Privacy Notice
Distilled SCH Shared Services Ltd
3rd Floor, Latin Hall, Golden Lane, Dublin 8(“the Company” “Us” “We”)

‍Introduction
‍
This policy does not form part of any employee's contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal.

This Privacy Notice (“Notice”) has been developed to ensure our employees feel confident about the privacy and security of personal data and to meet our obligations under the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation (the “Legislation”). Under the Legislation, personal data is information that identifies you as an individual or is capable of doing so (“Personal
Data”).

To the extent we are a ‘data controller’, we must comply with the data protection principles set down in the Legislation and this Notice applies to all personal data collected, processed and stored by us in the course of our activities. The purpose of this Notice is to set out the procedures that are to be followed when dealing with personal data and to outline how we will collect and manage personal information in accordance with all relevant legislation and standards. The procedures set out herein must be followed at all times by us, our employees, agents, contractors, or other parties working on behalf of us.

This Notice extends to all personal data whether stored in electronic or paper format.‍

What Personal Information do we hold on Employees?
‍
We only hold personal data that is directly relevant to its dealings with a given data subject. That data will be collected, held, and processed in accordance with the data protection principles and with this Policy in a reasonable and lawful manner. As an employee you will be requested to provide the following information for payroll, your personal file and for the Human Resources Database.

The types of information that the Company may be required to handle include:

• Identification Data – name, address, phone number, date of birth, gender and relevant national identification number
• Bank Account details – sort code, account number and IBAN
• Emergency contacts
• Dependant data
• Prior work experiences and qualifications (CV)
• Property provided by us
• E-mail Addresses
• Marital status
• Gender
• Nationality
• Phone numbers
• Contract of employment and commencement details
• Interview notes
• Disciplinary issues
• Health and Safety issues
• Health data
• Passports
• Driving licences

Job Applicants
‍
Applications are currently made via our recruitment partners in writing, via bamboo or via e-mail, or directly to us. You will receive written notification from us of receipt of your application. Your CV will be reviewed and should your skill set and experience match a current vacancy your application will be progressed to interview stage. We hold applications and additional information which may
be obtained during the course of the interview process, such as interview notes, education qualifications etc. electronically and/or manually.

Our general retention period for applications and interview notes is 12 months and documents are then securely destroyed. All provisions of this Notice will apply to the processing of your application. Your information may be shared with our agents or partners in connection with services that these individuals or entities perform for us, including recruitment agencies. These agents or partners are restricted from using this data in any way other than to provide specified recruitment related services to us.

Data Protection Principles
‍
Anyone processing personal data must comply with six core principles of good practice. These provide that personal data must be:

• obtain and process personal data fairly, lawfully and in a transparent manner;
• collect the personal data only for one or more specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• keep the personal data adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• keep the personal data accurate and up-to-date;
• retain the personal data no longer than is necessary for the purpose for which the data is processed; and
• process the data in a manner that is safe and secure.

We are responsible for, and must be able to demonstrate compliance with, the above principles.

Processing Personal Data
‍
Any and all personal data collected by us (as further detailed in this Notice) is collected in order to ensure that we can provide the best possible service to our customers, and can work effectively with our partners, associates and affiliates and efficiently manage our employees, contractors, agents and consultants. We use employee personal data in order to ensure we are able to administer contracts of employment and in our legitimate interests. We may also use personal data in meeting certain obligations imposed by law.

Business processes or employee administration uses for personal data include:

• recruitment;
• background checks;
• changing salary;
• changing Department/ Job code;
• changing working hours;
• terminating an employee;
• process offers of employment and processing work permits and visas where applicable;
• systems set up;
• processing payroll;
• processing benefits and expenses;
• arranging travel visas;
• organising training programmes;
• booking travel;
• arranging insurance for company supplied vehicles; and/or
• other reasons for ordinary personnel administration not listed here.

We may also use your personal data to:

• carry out research and analysis on you;
• track your performance and keep records of your development for the purposes of annual reviews;
• communicate any changes to our policies, procedures or to your contract of employment (including changes to salary);
• contact you or your dependants if there are any health and safety or absence issues (including long term illness and maternity leave);
• calculate any changes in your salary, bonus or commission; and/or
• retain contact information for the purposes of returning our property e.g. security cards, mobile phones, laptops, in connection with your departure from us.

Accuracy
We shall employ reasonable means to keep personal data information accurate, complete and up to date in accordance with the purposes for which it was collected.

Employees are responsible for ensuring that they inform their Manager & HR of any changes in their personal details. We endeavour to ensure personal information held by us is up to date and accurate.

Employee Monitoring
We provide e-mail facilities and access to the internet. In order to protect against the dangers associated with e-mail and internet use, we may monitor e-mail and web usage. Please refer to the e-mail and internet usage policies for further details.

CCTV cameras are in operation at the entrance to the building and the primary purpose of having CCTV is for security and health & safety purposes. As an ancillary use, employee monitoring will only take place in the event of an incident that requires investigation. Access to the recorded material is strictly limited to authorised personnel.

All employees are supplied with a door access card which allows you access to the building.. The primary use of the door access card is for security and access. As an ancillary use, the Company may use data from the access cards to monitor time and attendance in certain circumstances. Access to access records is strictly limited to authorised personnel.

Do we disclose information about you to anyone else?
Personal data may be disclosed internally when passed from one department to another in accordance with the data protection principles and this Notice. Personal data is not passed to any internal department or any individual that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed. Sensitive and/or restricted employee information must have additional internal access restrictions as appropriate.

