DPR Group Privacy Statement for Employees, Contractors and Candidates
About DPR Group
DPR Group is a fast growing Private Equity-backed leading provider of origination and servicing software solutions for banks, building societies and specialist lenders in the UK and Europe. Having received Private Equity investment in June 2017, we are seeking to accelerate our growth through acquisition as well as organic growth.
Our software solutions span across residential and commercial mortgages, personal loans, equity release and savings. We are driven by a desire to maximise operational efficiency and drive down costs across the sector through the innovative use of technology.
Our clients range from large high-street names to smaller niche providers and challenger banks.
DPR Group Limited (Reg. no.04438029)
DPR Consulting Limited (Reg. no.03178610)
Personal data definition
Personal data, or personal information, means any information about an individual from which that individual can be identified. It does not include data where the identity has been removed (anonymised data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
The kind of personal data DPR Group holds
We may collect, store and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers and personal email addresses
- Date of birth
- Marital status and dependants
- Next of kin and emergency contact information
- National Insurance number
- Bank account details, payroll records and tax status information
- Salary, annual leave, pension and benefits information
- Employment start date and end date
- Location of employment or workplace
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
- Employment records (including job titles, work history, working hours, training records and professional memberships).
- Compensation history (including bonus payments)
- Performance information
- CCTV footage
- Access control data
- Information about your use of our information and communications systems
- Personal emails sent to your email address
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs or sexual orientation
- Information about your health, including any medical condition, health and sickness records
- Information about criminal convictions and offences
How your personal information is collected
We collect personal information about employees and contractors through the application and recruitment process, either directly from candidates, from recruitment agencies, through referrals or our background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
We will collect additional personal information in the course of your employment-related activities while you work for us.
How your personal data will be used
We request, hold and process personal data about you for the following purposes:
Where processing is necessary for the fulfilment of a contract, or where specific steps have been taken before entering into a contract. These activities include:
- Determining the terms on which you work for us
- Providing benefits to you, including:
- Life assurance
- Income protection
- Childcare vouchers
- Private medical insurance
- Season ticket loan
- Conducting performance reviews, managing performance and determining performance requirements
- Assessing qualifications for a particular job or task, including decisions about promotions
- Making a hiring decision
- Making arrangements for the termination of our working relationship
- Education, training and development requirements
- Making decisions about your continued employment or engagement
- For disaster recovery cascading as part of our business continuity plans
Where the processing is necessary for the compliance with the law. These activities include:
- Checking you are legally entitled to work in the UK
- Paying you and, if you are an employee, deducting tax and National Insurance contributions
- Managing disciplinary and grievance procedures
- Gathering evidence for possible grievance or disciplinary hearings
- Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- Ascertaining your fitness to work
- Managing sickness absence or maternity/paternity/adoption leave arrangements
- Complying with health and safety obligations
Where processing is necessary for legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect personal data which overrides those legitimate interests). These activities include:
- Making decisions about salary reviews and compensation
- Making budgeting decisions
- Monitoring your use of our information and communication systems to ensure compliance with our IT policies
- Ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- Conducting data analytics studies to review and better understand employee retention and attrition rates
- Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme:
- To prevent fraud: preventing or detecting unlawful acts
- Equal opportunities monitoring
Disclosure of your information to third parties
Your information may be shared with our appointed third-party agents and suppliers in order to support our processing. These third parties will only have access to your information in order for them to perform specific tasks with a lawful basis and they may not use it for any other purposes.
We may also pass your information on to financial organisations, credit reference agencies and tracing agencies. We may disclose your information to our professional advisers for the purpose of obtaining professional advice or to other third parties if we have a legal obligation to do so. We may also disclose your information to a purchaser in the event of a sale of the whole or a relevant part of our business. We reserve the right to monitor, review, retain and/or disclose any information as necessary to satisfy any applicable law, regulation, legal process or governmental request.
Should there be any change to your personal details in the future (i.e. change of name, address, telephone number, bank account, next of kin, etc.) you are asked to notify us promptly. This will ensure we maintain accurate personal details. If it becomes our intention to use your information for any other reason, we shall advise you of those intentions prior to using the information for the additional purpose(s) as well as advising you of any other details within this statement which may be affected.
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform our contract with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use particularly sensitive personal information
”Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations or exercise rights in connection with employment.
- Where it is needed in the public interest, such as for equal opportunities monitoring, in relation to your occupational pension scheme or through protecting the public against dishonesty.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Our obligations as an employer
We will use your sensitive personal information in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family-related leave, to comply with employment and other laws.
- We will use information about your physical or mental health or disability status to ensure your health and safety in the workplace, to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- Criminal record information.
Information about criminal convictions
We only request criminal record information for senior roles in the organisation. We will collect information about criminal convictions as part of the recruitment process, and it will be used to determine your suitability for a position that you have applied for.
We may have to share your data with third parties, including third-party service providers and other entities in the group.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EEA. If we do, you can expect a similar degree of protection in respect of your personal information.
We might share your personal information with third parties.
We will only share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest for doing so.
Which third-party service providers process your personal information
”Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group.
The following activities are carried out by third-party service providers:
- Managing your employee data
- Pension administration
- Benefits provision and administration
DPR Group Ltd will take all steps reasonably necessary including policies, procedures and security features to ensure that your data is treated securely and protected from unauthorised and unlawful access and/or use, and in accordance with this notice. Unfortunately, the transmission of information via the internet is not completely secure and, although we will do our best to protect your personal data transmitted to us via the internet, we cannot guarantee the security of your data transmitted to our website from your device. Any transmission is at your own risk.
Sending personal data internationally
We do not envisage transferring any information about or relating to individuals to anyone located outside of the European Economic Area (EEA).
We will only send your data outside of the EEA to:
- Follow your instructions.
- Comply with a legal duty.
If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We will use one of these safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. You can find out more on the European Commission Justice website: http://ec.europa.eu/justice/dataprotection/international-transfers/adequacy/index_en.htm
- Put in place a contract with the recipient that means they must protect it to the same standards as the EEA. You can find out more about this on the European Commission Justice website: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
- For data sent to the USA, transfer it only to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA. You can find out more about data protection on the European Commission Justice website: http://ec.europa.eu/justice/dataorotection/data-collection/data-transfer/index_en.htm
How long we keep personal information for
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance applicable laws and regulations.
Data protection laws grant you, as a Data Subject, certain ‘information rights’, which are summarised below:
Right of access – You have the right to obtain a copy of information we hold about you.
Right of rectification or erasure – If you feel that any data that we hold about you is inaccurate, you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data. Please note that we may be entitled to retain your personal data despite your request, for example if we are under a separate legal obligation to retain it. Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will take all reasonable steps to inform those with whom we have shared their data about your request for erasure.
Right to restriction of processing – You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we do not need to hold your data any longer but you need us to in order to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
Right to Portability – You have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request.
Right to Object – You have a right to object to our processing your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing and profiling.
Right to Withdraw Consent – You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.
Right of Complaint – You also have the right to lodge a complaint about any aspect of how we are handling your data with the UK Information Commissioner’s Office, which can be contacted at www.ico.org.uk.
Marketing Communications – To stop receiving marketing (such as email, postal or telemarketing), then please contact us using the contact us details below.
IP addresses and cookies
We may collect information about your computer including, where available, your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive.
You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of the Site.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any queries or you wish to speak to us about how your information will be used, then please contact us at:
Tel: 020 7553 8300
Postal Address: DPR Group, International House, 1 St Katharine’s Way, London E1W 1UN.