DATA PRIVACY POLICY (UK & EU OFFICES)

This policy sets out the personal information that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.

Please also refer to our Data Privacy Charter.

1. Types of personal information we collect

As part of our recruitment process we may use a 3rd party to obtain information about applicants such as a pre-employment screening service or the DBS (Disclosure Barring Service) where appropriate.

In the course of your employment, we may process personal information about you and your relatives or other individuals whose personal information has been provided to us. For example, emergency contacts or names on your expression of wish form for life assurance purposes.

The types of personal information we may process routinely include any of the following:

Employees:

  • Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality.
  • Family household composition: civil status (married, divorced, widow(er)); number of children.
  • Contact details: address; telephone number (fixed and mobile); email address; emergency contact information.
  • Employment details: job title; company name; grade; geographic location; employee performance and evaluation data; employee discipline information; information regarding previous roles and employment; employee benefits information; leave/absence requests.
  • National identifiers: national ID/passport number; tax ID; government identification number; driver's license; visa or immigration status.
  • Academic and professional qualifications: degrees; titles, skills; language proficiency; training information; employment history; CV/résumé.
  • Financial data: bank account number; bank details; salary and compensation data; bonuses; pension qualification information; payroll data.
  • IT related data: computer ID; user ID and password; domain name; IP address; log files; software and hardware inventory; software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes).
  • Lifestyle: hobbies; social activities; holiday preferences.

Relatives:

  • Identification data: name; age; date of birth; place of birth.
  • Contact details: home address; telephone number (including mobile telephone number); email address.
  • Professional details: job title; employer; work address; email address; telephone number (including mobile telephone number).

Employee Applicants:

  • Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality.
  • Contact details: address; telephone number (fixed and mobile); email address.
  • Employment details: employment history; current job; company name; grade; geographic location.
  • Academic and professional qualifications: degrees; titles; skills; language proficiency; training information.

If you are an independent contractor, intern or temporary worker, the type of personal information we process is limited to that needed to manage your particular work assignment.

Sensitive personal information may include any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs ("Sensitive Personal Information"). As a general rule, we try not to collect or process any Sensitive Personal Information about you, unless authorised by law or where necessary to comply with applicable laws.

We may also, in some circumstances, need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Information for legitimate employment-related purposes:

  • Race and ethnicity may appear indirectly on photos and other information available on passports and national IDs, which are necessary to comply with local immigration laws and for employee travel management. However, race/ethnicity are not processed purposefully in Europe with the exception of where we are tracking to measure the effectiveness of our diversity efforts.
  • Trade union membership may be collected but only where permitted and for the purposes defined under national privacy law.

In such circumstances we shall ensure that such Sensitive Personal Information is collected and processed in accordance with all applicable laws.

2. Purposes for processing personal information

For the processing of any personal data to be legal, there has to be a satisfactory reason for that processing to take place. These reasons are specified by law and include:

  • We are processing your data for the performance of a contract: for example, we process your bank details so that we can pay your salary, as agreed under the employment contract between you and us.
  • Processing is necessary to comply with a legal obligation: for example, we are obliged to make national insurance and tax payments on your behalf, so we need your national insurance and tax reference numbers for this.
  • The processing is necessary for us to pursue our legitimate interests as an employer: for example, we may track diversity measurements to ensure that we achieve our diversity ambitions; to do this we may need to record and process certain of your characteristics.

The HR team will review each processing activity to establish the lawful basis of processing. We will only process your personal data where we can do so based on one of these three reasons.

We may process your personal information for the following purposes:

Employees:

  • the management of employment-related activities including but not limited to: employment records; payroll; administrative and managerial tasks; time-tracking; compensation; equity-related awards; healthcare and other benefit administration; employee traveling, expense tracking and reimbursement; appointments or removals; disciplinary matters; ensuring compliance with Group and company policies; working time management; determining and reviewing salaries; employee career development (including superannuation, employee evaluations); talent management; compliance with applicable legal and other requirements; management reporting and analysis; enabling internal contacts and communication; providing training and learning services; providing IT support to Employees; management and maintenance of the functioning and security of the IT systems and network; social activities and personnel representation.

Relatives:

  • Management of healthcare and other benefits for relatives of employees; providing social and cultural programs and activities to relatives of employees; storing emergency contact details.

Employee Applicants:

  • Management of internal and external hiring process across the different group entities; selecting and scheduling meetings with potential new hires; communicating with employee applicants.

