Privacy Policy Contents

  • 1. Introduction

    This is the privacy policy or ‘privacy notice’ of Payzone Bill Payments Limited ("Payzone", "us" or "we"), which applies to all personal data we process, relating only to our employees and prospective employees (including temporary workers) and certain contractors or consultants.  This policy does not apply to personal data we may obtain relating to any such person which is obtained other than in connection with their employment or engagement by Payzone, such as personal data obtained through their use of our website (which are covered by a separate privacy policy). This policy also does not apply to personal data relating to others, such as the public and merchants (which are covered by a separate privacy policy).

    When we refer to personal data (or personal information) in this policy, this means any information about an individual from which that person can be identified.

    This privacy policy governs the collection and use of personal information by Payzone.  This includes any personal data you may provide as part of any contract you enter into with us, any personal data you provide (or is available to us) through your use of Payzone’s website and which we may obtain from other sources.

    We are committed to protecting and respecting your privacy. This privacy policy explains the types of personal information we collect, how we use that information, who we share it with, how we protect that information, and your legal rights in relation to your information.

    It is important that you read this privacy policy together with any other privacy notice (or ‘fair processing’ notice) we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy policy supplements any such other notices and is not intended to override them.

    This version of the privacy policy is effective as of 1st August 2018.

  • 2. Who we are

    For the purpose of applicable data protection laws, the data controller is Payzone Bill Payments Limited whose registered office is Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.  For more information about Payzone please see: www.payzone.co.uk.

    We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the Data Protection Officer using the contact details set out at the bottom of this policy.

  • 3. Keeping your information up to date

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes at any time, either by contacting our Customer Services teams, or by contacting the Data Protection Officer using the contact details set out at the bottom of this policy.

  • 4. Changes to this policy

    We reserve the right to amend this privacy policy at our sole discretion, without prior notice to you. We will notify you of any such changes (including when they will take effect) but this does not affect your rights set out in section 12 below.

  • 5. Information covered by this policy

    This policy covers all personal information collected and used by Payzone. In this policy "personal information" means information that (either in isolation or in combination with other information held by us) enables you to be identified as an individual or recognised directly or indirectly. This may include your name, title, date of birth, gender, postal address, email address, telephone number, bank account details or identification documents. In this policy, we may refer to any of this as ‘personal information’ or ‘personal data’

    The different types of data we may collect are referred to below.  We use these terms elsewhere in this policy to cover the information referred to:

    • Identity Data – which may include first name, surname, any applicable maiden name, title and date of birth.
    • Contact Data – which may include home address, email address and telephone numbers.
    • Contractual Data – which may include details about your contract of employment or engagement with us and/or any offer of employment or engagement with us.
    • Financial Data – which may include bank account details and details of your salary.
    • Sensitive Data – which may include details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, trade union membership and information about your health or medical history.
  • 6. Collection of personal information

    We may collect personal data about you from different sources detailed below. 

    Information you give us:

    You will provide us with your personal information in connection with any contract of employment or engagement with us and/or any offer of employment or engagement that we make to you (including before or during any interview relating to any prospective contract or offer).  You may also provide us with personal information throughout the duration of your employment or engagement with Payzone.  The information you give us may include your name, postal address, email address, landline and/or mobile telephone number, bank account information, identification documents, as well as other personal information (including any information you may provide on your CV and any information referred to below).

    In connection with any contract of employment or engagement with us or any offer of employment or engagement that we make, you will have a contractual obligation to provide certain personal data to us.

    For example, in some cases, it may be a term of your contract of employment or engagement (or a condition of any offer of employment or engagement) that you must provide us with information for the purposes of us conducting certain checks, including:

    • checks to verify your identity and/or address (which may require you to provide your passport, driving licence or other identification documents, or we may checks with agencies such as Experian);
    • employment history checks (including references from previous employers);
    • credit checks with licensed credit reference agencies and/or other relevant organisations (such as Experian); and/or
    • verification of your previous salary and tax information (which may require you to produce previous wage slips, P45s and/or P60s).

