Privacy Policy | McCann Bristol

DATA PRIVACY POLICY (UK & EU OFFICES)

This policy sets out the personal information that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.

Please also refer to our Data Privacy Charter.

1.Types of personal information we collect

As part of our recruitment process we may use a 3^rd party to obtain information about applicants such as a pre-employment screening service or the DBS (Disclosure Barring Service) where appropriate.

In the course of your employment, we may process personal information about you and your relatives or other individuals whose personal information has been provided to us. For example, emergency contacts or names on your expression of wish form for life assurance purposes.

The types of personal information we may process routinely include any of the following:

Employees:

Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality.
Family household composition: civil status (married, divorced, widow(er); number of children.
Contact details: address; telephone number (fixed and mobile); email address; emergency contact information.
Employment details: job title; company name; grade; geographic location; employee performance and evaluation data; employee discipline information; information regarding previous roles and employment; employee benefits information; leave/absence requests.
National identifiers: national ID/passport number; tax ID; government identification number; driver's license; visa or immigration status.
Academic and professional qualifications: degrees; titles, skills; language proficiency; training information; employment history; CV/résumé.
Financial data: bank account number; bank details; salary and compensation data; bonuses; pension qualification information; payroll data.
IT related data: computer ID; user ID and password; domain name; IP address; log files; software and hardware inventory; software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes).
Lifestyle: hobbies; social activities; holiday preferences.
Identification data: name; age; date of birth; place of birth.
Contact details: home address; telephone number (including mobile telephone number); email address.
Professional details: job title; employer; work address; email address; telephone number (including mobile telephone number).
Employees with authorised access and on a need-to-know basis only (including direct managers, senior management, office management and HR teams)
Other employee representatives (including for any disciplinary proceedings), subject to the employee's right to consent or to object to it
McCann/McCann World Group and IPG group entities
Third party service providers appointed by and acting on behalf of McCann/McCann World Group or IPG
Business associates and other professional advisers
The recipient's legal department
Any person or organisation to whom the recipient may be required by applicable law or regulation to disclose personal information, including law enforcement authorities, central and local government

Relatives:

Identification data: name; age; date of birth; place of birth.
Contact details: home address; telephone number (including mobile telephone number); email address.
Professional details: job title; employer; work address; email address; telephone number (including mobile telephone number).

Employee Applicants:

Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality.
Contact details: address; telephone number (fixed and mobile); email address.
Employment details: employment history; current job; company name; grade; geographic location.
Academic and professional qualifications: degrees; titles; skills; language proficiency; training information.

If you are an independent contractor, intern or temporary worker, the type of personal information we process is limited to that needed to manage your particular work assignment.

Sensitive personal information may include any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, ("Sensitive Personal Information"). As a general rule, we try not to collect or process any Sensitive Personal Information about you, unless authorised by law or where necessary to comply with applicable laws.

We may also, in some circumstances, need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Information for legitimate employment-related purposes:

Race and ethnicity may appear indirectly on photos and other information available on passports and national IDs, which are necessary to comply with local immigration laws and for employee travel management. However, race/ethnicity are not processed purposefully in Europe with the exception of where we are tracking to measure the effectiveness of our diversity efforts.
Trade union membership may be collected but only where permitted and for the purposes defined under national privacy law.

In such circumstances we shall ensure that such Sensitive Personal Information is collected and processed in accordance with all applicable laws.

2. Purposes for processing personal information

For the processing of anypersonal data to be legal, there has to be a satisfactory reason for that processing to take place. These reasons are specified by law and include:

We are processing your data for the performance of a contract:
Processing is necessary to comply with a legal obligation:
The processing is necessary for us to pursue our legitimate interests as an employer:

for example, we process your bank details so that we can pay your salary, as agreed under the employment contract between you and us.
for example, we are obliged to make national insurance and tax payments on your behalf, so we need your national insurance and tax reference numbers for this.
for example, we may track diversity measurements to ensure that we achieve our diversity ambitions, to do this we may need to record and process certain of your characteristics.

The HR team will review each processing activity to establish the lawful basis of processing. We will only process your personal data where we can do so based on one of these three reasons.

We may process your personal information for the following purposes:

Employees:

the management of employment-related activities including but not limited to: employment records; payroll; administrative and managerial tasks; time-tracking; compensation; equity-related awards; healthcare and other benefit administration; employee traveling, expense tracking and reimbursement; appointments or removals; disciplinary matters; ensuring compliance with Group and company policies; working time management; determining and reviewing salaries; employee career development (including superannuation, employee evaluations); talent management; compliance with applicable legal and other requirements; management reporting and analysis; enabling internal contacts and communication; providing training and learning services; providing IT support to Employees; management and maintenance of the functioning and security of the IT systems and network; social activities and personnel representation.