3. Who we share your personal information with

We may share your personal information with the following recipients or categories of recipients:

  • Employees with authorised access and on a need-to-know basis only (including direct managers, senior management, office management and HR teams)
  • Other employee representatives (including for any disciplinary proceedings), subject to the employee's right to consent or to object to it
  • McCann/McCann World Group and IPG group entities
  • Third party service providers appointed by and acting on behalf of McCann/McCann World Group or IPG
  • Business associates and other professional advisers
  • The recipient's legal department
  • Any person or organisation to whom the recipient may be required by applicable law or regulation to disclose personal information, including law enforcement authorities, central and local government

4. Monitoring

The Company may engage in the monitoring of electronic messages and files processed by the Company’s Electronic Services for business purposes. This monitoring may consist of (but is not exclusive to):

  • Establishing evidence of the Company’s financial transactions,
  • Gaining routine access to the Company’s business communications,
  • Ensuring compliance with regulatory or self-regulatory rules or guidance,
  • Maintaining the effective operation of the Company’s systems and procedures (for example, so as to detect and prevent the spread of malicious code),
  • Ensuring that the Company’s standards of service are maintained and determining where employees may need further training, and
  • Combating crime and investigating or detecting unauthorised use of the Company’s telephone, e-mail and Internet systems and procedure.

If the Company suspects that its electronic facilities are being abused or used inappropriately it may monitor anyone at any time. This may include opening any e-mails or messages sent or received, or content posted, to assess their content.

Please see the IT & Digital Acceptable Use & User Responsibilities policy for further information (SP & P 662).

5. Transfer of personal information abroad

As we operate on a global level, we may need to transfer personal information to countries other than the ones in which the information was originally collected. When we export your personal information to a different country, we will take steps to ensure that such data exports comply with applicable laws. IPG has in place a group-wide EU data transfer agreement regulating how data exports are handled; this agreement includes EU standard contractual clauses for transfers of personal information from the European Economic Area to a country outside it, such as the United States.

6. Data retention periods

Personal information will be stored in accordance with applicable laws and kept as long as required in order to carry out the relevant purposes or as otherwise required by applicable law. For specific retention periods please refer to Appendix A (page 6 of this policy document).

7. Your data privacy rights

In the European Economic Area, you have certain rights under data protection laws which include the right: (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure if your personal information is inaccurate, no longer necessary in relation to the purposes for which it was collected, or is being unlawfully processed; (iii) to restrict or object to the processing of your personal information; and (iv) if applicable, to portability of your personal information.

To make such a request please contact Lisa Pemberton, see contact details below. We will consider and act upon any such requests in accordance with applicable data protection laws.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal, and our collection and use of employee personal data is generally not based on consent but some other basis as permitted by law.

8. Updates to this Information

This information may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you via email updates and/or the staff intranet, and indicate in the information when it was most recently updated. We encourage you to check periodically in order to be aware of the most recent version of this information.

9. Questions and Concerns

You can address any questions or concerns relating to this or our privacy practices to the contact details below.

You also have a right to lodge a complaint with your local data protection authority (DPA). We will cooperate with the relevant DPA in investigations and resolutions of complaints relating to this information, and will seek to comply in good faith with the advice of these authorities, including any remedial measures they advise.

10. Contact details

Please address any questions or requests relating to this policy to lisa.pemberton@mccann.com or alternatively, you can raise any concerns with your manager, local HR team, local GDPR Champion or IPG’s Data Protection Officer (DPO).

A list of our current DPO and their contact details can be accessed here

Lisa Pemberton: HR GDPR Champion
T: 0121 713 379
E: lisa.pemberton@mccann.com

Anil Mangal: IT GDPR Champion
T: 0121 713 394
M: 07900 138 05
E: Anil.Mangal@mccann.com

Karen McCoy: Recruitment GDPR Champion
T: +44 713 387
M: +44 775703008
E: karen.mccoy@mccann.com

Dr Deborah Prince: Data Protection Officer (IPG)
T: +44 207 961 248
M: +44 777308053
P: 7-11 Herbrand Street, London, WC1N 1E
E: deborah.prince@interpublic.com

APPENDIX

Retention Periods for Personal Data (subject to ongoing review)

