GDPR Candidate Agreement
Edrington is committed to safeguarding the privacy of the personal data that we hold concerning our prospective, current and former employees (“you” or “people”) for management, human resources and payroll purposes. Your personal information is collected by Highland Distillers Limited and Edrington Distillers Limited. You can contact us at 100 Queen Street, Glasgow, G1 3DN.
Data protection laws will change across the EU from 25 May 2018, and we are taking this opportunity to explain how Edrington uses and protects the personal data which it holds about its people.
What personal data do we collect about our people?
Names, addresses, contact details, home and mobile telephone numbers, date of birth, gender, photograph, marital status, emergency contacts, family details (including beneficiaries for life assurance purposes).
Nationality, work permit status, passport information.
Driving licence number, vehicle registration and driving history.
National insurance number, tax code and bank account details.
Sick pay, pensions, insurance, shares, and other benefits information.
Educational and employment background, professional certifications and registrations, training attended, references and interview notes.
Date of start and, where relevant, end of employment, and length of service.
Information captured on security systems, including CCTV, to the extent necessary to ensure the safety of our people and our sites.
Absence, maternity, paternity and annual leave records, salary history, performance appraisals (PDR information), disciplinary and grievance proceedings, records regarding completion of training.
Voicemails, e-mails, correspondence, documents, and other work product and communications created, stored or transmitted using our networks, applications, devices, computers or communications equipment.
Records of your use of our IT systems including email, internet systems, computers, laptops (including via remote access) telephone systems and mobile devices.
We may also collect the following "special categories" of personal data:
Where permitted by law and relevant to the role to be carried out by an employee or prospective employee, the results of credit and criminal background checks, the results of drug and alcohol testing, screening, health certifications.
Racial and ethnic origin and information relating to disabilities, religious beliefs or sexual orientation for equal opportunities management (where relevant).
Immigration/naturalisation records for employees and workers where this discloses racial/ethnic origin information.
Physical or mental health or condition (e.g. health and attendance records, any adjustments required for recruitment or employment, records of drugs and alcohol testing, medical exams and health and safety records resulting from injuries at work and accidents).
Information relating to trade union membership.
How do we collect data?
The personal information is either (a) provided by you, (b) obtained from third parties (normally through the application and recruitment process), or (c) created by us in the course of job-related activities during your employment/engagement with us. Data may be obtained from the following third parties: former employers, employment agencies, credit reference agencies or other background check agencies.
How do we use your personal data?
We may use your personal data for a number of purposes relating to your employment, or application for employment with Edrington, such as human resources management and staff administration, including the following:
• to process any applications you make for employment with Edrington;
• to calculate, pay, and provide benefits, including dealing with any queries you may have about your pay or benefits;
• to carry out reviews of your performance, and to support your training and development needs;
• detecting or preventing inappropriate behaviour or breach of our policies including protecting our confidential information, intellectual property and assets;
• making contact in an emergency;
• ensuring that our (or any of our group companies') systems are used primarily for business purposes, have sufficient capacity for the needs of the business, and are protected against cybersecurity threats such as malware;
• for the purposes of any potential and/or actual litigation or investigations concerning us or any group company or its officers;
• to carry out statistical, financial modelling and reference purposes;
• for internal record keeping;
• to comply with our legal obligations or demands and requests made by any regulators, government departments, law enforcement or tax authorities or in connection with any disputes or litigation.
Why do we use personal data?
We will use your personal data for the following reasons:
(1) where it is necessary to carry out our duties under your employment contract (e.g. paying you and providing you with benefits) or other applicable engagement contract with us or in order to take steps prior to entering into that contract;
(2) to comply with a legal or regulatory requirement (for example we are required to send certain information to HMRC, or to report certain information in the event of an accident at one of our sites);
(3) exceptionally it is necessary for the vital interests relating to you or another person (for example, avoiding serious risk of harm to you or others); or
(4) it is necessary for our ‘legitimate interests’ (or those of a third party) to process your personal data. These legitimate interests include: (a) maintaining the safety, health and welfare of our employees and applicants; (b) ensuring that our assets are protected, kept confidential and not used for inappropriate or unlawful purposes; (c) preventing, detecting or investigating unauthorised use of our systems and ensuring we comply with law and our policies; (d) internal record-keeping and administration purposes; and (e) communicating with you where you have requested certain information, for example if you have an enquiry about your Edrington shares.
How we use special category personal information
We process your special categories of personal data (a) to comply with employment, social security and other laws and to record and administer sickness and maternity leave, (b) to ensure your health and safety in the workplace and to assess your fitness to work on health grounds subject to appropriate confidentiality safeguards (secure storage and shared with a very limited number of people) and to provide appropriate workplace adjustments and to monitor and manage sickness absence and administer benefits, including medical insurance, (c) to ensure meaningful equal opportunity monitoring and reporting (where relevant), (d) to onboard you as an employee and for administering your employment contract, and (e) to pay trade union premiums and to comply with employment law obligations, using trade union membership information.