Relatives:

Management of healthcare and other benefits for relatives of employees; providing social and cultural programs and activities to relatives of employees; storing emergency contact details.

Employee Applicants:

Management of internal and external hiring process across the different group entities; selecting and scheduling meetings with potential new hires; communicating with employee applicants.

3. Who we share your personal information with

We may share your personal information with the following recipients or categories of recipients:

4. Monitoring

The Company may engage in the monitoring of electronic messages and files processed by the Company’s Electronic Services for business purposes. This monitoring may consist of (but is not exclusive to):

Establishing evidence of the Company’s financial transactions,
Gaining routine access to the Company’s business communications,
Ensuring compliance with regulatory or self-regulatory rules or guidance,
Maintaining the effective operation of the Company’s systems and procedures (for example, so as to detect and prevent the spread of malicious code),
Ensuring that the Company’s standards of service are maintained and determining where employees may need further training, and
combating crime and investigating or detecting unauthorised use of the Company’s telephone, e-mail and Internet systems and procedure.

If the Company suspects that its electronic facilities are being abused or used inappropriately it may monitor anyone at any time. This may include opening any e-mails or messages sent or received, or content posted, to assess their content.

Please see the IT & Digital Acceptable Use & User Responsibilities policy for further information (SP & P 662).

5. Transfer of personal information abroad

As we operate on a global level, we may need to transfer personal information to countries other than the ones in which the information was originally collected. When we export your personal information to a different country, we will take steps to ensure that such data exports comply with applicable laws. IPG has in place a group wide EU data transfer agreement regulating how data exports are handled, this agreement includes EU standard contractual clauses for transfers of personal information from the European Economic Area to a country outside it, such as the United States.

6. Data retention periods

Personal information will be stored in accordance with applicable laws and kept as long as required in order to carry out the relevant purposes or as otherwise required by applicable law. For specific retention periods please refer to Appendix A (page 6 of this policy document).

7. Your data privacy rights

In the European Economic Area, you have certain rights under data protection laws which include the right: (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure if your personal information is inaccurate, no longer necessary in relation to the purposes for which it was collected, or is being unlawfully processed; (iii) to restrict or object to the processing of your personal information; and (iv) if applicable, to portability of your personal information.

To make such a request please contact Lisa Pemberton, see contact details below. We will consider and act upon any such requests in accordance with applicable data protection laws.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal, and our collection and use of employee personal data is generally not based on consent but some other basis as permitted by law.

8. Updates to this Information

This information may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you via email updates and or staff intranet, and indicate in the information when it was most recently updated. We encourage you to check periodically in order to be aware of the most recent version of this information.

9. Questions and Concerns

You can address any questions or concerns relating to this or our privacy practices to the contact details below.

You also have a right to lodge a complaint with your local data protection authority (DPA). We will cooperate with the relevant DPA in investigations and resolutions of complaints relating to this information, and will seek to comply in good faith with the advice of these authorities, including any remedial measures they advise

10. Contact details

Please address any questions or requests relating to this policy to lisa.pemberton@mccann.com or alternatively, you can raise any concerns with your manager, local HR team, local GDPR Champion or IPG’s Data Protection Officer (DPO).

A list of our current DPO and their contact details can be accessed here

Lisa Pemberton HR GDPR Champion
T: 0121 713 379
E: lisa.pemberton@mccann.com

Anil Mangal: IT GDPR Champion
T: 0121 713 394
M: 07900 138 05
E: Anil.Mangal@mccann.com

Karen McCoy: Recruitment GDPR Champion
T: +44 713 387
M: +44 775703008
E: karen.mccoy@mccann.com

Dr Deborah Prince: Data Protection Officer (IPG)
T: +44 207 961 248
M: +44 777308053
P: 7-11 Herbrand Street, London, WC1N 1E
E: deborah.prince@interpublic.com

APPENDIX

Retention Periods for Personal Data (subject to ongoing review)

TALENT ATTRACTION & ACQUISITION

TYPES OF PERSONAL DATA	RETENTION PERIOD
Speculative Applications (i.e. CVs, Cover Letters, References, etc.)	12 months from submission + rolling consent
Applications for Job Posting or Direct Approach (i.e. CVs, Cover Letters, References, etc.)	12 months from completion of recruitment + rolling consent
Applications from Recruitment Agents/ Third Party Vendors (i.e. CVs, Candidate profile summary, References, etc.)	12 months from completion of recruitment + rolling consent
Job Descriptions	Perpetuity
Interview Notes	12 months from completion of recruitment
Ability Tests	12 months from completion of recruitment
Internships and Apprenticeships	12 months from completion of recruitment
Job Offer and Contract of Employment	12 months from non-acceptance
Visa Application and Immigration Specialists	12 months from non-acceptance

