Privacy Policy – Effective 25th May 2018 – Version 2.0


Introduction

On the 25th May 2018, the General Data Protection Regulation (GDPR) will come into effect across all EU member states. The GDPR provides one framework data protection law for Europe, representing a significant harmonisation of data protection requirements and standards across the EU.

Contracting PLUS is committed to satisfying all GDPR requirements to give our clients confidence that their data is being managed to the highest standards. This policy has been updated to reflect the requirements of GDPR and hopefully will give you clarity on how we manage the lifecycle of your data.

If you have any questions about this policy or your data, you can email us at dpo@contractingplus.com

Definitions

Before we get into the policy, it's important you understand some of the key terms used, as they are mentioned within the policy document.

Personal Data: Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.

Processing: means performing any operation or set of operations on personal data, including:

  • obtaining, recording or keeping data;
  • organising or altering the data;
  • retrieving, consulting or using the data;
  • disclosing the data to a third party (including publication); and
  • erasing or destroying the data.

Data Controller: A Data Controller is the person or organisation who decides the purposes for which, and the means by which, personal data is processed. The purpose of processing data involves ‘why’ the personal data is being processed and the ‘means’ of the processing involves ‘how’ the data is processed. For the purposes of this document, Contracting Plus is the Data Controller.

Data Processor: A person or organisation that processes personal data on behalf of a data controller.

Data subject: A Data subject is the individual the personal data relates to.

Model Contract: A 'model contract' is a general type of contract that includes specific provisions dealing with data protection, and that has been approved either by the EU Commission or by the Data Protection Commissioner. A data controller in Ireland, which wishes to transfer personal data outside of the EEA, can use the model contract as the basis for its relationship with the third-country organisation.


Policy

1. Who we are

When we use the term “Contracting Plus” or “us” or “we” within this document, we are referring to Contracting Plus Consultants Ltd, which includes all associated branch locations. Contracting Plus is Ireland's most trusted and experienced provider of contractor solutions. We provide peace of mind to individuals that want to manage their tax, accounting and financial needs whilst protecting and growing their wealth. Our mission is to make Professional Contracting easier by providing accessible and friendly solutions to all your personal tax service needs.

2. Data Protection Officer

Contracting Plus has an appointed Data Protection Officer (DPO), who has the following responsibilities:

  • to inform and advise the controller (Contracting Plus) or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

If you wish to contact Contracting Plus’s DPO, please email dpo@contractingplus.com.

3. How we collect information about you

Our data collection process aims to be open and transparent at all times. Contracting Plus gathers personal data via a number of mediums i.e. telephone, web forms, email, apps, social media, etc for the following reasons:

  • for assessment of application for service,
  • for planning service delivery,
  • for provision of information.

In addition, our web sites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you as well as provide Contracting Plus with analytics on how the service is being used.

4. How we keep your information safe

Contracting PLUS’ most important concern is the protection and reliability of customer data. Contracting PLUS use a mixture of Private and Public cloud infrastructure providers to ensure customer data is secure and available at all times. All our Cloud Providers are located within the EU and adhere to the highest compliancy standards including the following certifications/regulations:

- DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3

- EU Data Protection Directive, HIPAA

All client data is regularly backed up with robust disaster recovery procedures in place.

In addition, Contracting PLUS use a number of third-party web based systems for uses such as Survey gathering, form data collection, etc where the data gathered may reside outside of the EU jurisdiction. To comply with Data Protection Legislation, the countries must be considered as offering an adequate level of protection in accordance with Article 25 of the Data Protection Directive. In these cases, where the third-party companies reside in the US we will ensure that the party is either registered under the EU-U.S. Privacy Shield Framework or has a ‘Model Contract’ in place with us.

5. How long we keep your information

When a contractor contacts us initially to determine whether we can provide them with an appropriate solution, we term this contractor an “Interested Party” as this is still considered the “Sales” stage of the engagement. If the contractor agrees to sign up with us they then become an “Active Contractor”. Once the contractor leaves our services they then become an “In-active contractor”.

Below is the data retention policy for each class of contractor:

For “Interested Party” contractors it may sometimes take several weeks before it's definitively clear that the contractor does not wish to sign up with us. Once it is clear that the contractor does not wish to sign up, then we will use an automated process to purge the personal data obtained within 30 days.

For Active contractors, Contracting PLUS permanently deletes the following classes of information where the information in question is over seven years old after the accounting year end (end Dec for Ire, end Apr for UK). This may include, but is not limited to:

  • Contractor expenses (both electronic and paper)
  • Contractor payslips (both electronic and paper)
  • Contractor/Agency invoices (both electronic and paper)
  • Contractor timesheets (both electronic and paper)
  • Contractor P60's (both electronic and paper)
  • Submitted Tax returns information on our portal.
  • Any other paper based information received > 7 years old.

