15below Limited, a company registered in England and Wales with company number 03945289, having its registered office at Lyndean House 43-46 Queens Road, Brighton, East Sussex, BN1 3XB (“15below” “We”).
If you have any questions regarding your personal data and how we may use it, including any queries relating to this Policy, please contact us at firstname.lastname@example.org or writing to the “Data Protection Officer” at the office address noted above.
It is important that the personal data we hold about you is accurate and current. Please keep us (or our clients, where appropriate) informed if your personal data changes.
15below’s data protection and privacy measures are governed by the (i) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 2018 (“Data Protection Legislation”).
For the purpose of Data Protection Legislation:
1. where personal data is provided directly to 15below through use of the Website, email, or other means where 15below is determining the way in which that personal data is processed for its own use, then 15below will be a data controller of such information;
2. where 15below is provided personal data in its capacity of providing Services to its clients, then 15below will only process that personal data in accordance with the instructions of its clients and 15below will, therefore, act as a data processor in respect of such personal data; 15below’s client will be the data controller of that personal data for that purpose and will be responsible to data subjects for the way in which their personal data is processed as the data controller.
Personal data means any data or information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Where 15below is acting as a data controller, 15below may collect, use, store and transfer different kinds of personal data about you which 15below has grouped together as follows:
- Identity Data includes first name, last name, username or similar identifier, title, job title and date.
- Contact Data includes the billing address, delivery address, email address and telephone numbers.
- Usage Data includes information about how you use 15below’s Services or submit an enquiry or query through the Website.
- Preferences and interests including information about 15below’s Services that you might wish to hear about.
Where 15below needs to collect personal data by law, or under the terms of a contract 15below has with you (or our client whom 15below acts for) and you fail to provide that data when requested, 15below may not be able to perform the contract it has or is trying to enter. In this case, 15below may have to cancel the Services but it will notify you (or where appropriate, its client) if this is the case at the time.
15below uses different methods to collect personal data from and about you including through:
- Direct interactions.
You may give us your contact information by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when 15below provides its Services;
We may meet you at events and you may provide us with your contact details in order for us to contact you about our Services; or
- Third parties or publicly available sources.
We may receive personal data about you from various third parties and public sources such as:
- Contact data from providers, including third-party debt agencies.
- Internet / LinkedIn / websites.
15below will only use your personal data when the law allows us to, ie, if we have a legal basis for doing so, as outlined in this Policy or as notified to you at the time we collect your personal data, and for the purposes for which it was collected for, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do this. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Where we act as the data controller for client contact information, we have set out below in the table a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact 15below if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|Purpose/ Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To register you or the company that you are connected to as a new client and verify your identity (where required)||(a) Identity,(b) Contact||Performance of a contract or Legitimate interests or Consent|
|To process and deliver the Services including: (a) Manage accounts, payments, fees and charge, (b) contacting you and corresponding about the Services||(a) Identity, (b) Contact||Performance of a contract or Legitimate interests|
|To respond to queries and enquiries and dealing with your preferences and interests||(a) Identity, (b) Contact||Performance of a contract or Legitimate interests|
|To undertake marketing to you||(a) Identity,(b) Contact||Legitimate interests or Consent|
Where we act as a data processor of personal data on behalf of our clients, we will process personal data in accordance with our clients’ instructions and for providing the Services, or in order to comply with a legal or regulatory obligation.
Where we act as the data controller for client contact information, or where permitted by 15below’s data controller clients, personal data processed by 15below may be shared as follows:
- with any member of the 15below Group, which means 15below’s subsidiaries, 15below’s ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;
- with permitted third-party contractors of 15below for the purposes of providing Services to 15below or for performing its Services, helping us to deliver our products and information (“Data Processors” or “Sub-Processors”);
- where 15below is under a duty to disclose your personal data to comply with any legal obligation or to enforce or apply 15below’s or terms and conditions and other agreements;
- to protect the rights, property, or safety of 15below, 15below’s client, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and for compliance with laws; or
Where we provide your personal data to Data Processors or Sub-Processors we will have in place a written agreement with each third party confirming on what basis the third party will handle your personal data and will ensure that there are sufficient safeguards and processes in place to protect your personal data. We require all third parties to respect the security of your personal data and to treat it in accordance with the law and only process that personal data in accordance with our (or our client’s) instructions.The third parties that we may send your personal data to are either within the European Economic Area (“EEA”) or to third parties under suitable protection mechanisms as laid out inapplicable Data Protection Legislation.