ONBOARDING & INDUCTION

TYPES OF PERSONAL DATA	RETENTION PERIOD
Personal details (i.e. Name, Personal Contact Details, NINO, Home Address, DOB/Age, Gender, Bank Account, Dependent Personal Detail, Emergency Contact Personal Details, Diversity Questionnaires, etc.)	Refer to Active Refresh During Employment and Offboarding
Employment References	Refer to Active Refresh During Employment and Offboarding
Signed Policies & Procedures	Refer to Active Refresh During Employment and Offboarding
Beneficiary Information	Refer to Active Refresh During Employment and Offboarding
Emergency Contact Details	Refer to Active Refresh During Employment and Offboarding
Right to Work: Passport and Visa, Visa Entry and Exit Stamps	Refer to Active Refresh During Employment and Offboarding

PAYROLL ADMINISTRATION

TYPES OF PERSONAL DATA	RETENTION PERIOD
HRLink	Refer to Active Refresh During Employment and Offboarding
ADP/Sage	End of Tax Year + 6 years.
Online Payslips, P45s, P60s, P11Ds and all other tax return documentation	End of Tax Year + 6 years.
HMRC Requests and Notifications	End of Tax Year + 6 years.
Financial References	Refer to Active Refresh During Employment and Offboarding

BENFITS & PENSION ADMINISTRATION

TYPES OF PERSONAL DATA	RETENTION PERIOD
Pension: Auto-Enrolment and Private Plans	End of Tax Year of departure + 6 years
Independent Financial Advice	End of Tax Year of departure + 1 year
ChildCare Vouchers: Enrolment, Queries and Leavers	End of Tax Year of departure + 6 year
Medical Insurance: Enrolment, Queries and Leavers	End of Tax Year of departure + 6 years
Leisure Travel Insurance: Enrolment, Queries and Leavers	End of Tax Year of departure + 6 years
Permanent Health Insurance, Life Insurance and Critical Insurance	End of Tax Year of departure + 6 years
Permanent Health Insurance: Claims, Processing and Requests	End of Tax Year of departure + 6 years
Cycle to Work Scheme: Application and Repayment	End of Tax Year of departure + 6 year
Payroll Giving: Application and Repayment	End of Tax Year of departure + 6 year

TIME & ATTENDANCE

TYPES OF PERSONAL DATA	RETENTION PERIOD
Holiday and Absence Management System	Refer to Active Refresh During Employment and Offboarding
Client Profitability	Refer to Active Refresh During Employment and Offboarding
Rate Card	Refer to Active Refresh During Employment and Offboarding
Family Need Leave: Maternity, Paternity, Parental and Adoption Leave	Refer to Active Refresh During Employment and Offboarding
Sickness Absence Management: Fit Notes, Self-Certifications, Doctor’s Letter and Occupational Assessment	Refer to Active Refresh During Employment and Offboarding
Personal Assistant Emails and/or Files	No retention.

EMPLOYEE MONITORING

TYPES OF PERSONAL DATA	RETENTION PERIOD
Entry Systems	No Retention of Security Pass post-employment. Not routinely monitored but may be accessed
CCTV	Server Room recorder set to overwrite every 30 days. Not routinely monitored but may be accessed
Email	No Retention. Not routinely monitored but may be accessed
Internet	No Retention. Not routinely monitored but may be accessed

EMPLOYEE PERFORMANCE MANAGEMENT

TYPES OF PERSONAL DATA	RETENTION PERIOD
Manager Communications: Coaching & Mentoring, Annual Performance Reviews & Performance Correspondence, Disciplinary Correspondence, Grievance Correspondence, Settlement Agreement and Termination Details.	Refer to Active Refresh During Employment and Offboarding
Annual Performance Reviews (incl. 360 feedback)	Refer to Active Refresh During Employment and Offboarding
Performance Improvement Plans	Refer to Active Refresh During Employment and Offboarding
Disciplinary Correspondence	Refer to Active Refresh During Employment and Offboarding
Grievance Correspondence	Refer to Active Refresh During Employment and Offboarding
Feedback Using an eSurvey	Refer to Active Refresh During Employment and Offboarding

LEARNING & DEVELOPMENT

TYPES OF PERSONAL DATA	RETENTION PERIOD
Assessing Training Needs	Refer to Active Refresh During Employment and Offboarding
Development Activities	Refer to Active Refresh During Employment and Offboarding
Obtaining Training Feedback	Refer to Active Refresh During Employment and Offboarding