For In-active contractors, Contracting PLUS permanently deletes all classes of information (electronic and paper) where the information in question is over seven years old after the inactivity date of the contractor. We may maintain basic contact information for the purpose of Marketing, but this will be done only on a consensual basis post 25th May 2018.

6. Meeting our legal and regulatory obligations / Consent

To use your information lawfully, we rely on one or more of the following legal bases:

A.   processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

B.   the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

As it is contractors themselves that typically contact Contracting Plus in order to obtain both a quotation and an outline of our services, paragraph A above allows us to process a minimal amount of personal data (i.e. Name, email, contact number, etc) without having to ask for consent.

When a contractor decides to fully sign up with us, there is typically a requirement to gather more personal data, and as such we will typically ask for consent in order to initiate this data gathering exercise.

7. How we use your information

Contracting PLUS holds and processes information about clients and agencies for all necessary and customary business purposes, such as:

  • Identity management i.e. your personal/working situation and validation of your work status.
  • Pay and review compensation
  • Contract Management.
  • Agency Management.
  • Provide and administer benefits.
  • Comply with applicable taxation or other legal obligations
  • Protect the rights, interests, or property of the Company.
  • Facilitate compliance with Company policies, industry standards, and legal requirements.
  • Communications i.e. marketing, industry updates, etc.

We do not ask for more information than is required in order to provide you a service and we only use that data in the provision of that service.

8. Your information and third parties

Contracting PLUS, as a rule, do not disclose any information on our clients or agencies to third parties, but when necessary may make such data available to our advisors and regulatory authorities (including the Revenue Commissioners). We do share your information with our sister company CWM Wealth Management Ltd, who specialise in tailoring financial products such as retirement planning, pensions, income protection, etc for contractors.

If disclosure of personal data to a third party is required which exceeds the terms of the provision within the consent declaration on the Contracting PLUS info pack/application form, consent will always be sought in such cases.

There are special circumstances under which disclosure of personal data to third parties is allowed. These are provided for under the Data Protection legislation and are:

  • As ordered by the Gardai, or army personnel
  • For the purpose of investigating an offence
  • To prevent urgent injury or damage to person or property
  • Under a court order or other rule of law
  • Required for the purposes of obtaining legal advice or for legal proceedings in which the person making the disclosure is a party or a witness
  • Made at the request of and with the consent of the subject of the data

9. International transfers of data

We may transfer your personal information to Contracting Plus offices outside of the European Economic Area (EEA) to help us provide your products and services. We expect the same standard of data protection to be applied outside of the EEA to these transfers and the use of the information, to ensure your rights are protected.

10. Your personal information rights

In accordance with the GDPR, you have the right as a data subject to:

  • Know what personal data we have, why we have it and how we process it,
  • Have the data updated if the data is incomplete or inaccurate,
  • Have your data deleted where one of the reasons as per Article 17 applies.
  • Note: an individual’s right to erasure (in accordance with Article 17 GDPR) does not apply where said information is required to be retained in accordance with relevant legislation. Our policy would be that:
      - we retain data for as long as statute or regulations demand; and
      - we normally destroy files after seven years as per section 5.
  • Have the data processing restricted where one of the reasons as per Article 18 applies.
  • Have the right to receive your personal data, which you have provided in a structured format (see section 13).
  • Have the right to restrict or object to us using your personal information or using automated decision making.
  • Remove consent for processing and/or for direct marketing

Note: When you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information. If you have any questions or queries, please email dpo@contractingplus.com.

11. Making a complaint

If you have a complaint about the use of your personal information, please contact us at dpo@contractingplus.com to allow us to quickly rectify the situation.

12. Updates to this notice

This policy will be reviewed regularly in light of any legislative or other relevant developments. You can always find an up-to-date version on our web site at http://contractingplus.com/index.php/privacy-policy

13. Access to Personal Data

As a client of Contracting Plus you are entitled to receive a copy of your personal data held by Contracting PLUS upon written request, at no cost (for the initial request, subsequent requests will be charged).

In order to respond to your request we ask you to download the Access Request Form:

  • Please complete, sign and date the form and be as specific as possible about the information you wish to access.
  • Attach a photocopy of your proof of identity and address, to the “Access Request Form”.
  • Post the “Access Request Form” to: Data Protection Officer, Contracting PLUS, Unit 26J, Block 6500, Cork Airport Business Park, Cork, Ireland or email same to dpo@contractingplus.com
  • If you cannot download the Access Request Form from the internet please write to us requesting a form from: Data Protection Officer, Contracting PLUS, Unit 26J, Block 6500, Cork Airport Business Park, Cork, Ireland and we shall send you a copy by return post. Use of the “Access Request Form” is not mandatory. Completing the Access Request Form should enable us to process your request more efficiently.

We do not accept access requests via telephone or text message.

Review
This Policy will be reviewed regularly in light of any legislative or other relevant developments