We are part of a Group of companies with offices in locations in the UK, Lithuania and Australia.
From time to time we may transfer your personal data from within the EEA to our offices outside of the EEA, such as those listed above, or other countries where we have put in place adequate security measures to ensure your personal data will be handled in a way that matches applicable Data Protection Legislation, so that where your personal data is being transferred to one of our global companies it will be processed in line with our EEA-based companies, regardless of which country they are in (even if they are outside of the EEA).
Separate to the above, we may also transfer your personal data to countries outside of the EEA to other people or companies for one of the legal bases for processing your personal data as indicated above, or at the request of our data controller clients. Where we do so, we will take all steps to ensure that any country to which the personal data has been transferred has suitable protection mechanisms in place to protect personal data, including (if applicable) use of EU Model Clauses in any contract with that third party for steps to be taken to keep personal data secure.
We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed and have an Information Security Policy in place to which we adhere to. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain personal data in accordance with our retention policy, which includes:
- where we act as a data controller in connection with client contact information, for as long as necessary to fulfil the purposes we collected it for, eg, contracts information is kept for 7 years;
- where we act as a data processor on behalf of its clients, for the period as notified or agreed with the data controller client;
- in either case, for the period required for the purposes of satisfying any legal, accounting, regulatory or reporting requirements.
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:
- The right to be informed – this is information on for what purpose we are processing it and what personal data we are processing.
- The right of access – you have the right to be provided with copies of the personal data of you that we are processing as well as confirmation of the processing we are doing. You can do this by sending a “subject access request” to the contact details noted above for our consideration.
- The right to rectification – if you think the personal data that we hold on you is wrong you can tell us and we will fix it.
- The right to erasure (also known as the right to be forgotten) – if you want us to permanently delete the personal data we hold for you then you can ask us to do so.
- The right to restrict processing – if you do not like how we are using your personal data then you can let us know and we will stop processing it in that way.
- The right to data portability – if you want us to pass on your personal data to someone else then please let us know. This transfer should not affect the integrity or otherwise damage your personal data.
- The right to withdraw your consent – you can withdraw your consent for us to process your personal data (if we have relied on your consent to process your personal data) at any time by contacting us. If we have relied only on your consent as the basis to process your personal data then we will stop processing your personal data at the point you withdraw your consent. Please note that if we can also rely on other bases to process your personal data aside from consent then we may do so even if you have withdrawn your consent.
- Rights in relation to automated decision making and profiling – if we use either automated decision making or profiling then you have a right to know. Also, we need your consent if either of these are used to make a decision that affects you. As with all consent, you can withdraw it at any time.
To exercise any of the above rights please email your request to email@example.com.
Where you exercise your right to erasure (and we do not have another legal basis to hold on to that personal data) or where information is deleted in accordance with 15below’s retention policy, please note that after the deletion of your personal data, it cannot be recovered, so if you require a copy of this personal data, please request this during the period 15below retains the data.
Where you exercise your right to request access to the information 15below processes about you, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. 15below will try to respond to all legitimate access requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
The Website is not intended for children and 15below will not knowingly collect any personal data from persons under the age of 18 and will immediately delete any such data subsequently so determined.
If you would like to make a complaint in relation to how 15below may have stored, used or processed your personal data, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). 15below would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
We would like to place cookies on your computer to help us make your use of our Website better. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Just so you know, the main cookies on our Website are from Google Analytics tracking and there’s also a session cookie generated by the Website that is essential to the running of the Website but holds no personal data.
Most web browsers allow some control of most cookies through the browser settings.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Other tracking technologies: Some of our website pages utilize cookies and other tracking technologies. A cookie is a small text file that may be used, for example, to collect information about website activity. Some cookies and other technologies may serve to recall personal data previously indicated by a website user. Most browsers allow you to control cookies, including whether or not to accept them and how to remove them.
You may set most browsers to notify you if you receive a cookie, or you may choose to block cookies with your browser, but please note that if you choose to erase or block your cookies, you will need to re-enter your details to gain access to certain parts of the website.
We may also analyse information that does not contain personal data for trends and statistics.
15below is committed to ensuring that your information is secure and has in place reasonable and proportionate safeguards and procedures to protect your personal data. While 15below does its best to protect your personal data, 15below cannot guarantee the security of any information that you transmit to 15below and you are solely responsible for maintaining the secrecy of any passwords or other account information.