ACTIVE REFRESH DURING EMPLOYMENT

TYPES OF PERSONAL DATA	RETENTION PERIOD
Current Address, Personal Mobile and Landline Phone No., Email Addresses and Bank Account Details Current Dependent, Emergency and Beneficiary Personal Details HRLink Employee ID, Title, Marital Status, Name and Preferred Name, DOB/Age, Gender, National Insurance No. and Diversity Data Contract of Employment and Amendment to Contract Letters Salary Increment Letters and Salary Sacrifice Letters Bonus and Incentive Plan Details and Confirmations CV, Interview Notes, Recruiter Profile, Ability Tests, Certificates, Diplomas & Degree Documentation and Employment References Benefit & Pension Administration, Documentation and Correspondence Passport and Visa documentation * Skills and Experience (Entered by Employee Self-Service)	Retained for the Perpetuity of Employment * All Migrant application data and supporting documentation should be retained where Company Sponsorship has occurred
Payroll Administration and Backup Documentation (Joiners P45, Starter Declaration Form) Grievance and Disciplinary - Correspondence and Documentation Performance Reviews and 360 Feedback Data, Performance Improvement Plans - Documentation and Correspondence Learning and Development – Records, Documentation and Correspondence * Holiday and Absence records – Absence Management Systems, Timesheets, Family Need Leave, Sickness Absence and discretional leave General Correspondence - References, Letters and Emails and Signed Policies and Procedures	Current Year + 6 Years of Historical Data *HRLink training records are retained for 7 years to comply with SOX compliance
Historical Address, Personal Mobile and Landline Phone No., Email Addresses, and Bank Account Details Historical Dependent, Emergency and Beneficiary Personal Details	No Retention During the Course of Employment

TYPES OF PERSONAL DATA

RETENTION PERIOD

Current Address, Personal Mobile and Landline Phone No., Email Addresses and Bank Account Details
Current Dependent, Emergency and Beneficiary Personal Details
HRLink Employee ID, Title, Marital Status, Name and Preferred Name, DOB/Age, Gender, National Insurance No. and Diversity Data
Contract of Employment and Amendment to Contract Letters
Salary Increment Letters and Salary Sacrifice Letters
Bonus and Incentive Plan Details and Confirmations
CV, Interview Notes, Recruiter Profile, Ability Tests, Certificates, Diplomas & Degree Documentation and Employment References
Benefit & Pension Administration, Documentation and Correspondence
Passport and Visa documentation *
Skills and Experience (Entered by Employee Self-Service)

Retained for the Perpetuity of Employment

* All Migrant application data and supporting documentation should be retained where Company Sponsorship has occurred

Payroll Administration and Backup Documentation (Joiners P45, Starter Declaration Form)
Grievance and Disciplinary - Correspondence and Documentation
Performance Reviews and 360 Feedback Data, Performance Improvement Plans - Documentation and Correspondence
Learning and Development – Records, Documentation and Correspondence *
Holiday and Absence records – Absence Management Systems, Timesheets, Family Need Leave, Sickness Absence and discretional leave
General Correspondence - References, Letters and Emails and Signed Policies and Procedures

Current Year + 6 Years of Historical Data

*HRLink training records are retained for 7 years to comply with SOX compliance

Historical Address, Personal Mobile and Landline Phone No., Email Addresses, and Bank Account Details
Historical Dependent, Emergency and Beneficiary Personal Details

No Retention During the Course of Employment

OFFBOARDING

TYPES OF PERSONAL DATA	RETENTION PERIOD
Archived Employee File: Level 1 HRLink Employee ID, Title, Marital Status, Name and Preferred Name, DOB/Age, Gender, National Insurance No. Last Personal Mobile and Email Address Contract of Employment and Amendment to Contract Letters Salary Increment Letters and Salary Sacrifice Letters Bonus and Incentive Plan Details and Confirmations Payroll Administration and Backup Documentation (Joiners P45, Starter Declaration Form, etc.) Benefit Documentation and Correspondence Resignation Letter, Leaver Letter, Termination Letter, Severance Template and Agreements & Copy Issued of P45 Benefit Documentation and Correspondence Grievance and Disciplinary - Correspondence and Documentation Performance Reviews and 360 Feedback Data, Performance Improvement Plans - Documentation and Correspondence CV, Interview Notes, Recruiter Profile, Ability Tests and Employment References Learning and Development – Records, Documentation and Correspondence Holiday and Absence records – Absence Management Systems, Timesheets, Family Need Leave, Sickness Absence and Discretional Leave Signed Policies and Procedures Exit Interview, Internal and External Leavers Communications	End of Tax Year of departure + 6 Tax Years
Archived Employee File: Level 2 Last Address, Landline Phone No. and Bank Account Details General Correspondence - References, Letters and Emails Independent Financial Advice and Correspondence Corporate AMEX Card details Skills and Experience (Entered by Employee Self-Service) Passport and Visa documentation * Employee Biographies**	End of Tax Year of departure + 1 Tax Year * Perpetuity of ICT Visa or End of Tax Year of departure + 2 years only. ** Retained for End of Tax Year of departure + 2 years
Archived Employee File: Level 3 Last Dependent, Emergency and Beneficiary Personal Details	End of departure month
Employment Reference – employer issued post departure	End of Tax Year of departure + 1 year