TALENT ATTRACTION & ACQUISITION

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Speculative Applications (i.e. CVs, Cover Letters, References, etc.) | 12 months from submission + rolling consent |
| Applications for Job Posting or Direct Approach (i.e. CVs, Cover Letters, References, etc.) | 12 months from completion of recruitment + rolling consent |
| Applications from Recruitment Agents/Third Party Vendors (i.e. CVs, Candidate profile summary, References, etc.) | 12 months from completion of recruitment + rolling consent |
| Job Descriptions | Perpetuity |
| Interview Notes | 12 months from completion of recruitment |
| Ability Tests | 12 months from completion of recruitment |
| Internships and Apprenticeships | 12 months from completion of recruitment |
| Job Offer and Contract of Employment | 12 months from non-acceptance |
| Visa Application and Immigration Specialists | 12 months from non-acceptance |

ONBOARDING & INDUCTION

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Personal details (i.e. Name, Personal Contact Details, NINO, Home Address, DOB/Age, Gender, Bank Account, Dependent Personal Detail, Emergency Contact Personal Details, Diversity Questionnaires, etc.) | Refer to Active Refresh During Employment and Offboarding |
| Employment References | Refer to Active Refresh During Employment and Offboarding |
| Signed Policies & Procedures | Refer to Active Refresh During Employment and Offboarding |
| Beneficiary Information | Refer to Active Refresh During Employment and Offboarding |
| Emergency Contact Details | Refer to Active Refresh During Employment and Offboarding |
| Right to Work: Passport and Visa, Visa Entry and Exit Stamps | Refer to Active Refresh During Employment and Offboarding |

PAYROLL ADMINISTRATION

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| HRLink | Refer to Active Refresh During Employment and Offboarding |
| ADP/Sage | End of Tax Year + 6 years. |
| Online Payslips, P45s, P60s, P11Ds and all other tax return documentation | End of Tax Year + 6 years. |
| HMRC Requests and Notifications | End of Tax Year + 6 years. |
| Financial References | Refer to Active Refresh During Employment and Offboarding |

BENEFITS & PENSION ADMINISTRATION

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Pension: Auto-Enrolment and Private Plans | End of Tax Year of departure + 6 years |
| Independent Financial Advice | End of Tax Year of departure + 1 year |
| ChildCare Vouchers: Enrolment, Queries and Leavers | End of Tax Year of departure + 6 years |
| Medical Insurance: Enrolment, Queries and Leavers | End of Tax Year of departure + 6 years |
| Leisure Travel Insurance: Enrolment, Queries and Leavers | End of Tax Year of departure + 6 years |
| Permanent Health Insurance, Life Insurance and Critical Insurance | End of Tax Year of departure + 6 years |
| Permanent Health Insurance: Claims, Processing and Requests | End of Tax Year of departure + 6 years |
| Cycle to Work Scheme: Application and Repayment | End of Tax Year of departure + 6 years |
| Payroll Giving: Application and Repayment | End of Tax Year of departure + 6 years |

TIME & ATTENDANCE

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Holiday and Absence Management System | Refer to Active Refresh During Employment and Offboarding |
| Client Profitability | Refer to Active Refresh During Employment and Offboarding |
| Rate Card | Refer to Active Refresh During Employment and Offboarding |
| Family Need Leave: Maternity, Paternity, Parental and Adoption Leave | Refer to Active Refresh During Employment and Offboarding |
| Sickness Absence Management: Fit Notes, Self-Certifications, Doctor’s Letter and Occupational Assessment | Refer to Active Refresh During Employment and Offboarding |
| Personal Assistant Emails and/or Files | No retention. |

EMPLOYEE MONITORING

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Entry Systems | No Retention of Security Pass post-employment. Not routinely monitored but may be accessed |
| CCTV | Server Room recorder set to overwrite every 30 days. Not routinely monitored but may be accessed |
| Email | No Retention. Not routinely monitored but may be accessed |
| Internet | No Retention. Not routinely monitored but may be accessed |

EMPLOYEE PERFORMANCE MANAGEMENT

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Manager Communications: Coaching & Mentoring, Annual Performance Reviews & Performance Correspondence, Disciplinary Correspondence, Grievance Correspondence, Settlement Agreement and Termination Details. | Refer to Active Refresh During Employment and Offboarding |
| Annual Performance Reviews (incl. 360 feedback) | Refer to Active Refresh During Employment and Offboarding |
| Performance Improvement Plans | Refer to Active Refresh During Employment and Offboarding |
| Disciplinary Correspondence | Refer to Active Refresh During Employment and Offboarding |
| Grievance Correspondence | Refer to Active Refresh During Employment and Offboarding |
| Feedback Using an eSurvey | Refer to Active Refresh During Employment and Offboarding |