    You may also be contractually required to provide us with certain sensitive personal information (which the law refers to as ‘Special Categories of Personal Data’), particularly regarding information about your health and medical history.  We may also contractually require you to provide us with information about any criminal convictions or offences.

    You may also be required, in connection with statutory obligations (and as a term of any contract with us, or as a condition of an offer we make), to provide personal data to us to verify your right to work in the United Kingdom.  This may include requiring you to provide your passport, driving licence, birth certificate or other identification documents, your National Insurance number (if you live in the UK) or your Visa (if you live outside the UK). 

    Where the terms of our contract (or the conditions of any offer we make) require you to provide certain personal data, there may be consequences for you if you do not provide it.  Where there is no contract already in place and you do not give us such personal data then we may not be able to conclude a contract with you.  If you do not give us such personal data where a contract is already in place then you may be in breach of contract (which may result in you incurring financial liability to us) and we may be entitled to terminate your contract.  There may also be other legal consequences for you if you do not give us any information which you are required by law to provide.

    Some information you provide to us may constitute sensitive personal information (which the law refers to as ‘Special Categories of Personal Data’).  This may include details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, trade union membership and information about your health or medical history.  

    Information we collect about you:

    We may collect various personal information about you throughout the duration of your employment or engagement with Payzone (and occasionally afterwards).  This may include:

    • details of any changes to your contract of employment or engagement;
    • salary and other financial information;
    • performance data relating to your employment or engagement, including details of appraisals and feedback to or from your managers;
    • details of any grievances you may raise;
    • details of any disciplinary action and/or complaints made against you.

    Information we receive and collect from other sources:

    We may receive information about you from third parties such as your previous employers, credit reference agencies (such as Experian) and doctors.  Information from doctors may include information about your health and medical history.

    The different kinds of personal data about you which we may collect and process from third parties are: Identity Data, Contact Data, Financial Data and Sensitive Data.

    We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Such aggregated data may be derived from your personal data but is not considered personal data in law (as this data does not directly or indirectly reveal your identity). However, if we combine or connect any such aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

  • 7. How we use your personal information

    We will only use your personal data when the law allows us to.  Each basis on which we are lawfully permitted to process your personal data is known as the ‘legal basis’ for processing.  

    The purposes for which we may use your personal data and the types of legal basis that we will rely on to process your personal data are set out in the table below.  Note that we may process your personal data for more than one legal basis depending on the specific purpose for which we are using your data (as shown in the table). Where more than one is shown, please contact us if you would like details about the specific legal basis we are relying on to process your personal data.

    Purpose/Activity

    Type of data

    Legal basis for processing

    To arrange an interview for prospective employment.

    (a) Identity Data

    (b) Contact Data

    (a) Processing undertaken with your consent.

    (b) Necessary to take steps before entering into a contract.

    To process and enter into any contract of employment or engagement.

    (a) Identity Data

    (b) Contact Data

    (c) Contractual Data

    (d) Financial Data

    (a) Processing undertaken with your consent.

    (b) Necessary to take steps before entering into a contract.

    To make checks about to verify your identity, address and your right to work in the UK.

    (a) Identity Data

    (b) Contact Data

     

    (a) Processing undertaken with your consent.

    (b) Necessary for our legitimate interests (to ensure we can be satisfied of your identity and address and your right to work in the UK).

    (c) Necessary to comply with a legal obligation.

    To make financial checks about you (including checking your credit history and making searches with licensed credit reference agencies) and seeking employment references and checking salary information.

    (a) Identity Data

    (b) Contact Data

    (c) Financial Data

    (a) Processing undertaken with your consent.

    (b) Necessary for our legitimate interests (to ensure that you do not have any financial problems that might affect your duties, that you are a suitable person to employ or engage and that information about your salary or tax status is accurate).

    (c) Necessary to comply with a legal obligation.

    To check and understand your medical history and any relevant health information about you.

    (a) Identity Data

    (b) Contact Data

    (c) Sensitive Data

    (a) Processing undertaken with your consent.

    (b) Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

    (c) Necessary for our legitimate interests (to check if there are any health problems that might affect your work and to manage your health and safety).

    To manage our relationship with you, which will include administration of your contract and notifying you about changes to our terms or privacy policy.