We shall disclose employee information to third parties only when it is necessary as part of our business practices or when there is a legal or statutory obligation to do so. Such third parties may include, but are not limited to:

• payroll, bank
• pension provider
• health insurers
• legal advisors

Whenever we disclose employee information to third parties, we will only disclose that amount of personal information necessary to meet such business need or legal requirement. Third parties that receive employee information from us must satisfy us as to the measures taken to protect the personal data such parties receive.

Appropriate measures will be taken to ensure that all such disclosures or transfers of employee information to third parties will be completed in a secure manner and pursuant to contractual safeguards.

We may provide information, in response to properly made requests, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. We may also provide information for the purpose of safeguarding national security. In the case of any such disclosure, we will do so only in accordance with the Legislation.

We may also provide information when required to do so by law, for example under a court order.

We may also transfer data to legal counsel where same is necessary for the defense of legal claims. If there is any change in the ownership of Distilled SCH or any of its assets, we may disclose personal information to the new (or prospective) owner. If we do so, we will require the other party to keep all such information confidential.

How long do we keep personal information?
The time period for which we retain information varies according to the use of that information. In some cases there are legal requirements to keep data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain information no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

The following is a guideline as to how long information of certain types are kept once you are no longer an employee of Distilled SCH:

• Terms and Conditions of Employment – for duration of employment and 6 years thereafter
• Equality – 6 years
• Health and Safety – 10 years
• Leave of Absence – 8 years
• Termination of Employment – 3 years
• Transfer of Undertakings – 1 year
• Payroll data – 10 years
• Time and Attendance Records – 3 years

How do we protect data about you when it is transferred out of Europe?
Countries in the European Economic Area (EEA) are required to have a similar standard of protection of personal data. This is not always the case outside that area. We do not transfer data outside the EEA, but in the event we did, before doing so take steps to ensure that there is adequate protection, as required by the Legislation.

How can you exercise your rights in respect of personal information we hold about you?
We shall vindicate all your rights under the Legislation. These rights are as follows:

• your right to request from us access to personal data, and to have any incorrect personal data rectified;
• your right to the restriction of processing concerning you or to object to processing;
• your right to have your personal data transferred to another employer;
• your right to have personal data erased (where appropriate); and
• information on the existence of automated decision-making, if any, as well as meaningful
• information about the logic involved, its significance and its envisaged consequences.

Vindication of your rights shall not affect any rights which we may have under the Legislation.

If you want to know what personal information the we hold about you or exercise any of the above rights, you can do so by making your specific request in writing to Eoin Clarke (dpo@distilled.ie)

We will confirm your request within 21 days of receipt, and process your request within 30 days of receipt. If the information we hold about you is inaccurate, we request that you advise us promptly so that we can make the necessary amendments and confirm that these have been made within 30 days of receipt of your request.

How do we protect personal information about you?
We shall employ reasonable appropriate administrative, technical, personnel procedural and physical measures to safeguard employee information against loss, theft and unauthorised uses access, uses or modifications. All personal information stored is either password protected or is locked away in cabinets. Only a limited number of authorised personnel have access to this information.

The following principles apply:

• Confidentiality - that only people who are authorised to use the data can access it.
• The Company will ensure that only authorised persons have access to an employee’s personnel file and any other personal or sensitive data held by the Company.
• Employees are required to maintain the confidentiality of any data to which they have access, including all data relating to fellow employees, customers, clients as well as Company
• Website users, members, moderators and administrators
• Integrity - that the personal data is accurate and suitable for the purpose for which it is processed.
• Availability - that authorised users should be able to access the data if they need it for authorised purposes.

How can you make a complaint to us about the use of your personal data?
Complaints on the use, retention and disposal of personal data can submitted via e-mail to the Group’s Data Protection Officer Eoin Clarke.

As an employee you also have the right to lodge a complaint with your national data protection supervisory authority, the Data Protection Commission.

Review
This Notice will be reviewed and updated from time to time to take into account changes in the law and the experience of the Notice in practice. Any and all changes will be advised to employees.

Intellectual Property
You agree and acknowledge the following:

1. Any Intellectual Property Rights acquired, made, created, developed or discovered by you (whether alone or with others) directly or indirectly during the course of your employment with Distilled SCH (“the Company”) shall belong to and be the absolute property of the
Company and you hereby assign to the Company all such Intellectual Property Rights for their full term throughout the world (the “IP Rights”).

2. You, if and whenever required to do so (whether during or after the termination of your employment) shall at the request and expense of the Company do all things necessary, execute such deeds and documents and provide all such assistance to enable the Company to obtain and maintain the benefit of all IP Rights, and you acknowledge that you will not be entitled to any further compensation or remuneration in respect of the performance of your obligations under this letter save as may be required by law.

3. To the extent permitted by law, you agree that you will, at the Company’s expense, exercise any moral rights you have or may have in any IP Rights against such third party or parties, or waive such rights, as the Company may reasonably request from time to time and you further agree not to exercise such moral rights as against the Company, its employees, servants or agents.

4. You hereby irrevocably appoint the Company to be attorney in your name and on your behalf to execute any such documentation and to do such things and generally to use your name for the purpose of giving to the Company the full benefit of the provisions of this letter and a certificate in writing in favour of any third party signed by any director of the Company that any instrument or act falls within the authority hereby conferred shall be conclusive evidence that such is the case.

The term “Intellectual Property Rights” shall have the meaning set out in the appendix to this letter. This letter forms part of the terms and conditions of your employment contract with the Company.

‍