Contractor Privacy Statement

1. Introduction

The Dandara Group (the Group) is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with data protection legislation. It applies to all contractors, subcontractors, consultants, individuals working for suppliers, service providers or processors, and other individuals engaged to provide services to or on behalf of the Group. This includes individuals who process personal data on behalf of the Group, whether directly or through the organisation for which they work. It does not form part of any contract for services. 

The Group is a "Data Controller" which means we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

2. Data Protection Principles

We will comply with data protection legislation, which says that the personal information we hold about you must be:

• used lawfully, fairly and in a transparent way
• collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
• relevant to the purposes we have told you about and limited only to those purposes
• accurate and kept up to date
• kept only as long as necessary for the purposes we have told you about
• kept securely

3. What information does the Group collect?

Personal data means any information about an individual from which that person can be identified.  It does not include data where the identity has been removed (anonymous data).  There are special categories of more sensitive personal data which require a higher level of protection.

The types of information we hold about you may include:

• personal contact details such as your name, title, address, telephone numbers and email address
• date of birth, induction reference number and site induction records
• where relevant, details of your qualifications, skills, experience and employment history
• information relating to your engagement, including contracts for services, role, responsibilities and duration of engagement
• evidence of qualifications, training, competencies, trade cards, licences, registrations, site inductions, health and safety training and other accreditation or eligibility information required for the work, site access or services being provided
• correspondence with or about you, including communications relating to your engagement
• bank account details, payment records, tax information and invoicing details where relevant
• emergency contact details
• records of attendance and/or working hours, where relevant
• vehicle and travel information, where relevant, including whether you drive to site, vehicle type, vehicle size or class, fuel type and vehicle registration number
• records relating to work carried out, deliverables and performance
• where you are given access to Group systems, site induction systems, access systems or online portals, account records, access logs and security information relating to that access
• video surveillance footage and other information obtained through electronic means, such as swipe card records, access control records and site or development entry logs
• biometric data, where used, for access control, site or premises security and identity verification
• photographs, where relevant to your engagement
• records relating to any complaints, investigations or capability processes involving you (whether or not you were the subject of those proceedings).

We may hold more sensitive personal information, for example, information about your health where required for health and safety purposes and biometric data where this is used to uniquely identify you for access-control, site or premises security purposes.

Most of the information we hold about you will have been provided by you, but some may come from other internal sources or, in some cases, external sources, such as your employer or engaging organisation, recruitment agencies, referees, site induction providers, training or accreditation bodies, trade or professional registration bodies, and publicly available sources where relevant.  

Data will be stored in a range of different places, including SharePoint sites, local drives and email systems, which are access protected as appropriate.

4. Why does the Group process personal data?

We will only use your personal information when the law allows us to. We rely on the following lawful bases:

• where it is necessary to perform our contract with you or with the organisation through which you provide services
• where it is necessary to comply with a legal obligation
• where it is necessary for our legitimate interests (provided your rights do not override those interests)

The Group needs to process data to enter into and perform its contract with you or with the organisation through which you provide services, and to comply with its contractual obligations, for example processing payments, managing your engagement and administering services.

It also needs to process your data in order to comply with legal obligations, for example tax, health and safety and regulatory compliance.

The Group also needs to process personal data to pursue its legitimate business interests.

Processing personal data allows the Group to:

• engage contractors and manage contractual relationships
• determine terms and conditions of engagement
• maintain accurate and up-to-date records and contact details
• manage performance and delivery of services
• support site logistics, operational planning, environmental, sustainability and wider ESG monitoring, analysis and reporting, including assessing travel distances to and from sites, estimating travel-related emissions, and reporting on local labour or local supply-chain participation
• manage access to Group systems, sites and information
• undertake business management and planning, including accounting and auditing
• ensure network, system, site access and information security and compliance with relevant policies
• comply with applicable laws and regulations
• prevent and detect fraud or other unlawful activity and protect the Group’s property, systems and information
• establish, exercise or defend legal claims

Where we process special categories of personal information, this will be limited to what is necessary for health and safety or security purposes or to comply with legal obligations.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

We do not envisage that your personal information will be used to make solely automated decisions which produce legal or similarly significant effects, and we will notify you if this position changes.

5. Who has access to data?

Your information may be shared internally, including with site management, health and safety, procurement/commercial, finance, IT, Compliance, Legal and other managers or teams who need access for the purposes described in this notice.

We may also share your personal data with third parties where required by law, where it is necessary to administer our relationship with you, or where we have another lawful basis to do so. These may include:

• payment, finance and accounting providers
• tax authorities, regulators and other competent authorities
• site induction, attendance, access-control, training, competency, accreditation, health and safety, environmental, sustainability and ESG reporting system providers
• professional advisers, including legal, auditors and insurers
• IT service providers and system administrators
• third parties who provide services on our behalf
• other companies within the Dandara Group

We require third parties to respect the security of your data and to treat it in accordance with the law.

Some of our service providers may process personal data outside the UK, Isle of Man, Jersey or EEA. Where this happens, we will ensure that appropriate safeguards are in place.

6. How does the Group protect data?

The Group takes the security of your data very seriously and has internal policies and controls in place to protect your data from being lost, accidentally destroyed, misused or disclosed. Access is restricted to those who need it for legitimate business purposes.

Where required, the Group maintains an internal appropriate policy document covering its processing of special category personal data and criminal offence data relating to contractors and other individuals providing services to or on behalf of the Group. This sets out the additional safeguards, access controls, retention and erasure arrangements that apply to that data.

The Group has procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator where we are legally required to do so.

7. For how long does the Group keep data?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying legal, accounting, invoicing, contracting and reporting requirements.

Typically, your personal data will be retained for the duration of your engagement and in accordance with the company’s data retention schedule following its end, unless a longer retention period is required by law or to establish, exercise or defend legal claims.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you.

8. What if you choose not to provide personal data?

Certain information is required to enable the Group to enter into and perform its contract with you or with the organisation through which you provide services, and to comply with its legal obligations.

If you do not provide this information, we may be unable to engage you, process payments or provide access to systems or sites.

9. Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. 

10. Your rights

As a data subject, under data protection legislation, you have various rights in relation to your personal data. You can:

• request access to your personal data
• request correction of inaccurate data
• request erasure of your data where appropriate
• request restriction of processing
• object to processing based on legitimate interests
• request the transfer of your personal data to another party
• in the limited circumstances where we rely on your consent, you may withdraw it at any time.

You have the right to make a complaint to the relevant Information Commissioner or data protection authority if you believe we have not complied with the requirements of data protection legislation in relation to your personal data. This may be the Information Commissioner’s Office in the UK, the Isle of Man Information Commissioner, or the Jersey Office of the Information Commissioner, depending on the relevant controller, location and processing. Further details are available at www.ico.org.uk (UK), www.inforights.im (Isle of Man) and www.jerseyoic.org (Jersey).

11. Data Protection Officer

If you wish to make an access request or assert any of the rights detailed above, please contact the Data Protection Officer at DPO@Dandara.com

12. Changes to this privacy notice

We reserve the right to update this privacy notice at any time and will notify you of any substantial changes.