    (a) Identity Data

    (b) Contact Data

    (c) Contractual Data

    (d) Financial Data

    (e) Sensitive Data

    (a) Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

    (b) Necessary to comply with a legal obligation.

    (c) Necessary for our legitimate interests (including to keep our records updated).

    To comply with legal requirements (including where you exercise any of your rights referred to in this policy), to exercise our legal rights and to bring or defend legal claims.

    (a) Identity Data

    (b) Contact Data

    (c) Contractual Data

    (d) Financial Data

    (e) Sensitive Data

    (a) Necessary to comply with a legal obligation.

    (b) Necessary for our legitimate interests to exercise our legal rights and to bring or defend legal claims.

    We will only use your personal data for the purposes shown above. If we need to use your personal data for a different purpose, we will update this policy and notify you of the change before starting any such new processing.

    Please note that in some circumstances we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

  • 8. Transfers of personal information

    We may have to share your personal data with the parties set out below for the purposes shown:

    • any member of the Payzone group of companies, including subsidiaries and holding companies, in order to enable you to access the products and services we provided, provide you with customer support and conduct the other activities described in this privacy policy;
    • licensed credit reference agencies and/or other relevant organisations (such as Experian), to make checks to verify your identity and to make financial checks about you (including checking your credit history);
    • your previous employers, for the purposes of seeking employment references relating to you;
    • third parties such as:
    • service providers (acting as our data processors) who provide us with services relating to IT, hosting and other infrastructure and IT system administration, training, payroll and payment processing;
    • professional advisers (acting as our data processors) including lawyers, bankers, accountants, auditors and insurers based who provide legal, banking, accounting, auditing and insurance services to Payzone;
    • HM Revenue & Customs, the Financial Conduct Authority, other regulators and government authorities, for purposes required by law; and
    • the police and fraud prevention agencies, for the purposes of crime detection and prevention.

    We may also disclose your personal information to third parties:

    • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
    • if any member of the Payzone group or substantially all of its assets are acquired by a third party, in which case your personal data may be one of the transferred assets and disclosed to them accordingly; and
    • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce our terms and conditions or other agreements, or to protect the rights, property or safety of the Payzone group.

    We may share information about you with credit reference agencies and this information may be linked to records relating to other people living at the same address with whom you may be financially linked.  Other credit grantors may use this information to make credit decisions about you and the people with whom you are financially associated.

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Our third-party service providers (to the extent they are acting as our data processors) are contractually bound to use personal information only to perform the services that we have engaged them to provide and they are only permitted to process your personal data in accordance with our instructions.

    Please note that some of our external third-party service provides are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.  Please see section 9 about data being processed outside of the EEA.

  • 9. Where we store your data

    Usually your personal data will be stored in the United Kingdom.  However, some of our external third-party service provides are based outside the European Economic Area (EEA), so your personal data may be transferred to a destination outside of the EEA.  This means it may also be stored and processed at a destination outside of the EEA, including by staff operating outside the EEA who work for one of our service providers.

    Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it than applies within the EEA, by ensuring that certain minimum legal safeguards are met or implemented.  We take all steps that are mandatory or reasonably necessary to ensure that your personal data is treated securely and in accordance with applicable data protection laws.

    Please contact us if you want further information about the circumstances in which we transfer your personal data out of the EEA or the safeguards we use.

  • 10. How long we store your data for

    We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

    To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

    Details of the periods for which we retain different aspects of your personal information can be found in our Data Retention Policy at https://www.payzone.co.uk/data-retention-policy/.

    In some circumstances, you can ask us to delete your data.  Please see section 12 regarding ‘Your Rights’ for further information.

  • 11. Security of your personal information

    We use administrative, technical, and physical measures to safeguard personal information against loss, theft and unauthorised uses, access or modifications. Our staff and our third-party service providers are under a duty to process your personal data only in accordance with our instructions and they are subject to a duty of confidentiality regarding your personal data.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  • 12. Your rights

    You have the rights set out below with respect to the personal information that we hold about you.  To exercise any of these rights, you should contact us by using the contact details set out at the bottom of this policy.

