1. Introduction

Computacenter (UK) Limited ("Computacenter", "we" or "us") has issued this Privacy Notice (this "Notice") to describe how we handle personal information that we hold about our staff members (collectively referred to as "you"). Depending on their relationship with Computacenter the term "staff member" may include those who work on a non-permanent basis with us. Where contingent workers, temporary and contract workers, independent contractors, consultants, professional advisors, secondees, interns and other third parties are engaged by a third party to carry out work for us the third party’s privacy notice shall apply.

We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law. This Notice sets out the personal information that we collect and process about you, the purposes of the processing
and the rights that you have in connection with it.

If you are in any doubt regarding the applicable standards, or have any comments or questions about this Notice, please contact us at the contact details in Section 11 below.

2. Types of personal information we collect

In the course of your employment or engagement at Computacenter, we may process personal information about you and your dependents, beneficiaries and other individuals whose personal information has been provided to us.

The types of personal information we may process include, but are not limited to:

• Identification data – such as your name, gender, photograph, date of birth, staff member IDs.
• Contact details – such as home and business address, telephone/email addresses, emergency contact details.
• Employment details – such as job title/position, office location, employment contract, performance and disciplinary records, grievance procedures, sickness/holiday records.
• Background information – such as academic/professional qualifications, education, CV/résumé, nominated referees contact details, criminal records data (for vetting purposes, where permissible and in accordance with applicable law).
• National identifiers – such as national ID/passport, immigration/visa status, social security or national insurance numbers.
• Information on your spouse / partner and/or dependents – such as your marital status, identification data on them and information relevant to any Computacenter benefits extended to such people.
• Financial information – such as bank details, tax information (including information provided to us, withholdings, salary, benefits, expenses, company allowances, stock and equity grants.
• Travel information – such as destination, reasons for travelling, means of transport, hotels and related expenses.
• Information from Computacenter systems, devices and property – including:
  1. - information related to and collected through your access to company IT systems and networks such as IP addresses, log files and login information, electronic signature, and communications information (including metadata relating to emails and other messages sent using Computacenter devices / systems).
  2. - information on Computacenter devices and property assigned to you (e.g. laptop, phone, tablet, personal protective equipment).
  3. - telephone call records for quality and monitoring purposes (e.g. Service Desk).

We may also process sensitive personal information relating to you (and your spouse / partner and/or dependents). Sensitive personal information includes any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life ("Sensitive Personal Information"). As a general rule, we try not to collect or process any Sensitive Personal Information about you, unless to comply with applicable laws.

However, in some circumstances, we may need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Information for legitimate employment-related purposes: for example, information about your racial/ethnic origin, gender and disabilities for the purposes of equal opportunities monitoring, to comply with immigration and anti-discrimination laws and for government reporting obligations; information about your physical or mental condition to provide work-related accommodations and/or preventative measures, health and insurance benefits to you and your dependents, or to manage absences from work; and information which you voluntarily make available about your membership of a trade union, in order to accommodate a request to pay membership fees through payroll and/or in connection with any collective bargaining on pay, hours, holiday and other matters with any trade union which represents you or that you represent as part of employee/employer assemblies (e.g. Workers Councils) or information requested by law enforcement organisations (e.g. traffic offences).

3. Sources of personal information

Usually you will have provided the information we hold about you but there may be situations where we collect personal information or Sensitive Personal Information from other sources.

For example, we may collect the following:

• Certain information on your performance, conduct or other information relevant to formal internal procedures (e.g. disciplinary or whistleblowing procedures), from clients/ customers or other organisations you routinely work with.
• Information on your training and development from external training or certification partners.
• Information about your health, including your fitness to carry out work and/or any accommodations or adjustments to be considered from your Doctor, other specialist medical adviser or Computacenter's appointed occupational health advisers.
• Information on accidents or incidents from Computacenter's insurers and their appointed agents, where they are involved.
• Information on tax payable from local tax authorities and our appointed payroll agents and tax / financial advisers.
• Information collected through our IT systems and other devices as set out in our policies.
• Information about your entitlement to participate in, or receive payments or benefits under, any insurance, benefit or pension scheme provided by Computacenter, from the relevant benefit provider or its appointed agent.

4. Purposes for processing personal information

(i) Employment or work related purposes

Once you become a staff member at Computacenter, we collect and use your personal information for the purpose of managing our employment or working relationship with you, for example:

• your employment records and contract information (so we can manage our employment relationship with you and make decisions about your education, training and development requirements at Computacenter);
• your bank account and salary details (so we can pay you and deduct tax and national insurance contributions and liaise with your pensions, tax and social administration and other benefits provider);
• your driving licence details (so we can provide you (if appropriate) with a company car and ensure you remain eligible); and
• details of your spouse and dependents (for emergency contact and benefits purposes and for the administering private health insurance, dental cover, childcare and other benefits, tax and social administration).

We process our staff members' personal information in part through a human resources system ("HR System"), which is a tool that helps us to administer HR and staff member compensation and benefits and which allows staff members to manage their own personal information in some cases. This will involve storing your personal information on our HR System provider's
servers.

(ii) The Computacenter global directory

We maintain a global directory of staff members which contain your professional contact details (such as your name, location, photo, job title and contact details). This information will be available to everyone in the Computacenter Group to facilitate global cooperation, communication and teamwork.