LEARNING & DEVELOPMENT

| TYPES OF PERSONAL DATA | RETENTION PERIOD |
| --- | --- |
| Assessing Training Needs | Refer to Active Refresh During Employment and Offboarding |
| Development Activities | Refer to Active Refresh During Employment and Offboarding |
| Obtaining Training Feedback | Refer to Active Refresh During Employment and Offboarding |

ACTIVE REFRESH DURING EMPLOYMENT

Types of personal data:

  • Current Address, Personal Mobile and Landline Phone No., Email Addresses and Bank Account Details
  • Current Dependent, Emergency and Beneficiary Personal Details
  • HRLink Employee ID, Title, Marital Status, Name and Preferred Name, DOB/Age, Gender, National Insurance No. and Diversity Data
  • Contract of Employment and Amendment to Contract Letters
  • Salary Increment Letters and Salary Sacrifice Letters
  • Bonus and Incentive Plan Details and Confirmations
  • CV, Interview Notes, Recruiter Profile, Ability Tests, Certificates, Diplomas & Degree Documentation and Employment References
  • Benefit & Pension Administration, Documentation and Correspondence
  • Passport and Visa documentation *
  • Skills and Experience (Entered by Employee Self-Service)

Retention period: Retained for the Perpetuity of Employment

* All Migrant application data and supporting documentation should be retained where Company Sponsorship has occurred

Types of personal data:

  • Payroll Administration and Backup Documentation (Joiners P45, Starter Declaration Form)
  • Grievance and Disciplinary - Correspondence and Documentation
  • Performance Reviews and 360 Feedback Data, Performance Improvement Plans - Documentation and Correspondence
  • Learning and Development – Records, Documentation and Correspondence *
  • Holiday and Absence records – Absence Management Systems, Timesheets, Family Need Leave, Sickness Absence and discretional leave
  • General Correspondence - References, Letters and Emails and Signed Policies and Procedures

Retention period: Current Year + 6 Years of Historical Data

* HRLink training records are retained for 7 years to comply with SOX

Types of personal data:

  • Historical Address, Personal Mobile and Landline Phone No., Email Addresses, and Bank Account Details
  • Historical Dependent, Emergency and Beneficiary Personal Details

Retention period: No Retention During the Course of Employment

OFFBOARDING

Archived Employee File: Level 1

Types of personal data:

  • HRLink Employee ID, Title, Marital Status, Name and Preferred Name, DOB/Age, Gender, National Insurance No.
  • Last Personal Mobile and Email Address
  • Contract of Employment and Amendment to Contract Letters
  • Salary Increment Letters and Salary Sacrifice Letters
  • Bonus and Incentive Plan Details and Confirmations
  • Payroll Administration and Backup Documentation (Joiners P45, Starter Declaration Form, etc.)
  • Benefit Documentation and Correspondence
  • Resignation Letter, Leaver Letter, Termination Letter, Severance Template and Agreements & Copy Issued of P45
  • Grievance and Disciplinary - Correspondence and Documentation
  • Performance Reviews and 360 Feedback Data, Performance Improvement Plans - Documentation and Correspondence
  • CV, Interview Notes, Recruiter Profile, Ability Tests and Employment References
  • Learning and Development – Records, Documentation and Correspondence
  • Holiday and Absence records – Absence Management Systems, Timesheets, Family Need Leave, Sickness Absence and Discretional Leave
  • Signed Policies and Procedures
  • Exit Interview, Internal and External Leavers Communications

Retention period: End of Tax Year of departure + 6 Tax Years

Archived Employee File: Level 2

Types of personal data:

  • Last Address, Landline Phone No. and Bank Account Details
  • General Correspondence - References, Letters and Emails
  • Independent Financial Advice and Correspondence
  • Corporate AMEX Card details
  • Skills and Experience (Entered by Employee Self-Service)
  • Passport and Visa documentation *
  • Employee Biographies **

Retention period: End of Tax Year of departure + 1 Tax Year

* Perpetuity of ICT Visa or End of Tax Year of departure + 2 years only.

** Retained for End of Tax Year of departure + 2 years

Archived Employee File: Level 3

Types of personal data:

  • Last Dependent, Emergency and Beneficiary Personal Details

Retention period: End of departure month

Employment Reference – employer issued post departure

Retention period: End of Tax Year of departure + 1 year