Recruitment Privacy Notice
About this document
15below Limited is a “data controller” when making decisions about the recruitment of employees. Being a data controller means that we are responsible for deciding how we hold and process personal information about you during the recruitment process. “Processing” includes collecting, storing, handling, sharing, transferring, accessing and deleting your personal information. This notice sets out:
i. Why we collect your personal information during the recruitment cycle;
ii. What information we ask for;
iii. What we do with the information we collect;
iv. How long we retain information for; and
v. Your rights.
1. Why do we collect your personal information?
We collect information through the application and recruitment process, either directly from you as a candidate or sometimes from an employment agency. We collect this information in order to progress your application, or to fulfil legal or regulatory requirements, if necessary.
There are three stages to our recruitment process:
i. Application: we ask candidates to submit CVs.
ii. Assessment: once applications have been shortlisted then we will invite shortlisted candidates for an assessment which is made up of interviews, presentations and technical assessments.
iii. Pre-employment checks: once an offer has been made to successful candidate it will be subject to obtaining satisfactory references from former employer(s). We have an equality and diversity monitoring form, which you do not have to complete and it will not affect your application if you choose not to.
2. What information do we ask for?
The information obtained during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
In connection with your application for work with us, we will collect, store and use the following personal information about you:
• details that appear on CVs and cover letters such as names, address and date of birth, education/professional qualifications;
• interview notes/results from assessments;
• references from former employers;
• right to work information;
• salary, benefits and bonus information for the purposes of making an offer of employment.
We will also ask whether there are any reasonable adjustments that may have to be made as part of the recruitment process in order to comply with our legal obligations.
We may also collect information about ‘special categories’ of more sensitive personal information such as your race or ethnicity, religious beliefs, disability sexual orientation for the purposes of equal opportunities monitoring.
We do not ask for information about criminal convictions as part of the recruitment process.
3. What will we do with the information you provide to us?
During the recruitment process, we will collect, store, and use information relating to right to work documentation, references and other information included in a CV or cover letter or as part of the application process.
The information obtained during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary. In the event you are successful we will use some of the information obtained in order to perform an employment contract with you.
We will use the other information provided to assess your suitability for the role you have applied for and for progressing your application. Should your application be successful we will need to complete on-boarding processes. We may have a need to share your information internally, and if this is required it will only be to the extent necessary to enable the recruitment process to progress.
Your information may be shared internally with employees who are involved in the recruitment for their team, employees in HR who have responsibility for recruitment and onboarding, employees in IT for user access and employees in security for access to our premises.
Third party data collection and sharing
We may collect and/or share your information with third party organisations such as:
• companies we work with for recruitment purposes;
• former employers/educational institutions for the purposes of obtaining references/information validation
The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format and will not be transferred outside of the European Economic Area. We do not allow our third-party service providers to use your personal data for their own purposes.
We may share your personal information with other third parties, for example with a regulator or to otherwise comply with the law.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
4. Processing grounds
We process your information based on a number of grounds as set out in law. Most commonly, we will use your personal information in the following circumstances:
1. Where it is necessary for our legitimate interests such as for progressing your application and for making recruitment decisions.
2. Where we need to comply with a legal obligation, such as right to work checks.
3. Where we need to perform the contract we have entered into with you in the event you are successful in your application.
We may also use your personal information here it is needed in the public interest, such as equal opportunities monitoring.
5. Automated decision making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to recruitment decisions based solely on automated decision-making, other than where there are objective criteria that are mandatory for the role, for example, having the Right to Work in the country where the role will be based, or possession of very specific skills that a successful candidate must have. Automated decision-making can therefore be applied without subjectivity or bias.
6. How long will you retain my information for?
Information generated throughout the recruitment process will be retained by us for 12 months either following the closure of the recruitment process or from any subsequent communication about 15below recruitment we might have with you.
If you are successful, the information you provided during the application process will be retained on your employee file for the duration of your employment plus 6 years following the end of your employment.
If we wish to retain personal information on file for future opportunities we will write to you separately and ask for your consent to retain this information.
7. Your rights
Under certain circumstances, by law you have the right to:
• See the information that we hold about you (a data subject request)
• Ask us to make a change if you think any information we hold about you is incomplete or inaccurate
• Ask us to delete your personal information or ask us to stop/restrict the processing of your data if you believe that we should not be processing it, or we are processing it incorrectly.
• Ask us to transfer your personal information to another party
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our data protection officer in writing.
8. Compliance with this notice
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO. You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.