Why we use special category personal information
We use special categories of personal information collected about you because (1) you have provided your explicit consent; (2) we need to do so to carry out our legal obligations; (3) it is necessary for the establishment, exercise or defence of legal claims; (4) it is necessary for the purposes of preventative or occupational medicine, for the assessment of your working capacity, medical diagnosis or provision of health care (for example, in relation to occupational health referrals and reports); (5) where it is needed for reasons of substantial public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our data protection policy; (6) exceptionally, where it is necessary for vital interests relating to you or another person (for example, avoiding serious risk of harm to you or others) and where you are not capable of giving consent; (7) where you have already made the relevant personal information public.
Information about criminal convictions
We will only collect information about criminal convictions via background screening if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you. We will use information about criminal convictions and offences in the following ways: (1) where it is necessary to protect your interests, our interests and those of other employees or to protect clients and other third parties from theft, fraud and similar risks; and (2) where it is necessary in relation to legal claims. We are allowed to use your personal information in this way where it is necessary to carry out our employment rights and obligations and in accordance with our data protection policy.
Automated decision making
We do not envisage that any decisions will be taken about you using automated means. However, we will notify you if the position changes.
What are your rights?
You have a number of rights under the data protection laws in relation to the way we process your personal data, namely:
• to access your data;
• to have your data rectified if it is inaccurate or incomplete;
• in certain circumstances, to have your data deleted or removed;
• in certain circumstances, to restrict the processing of your data;
• a right of data portability, namely to obtain and reuse your data for your own purposes across different services;
• not to be subject to automated decision making (including profiling), where it produces a legal effect or a similarly significant effect on you; and
• to claim compensation for damages caused by a breach of the data protection laws.
If you wish to exercise any of these rights, please email firstname.lastname@example.org.
Please note that we may be unable to delete or remove your data which we need as part of your employment with Edrington.
Who do we share your personal data with?
We will share your personal information with other employees and companies in our group for administrative, management and accounting purposes, and as part of our regular reporting activities on company performances, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
To effectively fulfil our obligations to you, and to provide you with certain benefits, we use a number of trusted and reliable third parties to carry out functions which involve the processing of your personal data, such as (a) pre-employment screening providers, (b) payroll providers, (c) pension providers, (d) employee benefit providers (such as those providing private medical cover and childcare vouchers), (e) IT administrators, (f) medical providers (such as occupational health), (g) building security providers, (h) future and prospective employers, and (i) employee life insurance providers.
Examples of the third parties Edrington typically uses:
to process your employment application for a role within Edrington we use an external application to store your personal data.
an external payroll provider who uses your personal data to pay you.
external DC pension scheme provider, with whom we share your personal data to enrol you within the pension scheme.
to provide you with health insurance cover, we share the medical information which you provide.
to maintain a register of all shareholders, and to help us effectively process all purchases and sales of Edrington shares.
to effectively administer our annual ShareSave scheme.
to allow you to book travel and accommodation, and to process expenses incurred, as part of your employment with Edrington.
to provide you with life insurance cover during your employment with Edrington.
to provide you with a total rewards statement.
We also share personal data with HMRC to comply with legal requirements, namely to demonstrate that we are deducting the appropriate employment taxes from your pay. In limited circumstances, we may share your personal data with financial, pensions, and legal advisors, auditors and consultants. Where we share personal data with third parties we ensure that the third parties are bound by strict confidentiality obligations and we reserve the right to audit their systems and processes to verify the security of your personal data.
Where is your personal data stored?
If you are an employee or shareholder based within the UK or the EU, your personal data will primarily be stored within Europe. If you are an employee who is moving to a new role based outside of Europe, we will need to share your personal data outside the EU to allow you to transition to this new role.
We may transfer personal data outside the EU where third party service providers, professional advisers or auditors host personal data outside the UK or the EU. Where we do this, we will ensure that the transfer is to a country covered by a decision of the Commission of the European Union or is otherwise made in circumstances where we have put appropriate safeguards in place to protect your data in accordance with data protection laws. If you would like to obtain copies of such safeguards you can request them from
How long do we keep your information for?
We strive to keep your personal data only for so long as is necessary, in connection with the purpose for which we collected the personal data. To help you understand the length of time we keep specific personal data, we have a document retention schedule which is available on our intranet. If you would like a printed copy, please email email@example.com.
If you have any questions about the way in which your personal data is processed, please contact your line manager or firstname.lastname@example.org.
You have the right to complain about data protection matters to the Information Commissioner’s Office (ICO). The ICO is the UK's independent body set up to uphold information rights. You can find out more about the ICO on its website (https://ico.org.uk/). The ICO can be contacted by calling 0303 123 1113.
We follow strict security procedures as to how your personal information is stored and used, and who sees it, to help stop any unauthorised person accessing it.
This notice will be changed from time to time. If we change anything important about this notice (the information we collect, how we use it or why) we will notify you.