(iii) Other legitimate business purposes

We may also collect and use personal information when it is necessary for other legitimate purposes, such as:

• to help us conduct our business more effectively and efficiently – for example, for general HR resourcing and processes, IT security/management, accounting purposes, financial planning and budgeting, pitching for new business and/or to consider, negotiate and/or finalise sales or purchases of part or all of the business;
• to investigate violations of law or breaches of our own internal policies – whether by you or any other staff member. For instance, and where appropriate subject to local supervisory authority agreement, workers council consultation and if permitted by law, we may monitor your browsing or communications activity or location when using our devices or systems, if we suspect that you have been involved in phishing scams, fraudulent activity or activities in competition with or inconsistent with your work for Computacenter.
• to meet the security requirements of our customers and suppliers in term of security and safety regarding access to their sites, confidential data, IT systems, etc. by providing them with your identity card, passport, driving license or other identity information.

(iv) Law-related and other purposes

We also may use your personal information (and Sensitive Personal Information) where we consider it necessary for complying with laws and regulations, including collecting and disclosing staff member personal information as required by law (e.g. for tax, health and
safety, anti-discrimination, immigration and other employment laws), to protect your vital interests (or those of another person), or to exercise or defend the legal rights of the Computacenter global group of companies.

(v) Processing necessary for performance of contracts

Some processing activities are necessary in order to ensure Computacenter performs its contract with you (or to take steps requested by you before entering a contract). That includes, for example, processing necessary to:

• pay you and to administer any benefits to which you are contractually entitled;
• provide and monitor training and qualifications necessary for performance of your role;
• manage your performance, consider your career development and administer formal procedures; and
• ensure appropriate protection for your health and safety.

Where that is the case, we require the information. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

(vi) Consent

In some limited circumstances, we may use your personal and Sensitive Personal Information where we have obtained your consent to do so. Where we seek your consent, you will always have an opportunity to refuse or subsequently withdraw it.

5. Who we share your personal information with

We take care to allow access to personal information only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will
implement appropriate measures to ensure the information is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.

(i) Transfers to other group companies

As mentioned above, we will share your personal information with other members of the Computacenter group around the world in order to administer human resources, staff member compensation and benefits at an international level on the HR System, as well as for other legitimate business purposes such as IT services/security, tax and accounting, and general business management.

(ii) Transfers to third party service providers

In addition, we make certain personal information available to third parties who provide services to us. We do so on a "need to know basis" and in accordance with applicable data privacy law. For example, some personal information will be made available to:

• our benefit service providers and third party companies who provide us with payroll support services and tax services;
• the providers of our HR System and providers of other HR systems and services;
• third parties who provide, support and maintain our IT and communications infrastructure, mobile phone services and provide business continuity services;
• those who lease, hire or provide us with the Computacenter devices and property you use;
• training providers;
• providers of occupational health services;
• providers of outplacement support services;
• third parties who support us with employee surveys;
• third party providers of leased company cars;
• those who support us with employee expenses and travel; and
• third parties who provide support and advice including in relation to legal, financial / audit, management consultancy, insurance, health and safety and security services.

(iii) Transfers to other third parties

We may also disclose personal information to third parties on other lawful grounds, including:

• To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process, including, but not limited to, a subpoena, government audit or search warrant;
• In response to lawful requests by public authorities (including for national security or law enforcement purposes);
• As necessary to establish, exercise or defend against potential, threatened or actual litigation;
• Where necessary to protect the vital interests of you or another person;
• In connection with the sale, assignment or other transfer of all or part of our business;
• To our customers where our services require it;
• With your consent.

6. Legal basis for processing personal information

Our legal bases for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. Some of the bases we rely on are set out above in Section 4.

However, we will normally collect personal information from you only where the processing is in our legitimate interests (which are summarized above) and not overridden by your data protection interests or fundamental rights and freedoms, where we need the personal information to perform a contract with you (i.e. to administer an employment or work relationship with us), where the processing is necessary to comply with a legal obligation or (in limited circumstances) where we have your consent to do so. In some cases, we may also need the personal information to protect your vital interests or those of another person.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided at Section 11 below.

7. Transfer of personal information abroad

As set out above in Section 5(i), as we operate at a global level, we may need to transfer personal information to countries other than the ones in which the information was originally collected. When we export your personal information to a different country, we will take steps to ensure that such data exports comply with applicable laws. For this purpose the Computacenter Group shall maintain an Intra Group Agreement.

8. Data retention periods

Personal information will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this Notice or as otherwise required by applicable law. Generally this means your personal information and Sensitive Personal Information will be retained until the end of your employment, employment application, or work relationship with us plus a reasonable period of time thereafter to respond to employment or work-related inquiries or to deal with any legal matters (e.g. judicial or disciplinary actions), document the proper deductions during and on termination of your employment or work relationship (e.g. to tax authorities), or to provide you with ongoing pensions or other post-employment benefits.

9. Your data privacy rights

You may exercise the rights available to you under applicable data protection laws as follows:

• If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided at Section 11 below.
• In addition you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability (where applicable) of your personal information. Again, you can exercise these rights by contacting us using the contact details provided at Section 11 below.
• Although we do not typically process information processed during your employment pursuant to consent, if that is the case, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• You have the right to complain to a data protection authority about our collection and use of your personal information. Your local data protection authority is the Information Commissioner’s Office, and you can contact them via email (casework@ico.org.uk) or phone (0303 123 1113). Of course, we would prefer you to raise any concerns with Computacenter directly first (on the contact details set out in section 11 below).

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

10. Updates to this Notice

This Notice may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you and indicate at the top of the Notice when it was most recently updated. We encourage you to check back periodically in order to ensure you are aware of the most recent version of this Notice.

11. Contact details

We have appointed Fraser Phillips as our Group Data Protection Officer (GDPO) to oversee compliance with this Notice. If you have any other questions about this Notice or how we handle your personal information, please contact Fraser at GDPR@computacenter.com.