in the public domain and available on the internet and from other employees (e.g., other Credebt staff, members of the HR Department, etc.). We may also seek Personal Data about you from third parties in connection with: (I) locating former employees and beneficiaries for purposes of administering retirement, pension or other benefits; (II) performance evaluations; (III) academic and processional references; (IV) disciplinary matters and internal investigations; (V) purposes that relate to your employment relationship with us; and (VI) other purposes permitted in accordance with applicable law. Where we obtain Personal Data about you from third parties, we will do so in accordance with Data Protection Law.

  1. Special Categories of Data

Credebt Processes Special Categories of Data (“SCD”) relating to employees in limited circumstances, typically related to the ordinary course of personnel administration which is in accordance with the Data Protection Law.  Such Processing of SCD is permitted under several provisions of the Data Protection Law, including the following:

4.1     Article 9(2)(f) GDPR where it is “necessary for the establishment, exercise or defence of legal claims” and this ground is amplified under the Data Protection Act 2018 which permits the Processing of SCD where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights (and which may include Processing in the context of disciplinary proceedings); and

4.2     In relation to the management of medical risk and medical claims the Data Protection Act 2018 permits the Processing of SCD where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care.

  1. Your rights under Data Protection Law

5.1     Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (together the “Data Subject Rights”):

(a)      The right of a data subject to receive detailed information on the Processing (by virtue of the transparency obligations on the Data Controller);

(b)      The right of access to Personal Data;

(c)      The right to rectify or erase Personal Data (known as the “right to be forgotten”);

(d)      The right to restrict Processing;

(e)      The right of data portability; and

(f)      The right to object to automated decision making, including profiling and where processing is based on the legitimate interests of Credebt or a third party.

5.2     The Data Subject Rights are subject to certain conditions and accordingly will not be available in all circumstances.

5.3     Any data subject wishing to exercise their Data Subject Rights should contact the Credebt Andrew Hoey at legal@credebtexchange.com. Your request will be dealt with in accordance with Data Protection Law.