    You will not normally have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    We may need to request specific information from you to help us confirm your identity when you seek to exercise any of your rights. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to help clarify the scope of your request.

    We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

    Your right to access the information we hold about you

    You have the right to ask us whether or not we process your personal information and to request information on the purposes of data processing as well as confirmation on whether we use your personal information for these purposes only.

    In some circumstances, we may not be able to give you access to the personal information we hold about you (for example, we may not be able to give you access if it would unreasonably affect someone else's privacy or if giving you access poses a serious threat to someone's life, health or safety).

    You also have the right to be informed of the third parties to which we transfer your personal information within the scope of this privacy policy.

    Your right to have your information corrected

    You can contact us to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.

    Your right to erasure of your information

    You can ask us to delete or remove your personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law.

    Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, after you make your request. 

    Your right to request restriction of the processing of your information

    You may ask us to suspend the processing of your personal information:

    • if you want us to establish the accuracy of the personal information;
    • where our use of the personal information is unlawful but you do not want us to erase it;
    • where you need us to hold the personal information even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
    • you have objected to our use of your personal information but we need to verify whether we have overriding legitimate grounds to use it.

    We will inform you when you decide to lift any such restriction on processing.

    Your right to object to us processing your information

    You have the right to ask us to stop processing your personal data where the processing is based on legitimate interests and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. We will comply with your right to object in these circumstances, unless:

    • we can demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms; or
    • the processing is for the establishment, exercise or defence of legal claims.

    Where we are relying on your consent to process your personal information, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

    Your right to object to automated decision making

    You have the right not to be subject to a decision which is based exclusively on automated processing and produces a legal effect or a similarly significant effect on you.  In these circumstances, you are entitled to obtain human intervention, express your point of view and obtain an explanation of the decision and challenge it.  However, this right does not apply if the automated decision is necessary for entering into or performance of a contract between you and us, is authorised by law  or is based on your explicit consent.

    Please note that when we undertake credit checks in connection with the entry into a contract with you, we may use an automated decision making service provided by third parties (such as Experian).  Whilst this is an automated service, if the results of any such check reveal any adverse information then we use human intervention to assess those results and to make any decision which may affect your status under that contract.

    Your right to have your information transmitted to another organisation

    Where we process personal information about you which:

    • has been provided by you directly to us; and
    • is processed by automated means; and
    • is processed with your consent or for the performance of a contract with you,

    you have the right to ask us to provide you with the personal information we hold about you in a structured, commonly used and machine-readable format or, where technically feasible, to transmit that data to another organisation.

    Making a complaint

    You have the right to lodge a complaint to the Information Commissioner's Office, the UK supervisory authority for data protection issues (www.ico.org.uk), if you believe that we have not complied with applicable data protection laws. You also have a right to claim damages if processing of your personal information violates applicable data protection law.

    We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

  • 13. Contacting us

    If you have any questions about this privacy policy, or if you wish to exercise your rights as referred to in this privacy policy, please contact us by:

    • writing to us at:

    The Data Protection Officer

    Payzone Bill Payments Limited

    Finsbury Dials

    20 Finsbury Street

    London

    EC2Y 9AQ

     

    or

    • emailing our Data Protection Officer by sending an email to: data.protection@postoffice.co.uk.

DOCUMENT CONTROL RECORD

 

 

SUMMARY

 

 

PZBP Policy Sponsor

 

Policy Owner

 

Policy Implementer

 

Policy Approver

 

 

 

PZBP Board

 

Andrew Goddard

Managing Director

 

Beverley Madeley

HR Business Partner

 

 

PZBP Board

 

Version

 

Document Review Period

 

Policy – effective date

 

 

 

 

1

 

24 months

 

24/10/18

 

 

 

 

 

REVISION HISTORY

 

 

Version

 

Date

 

Changes

 

Approved by

 

 

 

N/A

 

N/A

 

N/A

 

 

N/A

 

 

 

QUALITY STATEMENT

 

 

This document is periodically reviewed, and at least every 2 years starting from the last effective date. 

 

This policy has been reviewed against legislative requirements.

 

October 2018

 

witch default to ‘off’ when centre accessed by user