Last updated: 13/01/2021

Terms and conditions

  1. What this agreement is about;

    1. This agreement describes how the User may use Bright software products.
    2. In this agreement, “Bright software products” refers to the on-line human resources (HR) and Health and Safety software and the “Services”.
    3. “Services” refers to the provision of the Provider’s website and other digital services, associated software, and other services provided by the Provider in accordance with these Terms of Use, together with the characteristics and features as described at www.brighthr.com from time to time. The User understands and agrees that it cannot use a Service unless it is licensed by the Provider to use it and has paid the applicable fee to use Bright software products.
    4. The Provider may change the terms and conditions of this agreement, and its privacy policy, at any time. The Provider will make reasonable efforts to communicate any changes to the User via a notification in Bright software products, or by sending an email to the User, but it is up to the User to ensure that it regularly checks, reads, understands and agrees to the most recent version of this agreement, and the Provider’s privacy policy, as it will be deemed to accept all changes if the User continues to access and use Bright software products.

  2. Who this agreement is between;

This agreement is between:

      1. “the User” - the person or organisation authorised to use Bright software products.
      2. “the Provider” - BrightHR Ltd, company registration number 9282467, VAT number GB927524217, whose registered office is situated at The Peninsula, Victoria Place, Manchester, M4 4FB.

By entering into this agreement, both the User and the Provider agree to be bound by its terms.

  3. How the User accepts this agreement, and when this agreement starts;
    1. The User accepts the terms and conditions of this agreement when they log into the system.
    2. This agreement will continue until terminated in accordance with clause 16 below.
    3. If the User is not willing to accept these terms and conditions and therefore decides not to enter into this agreement, it should contact the Provider and is not permitted to use Bright software products or any of the Services.

  4. The User's rights to use Bright software products, its obligations and 'cooling off';

    1. If the User accepts this agreement and pays the relevant fees, then the Provider gives to the User the right to use Bright software products in the way described in this agreement, and in accordance with any service announcements, administrative messages, sales support literature, and other information from the Provider. The User must not use Bright software products in any other way.
    2. The User shall only use Bright software products for internal business management, Health and Safety and HR purposes, and shall input its own employee data in order to assist it in managing that information. It is also authorised to allow its own employees to input their own information.
    3. Bright software products enable the User to submit content which is then stored in a document library. Such content will, generally, comprise employee data, and will include such matters as their forename, surname, start date and job title. The User retains ownership of any Intellectual Property Rights that it holds in that content. However, access to this information is dependent upon the User complying with these terms and conditions, and ensuring that the applicable fee has been paid in full. The Provider will use all reasonable endeavours to implement technical and appropriate security measures to protect the information from loss or damage.
    4. The User cannot transfer its rights under this agreement to use Bright software products (or any of the Services) to any other person or organisation.
    5. The User must comply with all applicable laws in respect of its use of Bright software products, and the User must also ensure that the content of any data it inputs into Bright software products does not, and will not, result in any injury, damage or harm to the Provider or any third party (including, without limitation, defamation or breach of confidentiality). Such content must not contain anything which is unlawful, obscene, indecent or immoral or which promotes or condones any illegal or unlawful activities. It is also a condition of use that the User does not upload content (for example music or videos) for which it does not hold the copyright.
    6. The User acknowledges that although the Provider forms part of a group of companies whose core business is the offering of professional HR and Health and Safety advice, Bright software products are not a substitute for seeking any employment law or health and safety advice.
    7. The User may purchase or subscribe to third party complementary products or software services that integrate or work with Bright software products (“Additional Services”). It is the User’s responsibility to decide whether or not to access and use the Additional Services, and if the User chooses to do so, it must agree to the separate applicable terms and conditions presented to it by the Provider, or the third party, for those Additional Services. If there is a conflict between any of the terms of this agreement and the Additional Services terms, then the Additional Services terms will prevail in relation to the User’s use of the Additional Services. The Provider is not responsible for any issue with any third-party technology, information and/or services and will not be liable for those issues. The Provider may withdraw access to such third party technology, information or services via Bright software products at any time and without notifying the User.
    8. If the User is an ‘individual’ within the meaning of the Consumer Credit Act 2006 then they are entitled to a ‘cooling off’ period. A User falls within the definition of an ‘individual’, and is thereby entitled to a ‘cooling off’ period, if they are (1) a natural person (i.e. an individual), (2) a partnership consisting of two or three persons not all of whom are bodies corporate, or (3) an unincorporated body of persons which does not consist entirely of bodies corporate and is not a partnership. The ‘cooling off’ period will entitle such a User to cancel their use of Bright software products and release them from any obligation to pay a fee, provided such notification is received by the Provider within 5 working days from when they accept the terms of this agreement and become a User. In those circumstances the User may become liable to pay the Provider a fee for the Services used, such fee to be agreed between the Provider and the User or accepted by the User at the point of purchase.

  5. (a) No longer in use
  (b) Setting up a Bright software products account on the basis of a fixed term contract;
    1. The Provider will give the User its sign-in details to enable it to use Bright software products (the “sign-in information”) as soon as the User has registered with the Provider and has accepted these terms and conditions of use.
    2. Following registration, the Provider will provide access to Bright software products until either the User or the Provider ends this agreement, either in one of the ways set out in clause 18 or by virtue of the operation of the terms of the contract signed by the Provider and the User. If at any time the Provider charges the User an incorrect fee, then the Provider reserves the right to rectify its invoice and claim the correct payment from the User, which the User agrees to pay.
  (c) Setting up a Bright software products account on the basis of a free Lite Product agreement;

    1. The Provider will give the User its sign-in details to enable it to use Bright software products (the “sign-in information”) as soon as the User has registered with the Provider and has accepted these terms and conditions of use. 
  6. Use of Bright software products;

    1. The User is solely responsible for obtaining and maintaining its internet and network connections and any associated connectivity problems are its own responsibility.
    2. The Provider will take reasonable steps to make sure that Bright software products are free from viruses but it cannot guarantee this. The Provider recommends that the User operates with its own virus-protection software as the Provider cannot be held responsible for any loss or damage caused by any viruses or other harmful technology that may infect the User’s computer systems, data or other material owned by it.
    3. The Provider cannot guarantee that Bright software products will be compatible with the User’s web browser or computer set-up or that the User’s access to Bright software products will be uninterrupted or error free (as this may on occasions be beyond the Provider’s control).
    4. The User is responsible for controlling access to its own Bright software products account. The User should not allow anyone else to use its sign-in information and the User should also change its password at regular intervals.
    5. From time to time the Provider may temporarily suspend access to Bright software products for maintenance, repairs or other reasons. The Provider will try to do this outside normal business hours and provide the User with notice in advance but this might not always be possible.

  7. Adding Services to the User's Bright software products Account;
    1. To add Additional Services to Bright software products, the User must pay the applicable fee for each Additional Service in accordance with the terms and conditions of this agreement.
    2. The User can add Services via its Bright software products customer account portal. If the User wishes to add Additional Services to its Bright software products account but experiences difficulty, then the User must contact the Provider and must forthwith cease the addition of such Additional Services until the Provider has successfully cured the difficulty. When adding an Additional Service to its Bright software products account, the applicable fee payable will be amended to reflect such Additional Service(s). To discuss any Additional Services the User must contact the Provider via email, telephone or web chat.

  8. (a) No longer in use

  (b) Fees for those Users who pay on a fixed term contract;

    1. Fees for using Bright software products are set out in the contract, signed when the User agreed to purchase the Services or accepted by the User at point of purchase.

  9. What happens if the User is in Default?

    1. If, at any time, the User is in breach of any term of this agreement, or if the Provider does not receive payment from it for the use of Bright software products (including, without limitation, any of the Services it has subscribed to receive), then without prejudice to any other right or remedy which the Provider may have, the Provider is entitled to suspend or limit the User’s use and any employees’ self-service use of Bright software products (including all Services). The Provider may at its sole discretion offer the User a grace period during the defaulted payment period and has the right to suspend the service at the end of this period if payment has not been made. The Provider will notify the User of any payment related defaults.
    2. Any suspension of the User’s use of Bright software products shall continue until such time that the breach in question has been remedied to the Provider’s reasonable satisfaction and/or the Provider has received payment from the User in full. Any failure by the User to remedy a breach of this agreement, or to pay any amount due to the Provider, shall (without prejudice to any other right or remedy which the Provider may have) entitle it to terminate this agreement in accordance with clause 16 below. The Provider will notify the User by email of any intention to terminate the agreement.
    3. The User shall indemnify and hold harmless the Provider from and against all Claims and Losses arising from (a) a breach of any part of this Agreement which results in loss, damage, liability, injury to the Provider and/or its employees, consultants, or other representatives and third parties, (b) infringement of third party Intellectual Property Rights or third party losses by reason or arising out of the User’s access and use of Bright software products outside of that expressly permitted by this Agreement, or (c) any information or other materials supplied to the Provider by the User within or outside the scope of this Agreement. “Claims” shall mean all demands, claims, proceedings, penalties, fines and liability (whether criminal or civil, in contract, tort or otherwise) and “Losses” shall mean all losses including without limitation financial losses, damages, legal costs and other expenses of any nature whatsoever.

  10. Restrictions on the User's use of Bright software products;

    1. The User must not introduce any viruses or harmful technology to Bright software products.
    2. The User must not access any Bright software products and Services when they have not paid the applicable fee to do so. If the User engages in such unauthorised usage, the Provider is entitled to charge the User a fee at the appropriate rate of the Bright software products and/or Services in force at the time. If the User does not pay the additional charges, the Provider has the right to suspend all the User’s services until the breach has been remedied to the Provider’s reasonable satisfaction.
    3. The User must not try to affect the availability of Bright software products to other registered users.
    4. Except as expressly permitted in this agreement, the User must not give anyone else any right (of any kind) to use or benefit from Bright software products in any way, or provide Bright software products to others, unless others are entitled to use Bright software products within the User’s business and are added to Bright software products as a user of the Service.
    5. The User must not use Bright software products to develop its own software. Specifically, the User must not use or copy all or any part of Bright software products ‘graphical user interface’, ‘operating logic’ or ‘database structure’ for it to be used as part of, or to develop, any software or other product or technology.
    6. The User must not make any use of the Services which damages or is likely to damage the Provider’s business or reputation, the availability or integrity of Bright software products, or which causes or threatens to cause the Provider to incur any legal, tax or regulatory liability.

  11. Support;

    1. The Provider aims to provide the User with 24-hour support 7 days a week through the self-help tools (although there may be times where the Provider is unable to do so for reasons outside its control). The Provider will also provide support by [email] or [telephone] during working hours Monday to Friday between the hours of 8am and 6pm GMT. In the event that the Provider is required to access the User’s system to provide such support the User duly authorises such access.
    2. The Provider reserves the right to change how it provides support to the User (and if any applicable charges will become payable) by posting a notification on Bright software products or emailing the User with details of the changes. The Provider will aim to give the User as much advance notice as possible of these changes.
    3. The Provider will not at any time however, give the User technical support or other assistance for any hardware, third-party software or other equipment issue on which Bright software products have been installed.
  12. Intellectual Property Rights;

    1. Although the User has the right to use Bright software products as described in clause 4, the User will not own any of the Intellectual Property Rights in Bright software products. The Provider (or the third party from whom the Provider obtains the rights if the Provider is not the owner) will continue to own the Intellectual Property Rights in Bright software products, including any software the Provider provides to replace all or part of Bright software products. The only rights the User will have to Bright software products are as set out in this agreement.
    2. The Provider (or its licensors) owns the rights to Bright software products and any related logos or images. By allowing the User to use Bright software products, the Provider does not give the User ownership of any of those rights, logos or images.
    3. The User undertakes not to use the Provider’s name or brand in any promotion, marketing or announcement without its prior written consent.

13. Obligations on The Provider;

(a) Whilst the Provider aims to provide uninterrupted use of Bright software products, this cannot be guaranteed. The Provider will not be responsible for any failure to perform its obligations under this agreement in the event that it is prevented from providing a continuous service due to circumstances beyond its control. Wherever possible, the Provider will provide an advance warning notification on Bright software products or by email of any known or planned interruptions, and the Provider will use its best endeavours to keep any interruption as short as possible.

(b) The Provider gives no warranties to the User in respect of the following matters:

  1. That Bright software products will meet the User’s own needs;
  2. That the User will be able to use Bright software products in any particular way;
  3. That the User will get particular outputs from Bright software products;
  4. That the standard of the results the User derives from using Bright software products will meet a particular standard; or
  5. That, where the User uses the Provider’s technical support services, the Provider will be able to correct or remedy the User’s particular problem.

(c) The User cannot rely on any statement or representation made by any party prior to the registration of the User as a user of Bright software products.

(d) The Provider agrees that it will use its reasonable skill and care to provide the Services to the User under this agreement.

14. Provider’s Responsibilities;

(a) The Provider’s liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise arising under or in connection with this agreement will be limited to an amount equal to the total of all fees paid or payable by the User for its use of Bright software products in the 1-month period in which the claim arose.

(b) The Provider will not be responsible, whether in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, for any of the following (even if the Provider knew or should have known there was a possibility the User could suffer or incur such loss or damage):

  1. Loss of profit;
  2. Loss of business or revenue;
  3. Depletion of goodwill or similar losses;
  4. Loss of use or loss of or damage to data/information inputted by the User into Bright software products;
  5. Any interruption to the User’s business or damage to information, however that interruption or damage is caused;
  6. Any loss or damage which the Provider could not have reasonably foreseen at the time the User entered into this agreement including, without limitation, any special, indirect or consequential loss or damage.

(c) Nothing in this agreement will exclude or limit the liability of either the User or the Provider in respect of:

  1. Fraud;
  2. Death of or personal injury to any person as a result of negligence;
  3. Any other matter which cannot be excluded or limited under applicable law, including the law of the European Union or of a member state of the European Union;
  4. Any infringement of the General Data Protection Regulation 2016/679 (GDPR).

15. Force Majeure;

Neither party shall be liable for any default arising due to act of God, war, any industrial action including strike and lockout, fire, flood, drought, tempest or other natural disaster, or any other event beyond either party's reasonable control.

16. Termination;

(a) No longer used

(b) Termination of an agreement based on a fixed term contract.

  1. The termination provisions in the contract or terms accepted by the User at point of purchase are repeated and set out herein.

(c) Termination generally;

  1. If either the User or the Provider discovers that there has been a breach of the terms of this agreement by the other party, then it can:
    1. Require the party in breach by notice in writing to rectify it within 30 days of the date of service of such notice.
    2. If the breach is not rectified within that period, terminate this agreement by giving written notice that this agreement will terminate forthwith.
  2. If either party shall:
    1. become insolvent or bankrupt, or
    2. have a receiving order or administration order made against it or compound with its creditors, or
    3. being a corporation, commence to be wound up (not being a member’s voluntary winding up for the purposes of reconstruction or amalgamation), or
    4. carry on its business under an administrator or administrative receiver for the benefit of its creditors or any of them,
    then the other party shall have the right forthwith, by notice in writing to that party or to the administrator, administrative receiver or liquidator or to any person in whom this agreement shall have become vested, to terminate this agreement.
  3. No matter how this agreement ends, the information the User stores in Bright software products remains the User’s information and the User can access it in a format provided by Bright software products before the end of the agreement. After this agreement ends, the information the User may have stored in Bright software products will be retained for a period of 6 years.

17. Miscellaneous;

  1. If any provision of this Agreement is held illegal or unenforceable, such provision shall be severed and shall be inoperative, and, provided that the fundamental terms and conditions of this agreement remain legal and enforceable, the remainder of this agreement shall remain operative and binding on the Parties.
  2. If the User or the Provider fails to, or delays in, exercising any rights under this agreement, that will not mean that those rights cannot be exercised in the future.
  3. This agreement and the documents the Provider refers to above (including the contract for those users who use Bright software products by virtue of that written contract) constitute the entire agreement between the User and the Provider for use of Bright software products, and replace all documents, information and other communications (whether spoken or written) between them for such use.
  4. This agreement is personal to the User and may not be transferred, assigned, subcontracted, licensed, charged or otherwise dealt with or disposed of (whether in whole or in part) by the User without the Provider’s prior written consent. The Provider may transfer, assign, subcontract, license, charge or otherwise deal with or dispose of (whether in whole or in part) this agreement at any time without the User’s consent.
  5. A person who is not a party to this agreement has no right to enforce any term of it.
  6. Where either party is required to notify the other party by email, the party shall be deemed to have received the email on the first business day following transmission.

18. Which laws govern this agreement?

  1. If the User subscribes to Bright software products in the United Kingdom, then this agreement (and all non-contractual claims and disputes) is governed by the laws of England and Wales and the User and the Provider both agree that the courts of England and Wales shall be the only courts competent to decide disputes in relation to this agreement.

19. Disclaimer;

The Furlough Navigator is a tool to assist employers with their submission of information to HMRC in respect of any furloughed workers. The Furlough Navigator tool is based on guidance published by the Government on its website (www.gov.uk), which is regularly being updated. The information provided by BrightHR Limited in relation to the Coronavirus Job Retention Scheme does not amount to ‘advice’ and Bright HR Limited does not accept any liability or responsibility for the submission or accuracy of information provided to HMRC. All claims submitted to HMRC remain the sole responsibility of the employer.

Vacc Trak Lite is a tool to assist employers and/or employees with a safe return to work. The tool records the vaccination status of employees based on the employer's actions and does not endorse or validate the vaccination status in any way.

Privacy

This privacy policy explains how we collect and use any personal information we collect about you. The policy depends on whether you are “The User” (a person or organisation authorised to use BrightHR), an Employee of “The User” or a Visitor to the website.

Privacy Policy

Welcome to Bright HR’s privacy policy. We appreciate you taking the time to read all our notices carefully.

Bright HR Limited (“Bright HR”) is committed to protecting your privacy by ensuring that any personal data is collected and used lawfully and transparently. When delivering our professional services, we are the Data Processor of the personal data that you supply to the software platform under your contract with us.

This Privacy Notice explains:

  • Who we are
  • Personal data we collect
  • Our legal basis for processing
  • Who we may share information with and why
  • Where we may transfer data to
  • How we keep information secure and deal with security incidents
  • How long we may keep your data for
  • Your data privacy rights
  • How to contact our DPO and the ICO

Who is Bright HR?

Bright HR specialises in the provision of HR services software to businesses within the UK and Ireland. The group has global reach, providing a diverse range of clients with access to products and services covering a broad spectrum of HR and Legal compliance within the employment field.

When providing these services, we take our responsibilities regarding data protection very seriously and are bound by all applicable data protection laws in respect of the handling, processing and collection of data. All employees who handle personal and business data are fully trained to ensure that the data is processed in line with the General Data Protection Regulations 2018 (GDPR) as well as The Data Protection Act 2018 (DPA).

Personal data we collect

The type and frequency of any personal data collected will always depend on how our website and services are used.

Personal Data provided to us:

We use electronic contact forms and chat facilities across our websites. These forms will prompt users to input basic contact details so we can generate service quotes, provide newsletter updates and respond to enquiries. You may also provide data to us when registering for an event, seminar or vacancy or when corresponding with us by phone, email, letter or social media. It is important that the personal data we hold about you is accurate and current. You should keep us informed if your personal data changes during your relationship with us.

Personal Data collected by us:

Where you ask us to provide services, we may be required to process additional categories of personal data relating to you or other parties to ensure the provision of our services can be met effectively, for example, software users with a disability who may need additional support. We may also collect additional data from you as part of our recruitment process, during your employment or when you visit our offices via CCTV. We may also ask to verify your identity in limited circumstances by providing valid photographic identification.

Personal Data from other sources:

We may receive information about you and/or your company from specific third parties such as business partners, sub-contractors, advertising networks, analytics providers, hosting providers and search information providers. Bright HR also receives referrals from other clients and purchases marketing lists from external companies. 

Special Categories of Data:

There may be instances where we process Special Category Data provided by you or other users of our services during the lifetime of our service. Special category data is a more sensitive type of data which reveals insights about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. We may also process data that relates to criminal and/or civil offences as well as child data in some very limited circumstances. Sensitive data collection will only take place where it is applicable to the provision of the services that we are contracted to provide or if this is input into the platform by software users. To undertake our core service functions to software users, we do not need to actively collect this category of data, however, if provided in the course of service it will be held securely and confidentially.   

Online Identifiers:

When you visit our website, a record of your device’s IP address is retained which is used anonymously in order to determine website and page visitors. This enables us to continually update and refine the site. If you use any forms on the website to send an email to us, a record will also be made of your email address and your telephone number. For more information on how we use online identifiers or cookies please visit our

.

Our legal basis for processing

Before processing any personal data, we ensure that at least one lawful basis under GDPR is met. We will not disclose personal data for any purpose other than what the data was originally collected for, unless there is an overriding legal basis that enables this processing.

We may collect, hold, use and disclose the information collected to compile statistical data and to maintain our database; to develop or improve our website; respond to any queries; notify you of any upcoming marketing, training or other events that we think may be of interest to you; provide you with publications; manage quality control and compliance issues; manage systems administration; provide you or your organisation with advice; notify you about important changes or developments to our services; contact you for your views on our services or to determine the suitability for employment.

We may also process your personal data in the following circumstances:

To Perform Our Service Under the Contract:

We process information in order to support and maintain our existing or potential contractual relationships under the lawful basis ‘performance of a contract’. We may process personal data in order to provide various supporting client services, take payments and to make improvements to our website. We record calls made to our staff members, including internal, inbound or outbound calls. The lawful basis which we often rely on to process data for the duration of servicing on your account, and for the decision to enter an initial or any subsequent contract, is our ‘legitimate interests’. Ensuring our administrative and IT systems are secure and robust against unauthorised access also falls under this basis.

For Fraud Prevention:

Due to the products we offer to companies, we also have a ‘legal obligation’ to validate the status of companies we work with, which may involve identifying and verifying individual data subjects as part of our ‘legitimate interests’ to safeguard against criminal or fraudulent activities. We also need to ensure that VAT and premium tax is paid.

To Defend Legal Issues:

We have a ‘legitimate interest’ in processing data which may assist us in connection with the establishment, exercise or defence of legal claims.

To Process Sensitive Data:

In some cases, where the processing is deemed high risk or highly sensitive, we may ask for your ‘consent’ before we undertake the processing. For example, when providing information on reasonable adjustments before an interview. Where consent is used as the lawful basis for the processing, you will be entitled to withdraw that consent at any time as well as exercise your data privacy rights. 

When you apply for a vacancy:

You provide several pieces of data to us directly during the recruitment exercise. In some cases, and to facilitate our ‘Legitimate Interests’ we will collect data about you from third parties, such as employment agencies and former employers when gathering references or credit reference agencies. Should you be successful in your job application, we will gather further information from you, for example, your bank details and next of kin details, once your employment begins. We have a Legal Obligation to ensure you have a right to work in the UK and make reasonable adjustments for you if you have a disability. The ongoing lawful basis we rely on to process your data will be under our legal obligations or legitimate interests which may include assessments made on salary. 

For Marketing Purposes:

Bright HR Limited is one of several companies within The Peninsula Group. There may be occasions where several divisions in the group are involved in the delivery of the services you are contracted to receive. On occasion, we may share data with our affiliated divisions under our ‘legitimate interests’ to enhance the delivery of any services you have. Please refer to the footer of this page for details of the identity of our other group divisions.


You can opt out of group marketing by emailing us at:

GDPR@BrightHR.com


As part of our business-to-business sales strategy we may contact companies, and individuals within companies, about our products and services. To do this, we rely on our shared ‘legitimate interests’ in doing business together. This lawful basis also applies to any purchased data we may use from our various lead sources and when we share your data across our group databases.

For more detailed information on our lead sources please visit the respective company privacy notices below to learn more about their individual data acquisition and handling practices. You can also opt out of updates and marketing by clicking on the unsubscribe button at the footer of our email communications.

  • 118 Data Resource Limited: http://www.118information.co.uk/privacy/


Full information about our data processing obligations for each product we sell can be obtained via our Group Data Protection Officer upon request. Their contact details are disclosed at the bottom of this notice.

Data Sharing and International Transfers

Personal data will only be disclosed on a confidential basis to external service providers so that they can provide services such as financial, technological or administrative assistance. When we share data with an external third party; these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.

Any transfers taking place outside the EEA are only permitted with the provision of an Adequacy decision, Standard Contractual Clauses (SCC’s) or any other lawful transfer mechanism. Where necessary, we may need to share data with external organisations such as law enforcement, regulatory bodies, fraud prevention agencies, partners or advisors. Before any data is shared, we ensure that all technical and organisational controls are firmly in place and a data protection impact assessment is undertaken, where applicable, if the sharing or transfer is considered high risk. We do not sell your data to any third parties.

We will not use or disclose your personal information for any other purpose which is not related (or in the case of sensitive information, directly related) to the above purposes without your consent, unless otherwise authorised, required or permitted under the laws of England and Wales.

Data Storage and Security

We have a dedicated Information Security team who are in place to offer protection across all our networks and IT assets to assist with data security and data loss prevention. All our systems are robustly secured, and we are ISO27001 and ‘Cyber Essentials Plus’ certified. We also have a specialised Incident Response Team on hand to respond quickly to any data related issues including the prevention and detection of cyber criminals. For our UK and Irish clients, cloud providers we use have servers based within the UK and EEA jurisdictions so that data can be held locally to each user. As a company we promote a ‘paperless’ culture.

Data Retention

We will only keep your data for as long as necessary and only when the retention is compatible with the terms of your contract, and we will not retain data if it is deemed unlawful to do so. As we are a processor; we cannot keep data longer than is necessary unless specified by the client account holder. When using our software, there is a facility to download and transport any data input into the platform for later use so that our clients can facilitate any Data Subject Access Requests they may receive from employees at a later date. We do not retain copies of the data once the user account has been shut down. When you become a client of ours, we will retain information relating to your contract terms and our mutual business relationship as per our legitimate interests for up to 7 years.

If you opt for services from our affiliated group company, Peninsula Business Services, the retention period for any data you provide to them will be different. This is because they are a Data Controller and will keep data concerning your account for at least seven years from the date you end your contract with them. Peninsula provide employment law and health and safety advice, which is available as an optional service alongside your Bright HR account. If you opt for services with Peninsula, please refer to their privacy notice, which is available at: https://www.peninsulagrouplimited.com/privacypolicy/

Some data may be deleted before this time period depending on the category of that data in line with our commercial legitimate interests and retention schedule, for example, data provided to us in the course of an unsuccessful job application will be retained no longer than 6 months after the recruitment exercise.

Personal data that is no longer necessary is deleted securely in line with Bright HR’s Data Disposal Policy. Our Data Retention and Data Disposal policies are available upon request.

Your Data Privacy Rights

All data subjects have individual rights. On a case by case basis, you have the following rights in relation to your personal data processed by Bright HR:

  • The right to be informed about how your personal data is collected and used
  • The right to request access to a copy of any personal data that we hold about you
  • The right to rectify personal data we may hold which is identified as incorrect or misleading
  • The right to erasure of any personal data; also known as ‘the right to be forgotten’
  • The right to restrict further processing of your personal data
  • The right to data portability where technology allows us to send personal data onto a new controller
  • The right to object to the processing or certain processing activities
  • Rights in relation to automated decision-making including profiling.

As an organisation we do not operate any automated decision-making systems. Please be aware that the rights listed in this section only apply to individuals and cannot be used to request data relating to business entities. Please be aware that your rights of access do not entitle you to physical or digital copies of any documentation we hold.

Queries and Complaints

Bright HR has a dedicated representative who can be approached for any questions, comments and requests regarding this privacy policy or our Data Privacy Management System.

Our Group Data Protection officer welcomes communication around our policies and practices and they can be directly contacted on the details below, which are also publicly available on the ICO register. You can also write to us at Bright HR, Victoria Place, Manchester, M4 4FB, United Kingdom.

GDPR Oversight Team: GDPR@BrightHR.com

Data Protection Officer: GDPR@brighthr.com 

If you’re not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can approach the UK regulator for further guidance at www.ico.org.uk/concerns

Additional Information

This version was last updated and reviewed October 2020.

We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.

We are legally known as Bright HR Limited, and our registered office is at The Peninsula, Victoria Place, Manchester, M4 4FB, United Kingdom. We are registered in England and Wales under company number 09283467. ICO Registration Number: ZA534578

We form part of a larger group of undertakings known as ‘The Peninsula Group’. Other Companies that sit within our Group of companies within the global group:

Croner (UK), Croner-I (UK), Croner Taxwise (UK), Peninsula Business Services (UK), Health Assured (UK), Peninsula Employment Services (Ireland), Graphite HRM (Ireland), Employsure (Australia), Employsure (New Zealand), Peninsula Business Services (Canada).

Copyright © Bright HR Limited 2020

Privacy Policy for Bright HR User’s Employees

In accordance with the General Data Protection Regulation (GDPR), Bright HR has implemented this privacy notice to inform you, our client’s employee, about how we may manage and process your personal data. This notice applies to users of the Bright HR software who are employees of our Users.

Bright HR Limited (“Bright HR”) is committed to protecting your privacy by ensuring that any personal data is collected and used lawfully and transparently. When delivering our professional services, we are the Data Processor of the personal data that you supply to the software platform under your user account with us.  Your data may have been provided to us by the data controller (your employer) or by you as the data subject. We comply with the seven principles of the GDPR for the duration of any data processing we do.

This Privacy Notice explains:

  • Who we are
  • Personal data we collect
  • Our legal basis for processing
  • Who we may share information with and why
  • Where we may transfer data to
  • How we keep information secure and deal with security incidents
  • How long we may keep your data for
  • Your data privacy rights
  • How to contact our DPO and the ICO

Who is Bright HR?

Bright HR specialises in the provision of HR services software to businesses within the UK and Ireland. The group has global reach, providing a diverse range of clients with access to products and services covering a broad spectrum of HR and Legal compliance within the employment field.

When providing these services, we take our responsibilities regarding data protection very seriously and are bound by all applicable data protection laws in respect of the handling, processing and collection of data. All employees who handle personal and business data are fully trained to ensure that the data is processed in line with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Personal data we collect

The type and frequency of any personal data collected will always depend on how our website and services are used.

Personal Data provided by you:

We use electronic contact forms and chat facilities across our websites. These forms will prompt users to input basic contact details so we can generate service quotes, provide newsletter updates and respond to enquiries. You may also provide data when corresponding with us by phone, email, letter or social media. Any data input into the Bright HR software platform should be accurate and up to date.   

Personal Data provided to us from your employer or other third parties:

We may receive information about you from you or your employer if this is input into the platform by a user. Data provided to us may relate to your key employment information such as name, age, salary, length of service, gender, job title, job descriptions, employment contracts, employee handbooks, wider conditions of employment, details of formal and informal procedures, performance records, annual leave and sick/emergency leave records. We may also receive data about you from specific third parties affiliated with your employer such as business partners, health professionals, other staff members, colleagues or witnesses, government organisations or councils.

Personal Data collected by us:

We may receive information about you and/or your company from your employer which is input into the user platform due to your position in the company, for example, if you are an authorised caller on the account and have enhanced user access rights.

Special Categories of Data:

There may be instances where we process Special Category Data provided by you, your employer or other authorised users of our services during the lifetime of our service. Special category data is a more sensitive type of data which reveals insights about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. We may also process data that relates to criminal and/or civil offences as well as child data in some very limited circumstances. Sensitive data collection will only take place where it is applicable to the provision of the services that we are contracted to provide or if this is input into the platform by software users. To undertake our core service functions to software users, we do not need to actively collect this category of data, however, if provided in the course of service it will be held securely and confidentially. We will not over collect this category of data in any circumstances. The fundamental rights of data subjects are always assessed to ensure that the processing is fair, transparent and lawful. 

Online Identifiers:

When you visit our website, a record of your device’s IP address is retained and used in anonymised form to count website and page visitors. This enables us to continually update and refine the site. If you use any forms on the website to send an email to us, a record will also be made of your email address and your telephone number. For more information on how we use online identifiers or cookies, please see our Cookies Policy below.

Our Legal basis for processing

Before processing any personal data passed to us from your employer or by you, we ensure that at least one lawful basis under GDPR is met. We will not disclose personal data for any purpose other than what data was originally collected for; unless there is an overriding legal basis that enables this processing.

We may also process your personal data in the following circumstances:

To Perform services under the Contract we have with your Employer:

We process information in order to support and maintain our existing or potential contractual relationships with your employer/ex-employer under the lawful basis ‘performance of a contract’. We may process personal data in order to provide various supporting client services and to make improvements to our website. We record all calls made to our staff members, including internal, inbound and outbound calls. The lawful basis we often rely on to process data for the duration of servicing your employer’s account is our ‘legitimate interests’. As part of our ‘legitimate interests’, we may also need to work with third parties in the delivery of the services we provide to your employer. Where necessary, we may need to process data that is in the ‘public interest’.

To Defend Legal Issues:

We have a ‘legitimate interest’ in processing data which may assist us or our clients in connection with the establishment, exercise or defence of legal claims. We may also need to share certain details we hold about a person with law enforcement agencies and other regulatory bodies where necessary.

To Process Sensitive Data:

Any data deemed as more sensitive that is provided by you or your employer is given to us voluntarily and is not a condition of using our services but will be retained securely in line with all other data as per our Data Security policy.

Data Sharing and International Transfers

Personal data will only be disclosed on a confidential basis to external service providers so that they can provide services such as financial, technological or administrative assistance. When we share data with an external third party; these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.

Any transfers taking place outside the EEA are only permitted with the provision of an Adequacy decision, Standard Contractual Clauses (SCC’s) or any other lawful transfer mechanism. Where necessary, we may need to share data with external organisations such as law enforcement, regulatory bodies, fraud prevention agencies, partners or advisors. Before any data is shared, we ensure that all technical and organisational controls are firmly in place and a data protection impact assessment is undertaken, where applicable, if the sharing or transfer is considered high risk. We do not sell your data to any third parties.

We will not use or disclose your personal information for any other purpose which is not related (or in the case of sensitive information, directly related) to the above purposes without your consent, unless otherwise authorised, required or permitted under the laws of England and Wales.

Data Storage and Security

We have a dedicated Information Security team who are in place to offer protection across all our networks and IT assets to assist with data security and data loss prevention. All our systems are robustly secured, and we are ISO27001 and ‘Cyber Essentials Plus’ certified. We also have a specialised Incident Response Team on hand to respond quickly to any data related issues including the prevention and detection of cyber criminals. The providers we use have servers based within the UK and EEA jurisdictions so that data can be held locally to each user. As a company we promote a ‘paperless’ culture.

Data Retention

Bright HR will only keep your data for as long as necessary, unless there is an overriding legal ground. We will not retain data if it is deemed unlawful to do so. Data may be held for purposes relating to the establishment, exercise or defence of legal claims which the group or our clients may face. As we are a processor; we cannot keep data longer than is necessary unless specified by the client account holder. When using our software, there is a facility to download and transport any data input into the platform for later use so that your employer can facilitate any Data Subject Access Requests they may receive from employees at a later date. Onus would be on them as the Data Controller, to respond and handle any rights of access you may have.

Where we represent your employer or ex employer in any legal case via our affiliated company Peninsula Business Services, we retain the data for seven years from the conclusion of the litigation case. We only keep your data for as long as we need it for, which will be for the duration of your employer’s contract due to the provision of services and for seven years after that contract comes to an end. Some data may be deleted before this time period depending on the category of that data in line with our commercial legitimate interests and retention schedule. Personal data that is no longer necessary is deleted securely in line with Bright HR Data Disposal Policy.

Your Data Privacy Rights

All data subjects have individual rights. On a case by case basis, you have the following rights in relation to your personal data processed by Bright HR:

  • The right to be informed about how your personal data is collected and used
  • The right to request access to a copy of any personal data that we hold about you
  • The right to rectify personal data we may hold which is identified as incorrect or misleading
  • The right to erasure of any personal data; also known as ‘the right to be forgotten’
  • The right to restrict further processing of your personal data
  • The right to data portability where technology allows us to send personal data onto a new controller
  • The right to object to the processing or certain processing activities
  • Rights in relation to automated decision-making including profiling.

As an organisation we do not operate any automated decision-making systems. Please be aware that the rights listed in this section only apply to individuals and cannot be used to request data relating to business entities. Please be aware that your rights of access do not entitle you to physical or digital copies of any documentation we hold.

Queries and Complaints

Bright HR has a dedicated representative who can be approached for any questions, comments and requests regarding this privacy policy or our Data Privacy Management System. Our Group Data Protection officer welcomes communication around our policies and practices and they can be directly contacted on the details below, which are also publicly available on the ICO register. You can also write to us at Bright HR, Victoria Place, Manchester, M4 4FB, United Kingdom.

GDPR Oversight Team: GDPR@BrightHR.com

If you’re not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can approach the UK regulator for further guidance at www.ico.org.uk/concerns

Additional Information

This version was last updated and reviewed October 2020.

We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.

We are legally known as Bright HR Limited, and our registered office is at The Peninsula, Victoria Place, Manchester, M4 4FB, United Kingdom. We are registered in England and Wales under company number 09283467. ICO Registration Number: ZA534578

We form part of a larger group of undertakings known as ‘The Peninsula Group’. Other Companies that sit within our Group of companies within the global group:

Croner (UK), Croner-I (UK), Croner Taxwise (UK), Peninsula Business Services (UK), Health Assured (UK), Peninsula Employment Services (Ireland), Graphite HRM (Ireland), Employsure (Australia), Employsure (New Zealand), Peninsula Business Services (Canada).

Copyright © Bright HR Limited 2020

Cookies Policy

This notice explains how we use cookies and similar technologies on our websites and mobile applications to help provide you with the best possible online experience. New regulations will change the way in which the use of cookies is governed in the future and we'll update this notice once those changes come into effect.


What are Cookies?

A “Cookie” is usually a small text file that contains a unique identifier, made up of letters and numbers.

How do I change my cookie settings?

You can change your cookie preferences at any time by clicking on the ‘Opting Out’ links provided for each cookie listed below.

Alternatively, most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

Find out how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer's website.

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

You can also amend your general cookie settings at: www.youronlinechoices.eu by selecting your country and ‘your ad choices’.


How do Cookies work?

Cookies are created when you use your browser to visit a website, or when you use an app on your phone. The identifier which forms part of the Cookie is sent from the web server to the browser in a response, and the browser stores it on your device. The browser then sends the identifier back to the server with each subsequent request it makes to that server, which is how the server recognises the same browser across pages and visits.

A Cookie can be a ‘Session Cookie’ or a ‘Persistent Cookie’.

  • A Session Cookie will expire when the user session is terminated and the web browser closed.
  • A Persistent Cookie, however, will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date.

Cookies are used to collect visitor behaviour information as well as tracking your movements within the site or web page. Cookies can help you to resume where you left off, remember your registered login details, and content preferences as well as other customisation functions. They do not typically contain any information that personally identifies a user. 

At a basic level Cookies will: 

  • Allow the site to work properly, and help keep it secure
  • Help us understand how people use the website
  • Make the site easier to use by remembering information that you've entered,
  • Improve your experience by showing you information that's relevant to you.
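The exchange described above (server issues an identifier, browser stores it and returns it on later requests, session cookies die with the browser while persistent ones survive), worked through as an added example. This is illustrative code written for this page, not Bright HR's own software; the cookie names `visitor_id` and `session`, their lifetimes and the `Secure`/`HttpOnly`/`SameSite` attributes are constructed for the demo.

```python
"""Added example: how Set-Cookie / Cookie headers carry an identifier between a server
and a browser, and how session and persistent cookies differ. Not Bright HR code."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    persistent: bool      # True when Max-Age or Expires was given
    secure: bool          # only sent over HTTPS
    httponly: bool        # not readable from page JavaScript
    samesite: str | None  # cross-site sending rule, e.g. "Lax" or "Strict"


def build_set_cookie(name: str, value: str, *, max_age: int | None = None,
                     secure: bool = True, httponly: bool = True,
                     samesite: str = "Lax", path: str = "/") -> str:
    """Build a Set-Cookie header value; omit max_age to make it a session cookie."""
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header. Splitting on ';' is safe: Expires dates contain commas, not semicolons."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags: dict[str, str | bool] = {}
    for attr in attrs:
        key, sep, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip() if sep else True
    return Cookie(
        name=name.strip(), value=value.strip(),
        persistent=("max-age" in flags) or ("expires" in flags),
        secure=flags.get("secure") is True,
        httponly=flags.get("httponly") is True,
        samesite=str(flags["samesite"]) if "samesite" in flags else None,
    )


def parse_cookie_header(header: str) -> dict[str, str]:
    """Parse the browser's Cookie request header ('a=1; b=2') into a dict."""
    out: dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            out[name] = value
    return out


class BrowserJar:
    """Browser-side cookie store: session cookies are dropped when the browser closes."""
    def __init__(self) -> None:
        self.cookies: dict[str, Cookie] = {}

    def receive(self, set_cookie_headers: list[str]) -> None:
        for header in set_cookie_headers:
            cookie = parse_set_cookie(header)
            self.cookies[cookie.name] = cookie

    def cookie_header(self) -> str:
        return "; ".join(f"{c.name}={c.value}" for c in self.cookies.values())

    def close(self) -> None:
        self.cookies = {n: c for n, c in self.cookies.items() if c.persistent}


class Server:
    """Issues a random visitor id on the first visit and recognises it afterwards."""
    def __init__(self) -> None:
        self.known_visitors: set[str] = set()

    def handle(self, cookie_header: str) -> tuple[str, list[str]]:
        """Return (classification, Set-Cookie headers to send back)."""
        sent = parse_cookie_header(cookie_header)
        if sent.get("visitor_id") in self.known_visitors:
            return "returning visitor", []
        visitor_id = secrets.token_urlsafe(16)
        self.known_visitors.add(visitor_id)
        return "new visitor", [
            # persistent: lives a year, so the browser is recognised even after a restart
            build_set_cookie("visitor_id", visitor_id, max_age=365 * 24 * 3600),
            # session: no Max-Age, so it disappears when the browser is closed
            build_set_cookie("session", secrets.token_urlsafe(16), samesite="Strict"),
        ]


def simulate() -> list[tuple[str, list[str]]]:
    """Three requests: first visit, second visit, third visit after the browser was closed."""
    jar, server = BrowserJar(), Server()
    log: list[tuple[str, list[str]]] = []
    for step in range(3):
        if step == 2:
            jar.close()
        verdict, set_cookies = server.handle(jar.cookie_header())
        jar.receive(set_cookies)
        log.append((verdict, sorted(jar.cookies)))
    return log


if __name__ == "__main__":
    for verdict, names in simulate():
        print(f"{verdict:18} cookies held: {names}")
```

Run it and the third request is still classified as a returning visitor even though the `session` cookie was discarded on browser close: only the persistent `visitor_id` came back. The `Secure` and `HttpOnly` attributes are what the "help keep it secure" bullet above refers to in practice: the first keeps the identifier off plain HTTP, the second keeps it out of reach of scripts running in the page.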

How do we use Cookies?

There are several different types of cookies, which we use for a range of purposes once you accept them through the banner shown when you first visit our website. We may use Cookies to recognise you as a new or returning visitor, which in turn improves your browsing experience as you navigate through our pages and services.

Essential Cookies

These are required for the operation of the website. They let you move around our websites and use all the features. Without them, you wouldn't be able to do things such as submitting an enquiry to us via our contact form.

If you block these cookies we cannot guarantee access to the services provided through the website or be sure how the website will perform during your visit.

Performance Cookies

These simply help us improve the way our website works. They tell us how people use each page, which ones are most commonly viewed, or whether any errors occurred.

Targeting Cookies

These cookies help make sure the adverts you see on your screen are relevant to your personal preferences and are useful to you. For example, if you're shopping online for a personal loan, you might see more advertisements for personal loans pop up. This is simply because the cookie has detected what you're looking for.

Social Media Cookies

These cookies enable you to share content on this website via your social media platforms such as Linked In, Facebook and Twitter.


We also use cookies to add security to our user accounts in order to protect our website and services. We use similar technologies in emails; these help us to understand whether you have opened an email and how you have interacted with it, and cookies may also be set if you click on a link within the email. We may also use cookie data to compile statistical reports on website activity, and we may maintain a record confirming when Cookie consent was obtained.

What Third Party Providers do we use?

As well as using first party cookies set directly by us, from time to time we may use targeting cookies from a number of our third party providers and marketing partners, and we may use their Cookies to help deliver adverts relevant to your interests. These cookies can track your browsing history across various websites.

The Third Party Cookies we currently use are:

  • Google Analytics
  • Bing
  • Livechat
  • LinkedIn
  • Twitter
  • Facebook
  • YouTube
  • Turn
  • Marketo
  • Google Tag Manager
  • Hotjar
  • Google Optimizely
  • VWO
  • Unbounce
  • Ruler
  • Google call tracking


Our website uses Google Analytics, a web analytics service provided by Google, which sets performance cookies. These cookies do not directly identify anyone. You can opt out of having your anonymised browsing activity within websites recorded by analytics cookies.

For more information on Google Analytics, including details of how to block these cookies specifically, please see:

https://support.google.com/analytics/answer/181881?hl=en 

Our group companies may receive the personal data of end users as a consequence of using a Google product, depending on the nature of your interaction with us.

Our website may contain links to other sites. This cookie policy only applies to this website so when you link to other provider’s websites, you should read their own privacy policy.

How can you Manage Cookies?

You are within your rights to restrict or block Cookies we set and you can do this through your browser settings, device settings or amending your preferences below. You may withdraw your consent and amend your cookie settings at any time.

You can set your browser not to accept cookies. Each of our third party provider’s individual policies will also tell you how to remove their cookies from your browser. However, please be aware that in a few cases some of our website features may not function as a result.

If you don’t want to accept cookies in e-mails, you can set your internet browser to restrict or reject cookies, or you can close the email before downloading any images or clicking any links. Each browser will have different settings to enable you to do this, for example, Mozilla Firefox, Apple Safari and Google Chrome. Please visit their individual cookie policies for further information.


What is Pixel Tracking?

Some pages on the website and our emails contain pixel tags, which are also referred to as web beacons, web bugs, tracking pixels, java tags and clear gifs.

The tags on our website do not collect or store any personal/identifiable data and we only associate with reputable advertisers or services, who share the same values in keeping compliant to data protection laws and regulations.

Pixel Tracking allow us and our advertisers or service providers to:

  • Collect non-identifiable cookie data;
  • Customise the communications we send you and the content provided to you on our website when required;
  • Retarget users who have been directed to us from social media platforms such as Facebook, Twitter and LinkedIn; and
  • Collect statistics regarding the way you use the website and interact with the emails we send you

Bright HR Compliance Statement

Welcome to Bright HR’s statement on GDPR and Data Security. This document should be read in conjunction with our main Privacy Policy.

We are committed to ensuring that employee information is kept secure at all times, and we will implement appropriate technical and organisational measures against the unauthorised or unlawful disclosure of such information, and so as to prevent its accidental loss, destruction or damage.

Physical Security of our Site…

Buildings

Reception areas are staffed 24/7 and door access control systems are in place throughout the building and all entrances are monitored by CCTV including the data centre.

Secure areas

Secure access areas are protected by entry controls to ensure only authorised staff can enter via an access control card. Access rights are removed when staff move roles and access rights are limited to necessary personnel required.

Business Continuity

A BCP/DR policy has been implemented. A full annual DR test is conducted within Salesforce (our CRM provider), and individual components are tested at Bright HR on a regular basis. All necessary remediation has been carried out.

Systems Security…

Software and Applications

  • Software applications are managed through a standard Agile software development methodology. Once a change is completed, end-to-end testing is performed to verify the accuracy of the change and the existing system functionality.
  • Only approved software is permitted on user machines; it is managed and patched centrally through Software Centre.
  • Software is then packaged and released.
  • All operating systems in place are fully supported and patched.
  • Our desktops and laptops run Windows 10, with Windows updates installed automatically.
  • Sensitive data is processed on several systems, including Salesforce.
  • No sensitive information is stored on non-compliant systems.

User Access

  • Personal access to Bright Software Products is only via a secure username and password. Each user's username and password are unique and allow access only to their own personal information.
  • Only certain authorised staff, who are required to have access to the personal information of other employees for the purposes of their job role, will be authorised and will have the necessary access rights to do so.
  • They will receive relevant training and will be asked to agree to abide by the terms of our Privacy and Data Protection statements.
  • All users of Bright Software Products should keep their unique username and password strictly confidential. Users of Bright Software Products must notify us if they become aware of any unauthorised access, and we will notify clients of Bright Software Products should we become aware of any security breach involving loss, corruption or theft of employee information.

Network Access

  • Internal network access is controlled through internal Active Directory security.
  • Salesforce is accessed over HTTPS through a secure internet browser.
  • Internal systems can only be accessed from within the secure corporate network.
  • Passwords on devices are changed every 90 days and complexity requirements are enforced.
  • All access is controlled by ADS permissions and restricted to what is required.

VPN Access

  • All remote access by remote-working employees is secured by VPN logon technology; the networks cannot be accessed unless a secure VPN connection has been established.

Encryption

  • By leveraging the benefits of Cloud Computing all Bright Software Products data is stored on highly secure systems. These utilise the latest encryption and security technologies which are ISO/IEC 27001:2013, ISO/IEC 27017:2015 and ISO/IEC 27018 compliant. To maintain our PCI compliance, approved independent security vendors are used by BrightHR to ensure all our systems are scanned for any vulnerabilities.
  • All databases, software and hardware/devices are protected with high levels of encryption. Encryption keys are managed under strict policies and procedures and are stored in a secure location accessible only to database administrators.

Testing

  • On our equipment all patches are governed by the change control process which includes evaluation, testing and deployment.

System Updates

  • We update systems when the time is appropriate to ensure we are always using the most advanced technical and organisational tools out there.

Data Back Ups

  • Data is backed up daily and a data restore process has been tested.
  • Measures are in place to ensure that the business can continue to function should a compromise occur.
  • Data is backed up to physical media stored offsite at our secure data backup facility which is owned by the group and secured with CCTV, physical locks and limited access controls.
  • The data restore process is tested monthly or as required.
  • Performance monitoring and file integrity monitoring are in place to ensure our business continuity plan can take full effect.

Monitoring and testing

  • A standard build procedure ensures that all default admin and back door accounts are removed.
  • Regular network monitoring identifies any non-compliance with data loss prevention controls.
  • Penetration testing at application and network level is carried out on a regular basis.

Cloud Providers

  • We may use cloud storage facilities for processing and storing data and when we do this, we ensure that the security is maintained and tested regularly.
  • Our CRM is built on cloud-based infrastructure.
  • All data resides in the EU or UK, and no data is transferred out of the EEA.

Cyber Security

  • All networks have firewalls, antivirus and malware protection in place which is deployed on all endpoints to detect, alert and neutralise any threats.
  • Any applications accessible from the internet are constantly safeguarded to prevent the existence and exploitation of web application vulnerabilities such as cross-site scripting or SQL injection.
  • External connections are protected with resilient enterprise firewalls and dedicated security monitoring, e.g. SIEM, IDS, IDP.
  • All internet access is controlled by a dedicated web filtering appliance which restricts the types of traffic and URLs.
  • Firewalls and monitoring control and monitor traffic entering and leaving the organisation.
  • Sensitive data is processed on several systems, including Salesforce.
  • Security monitoring has also been deployed, including a dedicated SIEM platform.

Third Party Security…

Third Party

  • All contractual IT security requirements are in place with any third parties we use, which ensures the relationship remains subject to GDPR compliance.
  • Where necessary, our contract with them includes Data Processing Terms, or such terms are built into our products' terms and conditions.
  • We also use alternative data protection safeguard mechanisms where appropriate, in the form of standard contractual clauses where required.
  • Our CRM system is Salesforce, and we can confirm that they also have a dedicated security team which regularly tests and verifies that all controls are operational.
  • All Salesforce data resides in the primary data centre in the UK, with the secondary in Germany. All group databases reside in a primary and a secondary data centre, both based in the UK.
  • Bright HR’s data is segregated from that of other Salesforce customers.

Staff Security…

Staff Security

  • All staff are screened prior to their engagement and interviews are face to face where possible.
  • All staff get an induction focused on data protection and all our staff’s CV statements and qualifications are checked for validity before the offer of employment can commence.
  • Each staff member is issued with an Employee Handbook which we regularly review and update where necessary.
  • We update our staff when additions and updates are made.
  • A restrictive covenant is signed by staff prior to employment and a confidentiality agreement is signed on the first day of employment.
  • All staff receive security training as part of their induction, which is reinforced periodically during training sessions and presentations.
  • Staff are expected to change their passwords regularly and we enforce complex password requirements.
  • When an employee leaves the business, all accounts and access are suspended immediately, blocking all access to our systems and buildings.
  • A clear desk policy is in place across the group and staff know to lock screens when they are away from their desks for any period.
  • We operate data security policies for our remote and field workers so that integrity is always maintained.
  • Staff are not permitted to store any data on removable media (USB drives) or on device hardware.

Data Retention and Disposal…

Data Retention

  • All data retention is handled in line with our retention policy. We are committed to taking a practical approach in line with legal, contractual and commercial requirements relating to the ownership, retention and disposal of information relating to our business activities within the UK and Ireland. We tend to keep our client data for 7 years until the contract end date.

Data Disposal

  • As a company we have made a conscious effort to become more digitally focused and we steer away from paper records wherever possible.
  • Confidential waste bins are located on each floor for confidential paper waste and this is securely shredded by a vetted third party who provide a certificate of destruction upon completion.
  • We have a hardware disposal policy in place which ensures that all hardware is commercially wiped before final destruction by an accredited third party, who also provide a certificate of destruction.

GDPR Principles we Operate by…

Accountability: We are committed to the principles of the GDPR by adopting the concept of ‘data privacy by design’ within our operational model. We remain accountable by having detailed policies and systems in place as well as a Data Protection Officer to oversee our overall compliance to data protection regulations including the management of access rights requests. Our policies are regularly reviewed and updated, and our staff are periodically trained on data protection and security throughout the year.

Transparency, Fairness and Lawfulness: We process data with data subjects’ interests in mind and ensure that we approach processing activities with transparency to maintain fairness in what we do. This way we can be sure that we are processing data lawfully. We have a robust process in place to allow us to deal efficiently with any access requests we may receive.

Data Integrity and Confidentiality: We hold data on secure systems, and we are ISO 27001 and Cyber Essentials Plus certified. We can provide evidence of our certifications on request. Information security and integrity is key to our smooth operation and we have a dedicated cyber security team who protect our systems. We also have an Incident Response Team on hand to support us in the event that data may become compromised.

Data Minimisation and Data Storage: We will not keep data for longer than is necessary and only keep data if there is a lawful basis which allows fair retention. When we do need to remove data from our possession, we do so by using industry approved standards so the disposal or anonymisation is thoroughly compliant.

Data Accuracy: Keeping data accurate is very important to us and we train our staff to ensure they are maintaining data to a high quality and with all the facts available.

Purpose Limitation: We use the data we obtain for a specific purpose. This means that data is not processed for any reason other than the one for which it was originally collected.

The tables below explain our stance on different operational areas of our business, so that you can easily see the standards we work by.

If you have any further queries about any topics raised in this document please contact our Data Protection Officer on GDPR@BrIghtHR.com for further assistance and clarity.

Queries and Complaints

Bright HR has a dedicated representative who can be approached for any questions, comments and requests regarding this privacy policy or our Data Privacy Management System.

Our Group Data Protection officer welcomes communication around our policies and practices and they can be directly contacted on the details below, which are also publicly available on the ICO register. You can also write to us at Bright HR, Victoria Place, Manchester, M4 4FB, United Kingdom.

GDPR Oversight Team: GDPR@BrIghtHR.com

Data Protection Officer: GDPR@brighthr.com 

If you’re not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can approach the UK regulator for further guidance at www.ico.org.uk/concerns.

Additional Information

This version was last updated and reviewed October 2020.

We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.

We are legally known as Bright HR Limited, and our registered office is at The Peninsula, Victoria Place, Manchester, M4 4FB, United Kingdom. We are registered in England and Wales under company number 09283467. ICO Registration Number: ZA534578

We form part of a larger group of undertakings known as ‘The Peninsula Group’. Other companies within the global group:

Croner (UK), Croner-I (UK), Croner Taxwise (UK), Peninsula Business Services (UK), Health Assured (UK), Peninsula Employment Services (Ireland), Graphite HRM (Ireland), Employsure (Australia), Employsure (New Zealand), Peninsula Business Services (Canada).

Copyright © Bright HR Limited 2020

Data Processing

BrightHR will only process personal data in accordance with the User’s instructions; the User retains the responsibilities of the data controller and determines the purposes and means of processing personal data.

  1. During Processing the Provider shall:

    1. comply with the General Data Protection Regulation and the Data Protection Act 2018;
    2. only process the Personal Data for the purposes of performing its obligations under this Agreement and in accordance with the written instructions given by the User from time to time, unless the party is subject to an obligation under applicable law (including Data Protection Law) of the European Union or a member state of the European Union to do otherwise, in which case the party shall (unless prohibited by law) notify the User in advance of that legal obligation;
    3. notify the User immediately if an instruction from the User breaches a requirement of Data Protection Law;
    4. not disclose the Personal Data to any third party in any circumstances other than on the User's written instructions, with the User's specific written consent or where required to do so by applicable law (including (without limitation) Data Protection Law);
    5. with respect to the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of Data Protection Law, including Article 32 of the GDPR;
    6. ensure that all personnel with access to Personal Data:
      1. are subject to a contractual duty of confidence to hold the Personal Data in strict confidence;
      2. only process the Personal Data in the manner permitted by this Schedule;
    7. at the User's request, provide the User with such assistance as is contemplated by Article 28(3)(f) of the GDPR;
    8. immediately notify the User in writing of each Security Incident of which it becomes aware;
    9. assist the User with all data subject rights requests received from data subjects of the Personal Data, including (without limitation) by providing to the User such assistance as is contemplated by Article 28(3)(e) of the GDPR;
    10. if it receives any complaint, notice, request (including any subject access request) or communication (whether from a data subject, data protection regulator or other person) which relates directly or indirectly to the processing of Personal Data or to either party's compliance with Data Protection Law, it shall immediately notify the User in writing and it shall provide the User with full cooperation and assistance in relation to the same, and shall not respond to the complaint, notice, request or communication without the prior written consent of the User (except to the extent required by law), provided that the Supplier may acknowledge receipt;
    11. only transfer, access or process Personal Data outside the EEA when expressly authorised or instructed by the User in writing. Any transfers taking place between the EEA and the UK will be governed by a safeguard mechanism in the form of a Standard Contractual Clause (SCC). Where the User is based in the EEA, for example Ireland, we commit to retaining the User data in the EEA jurisdiction. Where data is held outside the EEA, for example in the United Kingdom for UK Users, all Personal Data will be held in the UK jurisdiction;
    12. not subcontract the processing of Personal Data to a sub-processor without the prior written consent of the User and, in the event that the User provides its consent, the party shall (prior to the sub-processor processing the Personal Data) enter into an agreement with the sub-processor on terms that provide no less protection for the Personal Data than those set out in this Schedule and meet the requirements of Data Protection Law, and the party shall remain fully liable for the acts and omissions of each sub-processor. The processor shall notify the controller in advance of the addition or replacement of sub-processors and allow the controller to raise any objections to such changes;
    13. at the User's option, securely return to the User or securely destroy the Personal Data, together with all copies in any form and in any media, in the party's power, possession or control promptly following the earlier of:
      1. termination or expiry of this Agreement;
      2. a request from the User; or
      3. if the party no longer needs the Personal Data in connection with the performance of its obligations under the Agreement;
    14. provide the User with all information requested by the User to enable the User to verify the party's (and each sub-processor's) compliance with this Schedule;
    15. on request supply the User with written confirmation that all facilities, premises, equipment, systems, documents and electronic data used for the processing of Personal Data by the party are compliant with the GDPR and assist with any audit that may be required.
  2. Data Processing Details

(a)

Subject matter, nature and purpose of the processing of Personal Data under this Agreement

Subject matter
The provision of online human resource management tools and other information services and materials.
Nature
Processing activities, such as storage, retrieval, analysing, data collection and data transfer will all be undertaken by the Supplier.
Purpose
Personal Data is processed in order to enable the Supplier to provide access to the services to the Authorised Users of the User, to provide insights to your employer in order to help them manage your employment and for administration of the contract and the services.

(b)

Duration of the processing of Personal Data under this Agreement

For the term of this Agreement.

(c)

Type of Personal Data processed under this Agreement

Personal Data

  • Name
  • Address
  • Date of Birth
  • Job title
  • Contact details, for example, details of next of kin
  • Immigration status details i.e. passport number/visa number and expiry dates
  • National Insurance Number
  • If you are a BrightHR user, information relating to employment, i.e. absence records, development records and annual leave entitlement. This information may be collected via application for employment forms, personal details forms, personnel files and records and any subsequent amendments to such documents.
  • If you are a BrightSafe user, information relating to health and safety, i.e. accident records and your role in managing health and safety.
  • If you are a VaccTrak Lite user, information relating to employees’ vaccination status.

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

Controller to Processor SCC

These terms and conditions are for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. As of 1 January 2021, the United Kingdom, where Bright HR Limited is based, will become a third country under legislation definitions.

As Bright HR will remain a Data Processor for the data of its clients, who may reside in the European Economic Area, this document has been designed as a tool to implement consistent and appropriate safeguards within the existing contract terms and conditions which demonstrate ongoing GDPR compliance, enabling the smooth continuation of cross-border data flows.

This document acts as a Standard Contractual Clause between Bright HR (Data Importer) and its clients based in the European Economic Area (Data Exporters).

By taking out products with Bright HR our EEA based clients have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.


Companies party to this Agreement

(the data exporter)


EEA Client using Bright HR Software solutions

- and -

(the data importer)


Name of the data importing organisation:

Bright HR Limited  

Address:

The Peninsula, Victoria Place, Manchester, M4 4FB

Tel.

0800 783 2806

E-mail:

GDPR@peninsula-uk.com

Other information needed to identify the organisation:


https://www.brighthr.com/


Clause 1

Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1);
  2. ‘the data exporter’ means the controller who transfers the personal data, who will always be our client;
  3. ‘the data importer’ means the processor (known as Bright HR Limited) who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
  7. ‘EEA’ means the European Economic Area which includes the countries of member states of the European Union. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.


Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.


Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.


Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  (b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  (e) that it will ensure compliance with the security measures;
  (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  (g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  (i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  (j) that it will ensure compliance with Clause 4(a) to (i).


Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  (d) that it will promptly notify the data exporter about:
    • any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    • any accidental or unauthorised access; and
    • any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  (f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  (h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
  (i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
  (j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.


Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
    The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.


Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against its third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    • to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    • to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.


Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).


Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely Ireland and the Data Protection Commission.


Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.


Clause 11

Sub-processing

  1. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  2. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely Ireland.
  3. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.


Clause 12

Obligation after the termination of personal data-processing services

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the Data Exporter:

Clients of Bright HR limited


On behalf of the data importer:

Bright HR Limited

Group In House Legal Team


The Peninsula, Victoria Place, Manchester, M4 4FB


Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data Exporter

The client is the Data Exporter

The Exporter sends data to the Importer so that an HR management software platform can be utilised where the client and any assigned users can input data and personnel information relating to their employment HR/business activity.

Data Importer

Bright HR Limited is the Data Importer when receiving client personal data from a location outside the EEA.

The Data Importer processes the data on behalf of the Data Exporter for the purpose of providing the contracted services that the client has purchased. Processing data input into the software by the Data Exporter enables the Data Importer (Bright HR) to offer the service and to perform ongoing account servicing requirements for clients and users.

Data subjects

Any personally identifiable information provided and subsequently transferred may concern the following categories of Data Subjects and may arise out of prospective, historic, or existing relationships between the parties and:

  • Partners, employees and any other workers;
  • Clients, customers and consumers;
  • Advisors, consultants, other professional experts;
  • Affiliates, business partners (including suppliers), associates and contacts made in the course of business; and
  • Any other data subjects who have a relationship with the Data Exporter (our client).

Categories of data

The personal data transferred concern the following categories of data:

  • Data relating to data subjects provided to Bright HR limited in the course of the services upon the direction of our clients, another third party appointed by the client, or by data subjects.

This may include:

  • Names of data subjects
  • Contact details for data subjects
  • Employment information including performance data and personnel files
  • Gender
  • Date of birth
  • Payroll data and financial details (bank account info for payroll/commissions)
  • Recruitment data and educational details
  • Social, lifestyle and family related circumstances

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

  • Race and ethnic origin
  • Political opinions
  • Religious or other beliefs
  • Trade union membership
  • Physical or mental health details including occupational health information and sickness records
  • Genetic/biometric data
  • Details on sexual orientation

The above will only be input on a case-by-case basis depending on user and client use of the software, where applicable and if input by users. The Data Importer cannot control what information users input into the software; therefore, all categories and possibilities are covered in this section.

Processing operations

The personal data transferred will also be subject to the details contained within the Service Level Agreement and the Bright HR product terms and conditions.

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses agreed by the parties that form part of the contractual agreement.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

  • Bright HR personnel. The Data Importer’s personnel will not process personal data without authorisation. Personnel are obligated to maintain the confidentiality of any client data and this obligation continues even after their engagement ends.
  • Technical and organisational measures. Details of the relevant technical and organisational measures are set out on the Data Importer's website located here: https://www.brighthr.com/terms/
  • Data privacy contacts. The Data Importer's Data Protection Officer can be reached at the following address: GDPR@BrightHR.com


DATA EXPORTER

Bright HR client


DATA IMPORTER

Name: Bright HR Limited


Our European Representative

Bright HR’s European Representative is Graphite HRM Limited based in Dublin, Ireland. They are a company within our corporate group who will deal with any data related queries or complaints on behalf of Bright HR limited for our European Economic Area located clients and software users.

European Representative Contact Details: GDPR@graphitehrm.com