Privacy Policy

This website page explains the privacy practices of Bone Soup Productions (referred to as “we”, “us”, “our” or “Company”).

We are committed to safeguarding your information and will hold your information in line with current data protection legislation. Our Privacy Notices set out how we collect and use information about you in different situations.

Below, we have set out why we may be using your personal information including what information we may collect, why we collect it, how we use it, who we share it with and what your rights are with regard to your personal information. We have also included contact details for any queries you may have.

We may update these Privacy Notices from time to time and will post any changes on our website. The notices were last updated on 5th November 2019.

PRIVACY NOTICE FOR PROGRAMME APPLICANTS, PARTICIPANTS, CONTRIBUTORS OR AUDIENCE

Introduction

This Privacy Notice concerns the personal information of people who are applicants, participants or contributors (including anyone nominated by another to participate) who we are considering, or have decided, to include in a programme which we intend to produce, and anyone when we are filming a programme.

Your information is very important to us and we will look after it in line with privacy and data protection laws, including the EU General Data Protection Regulation.

This policy explains what data we collect and why, how we use it and who we share it with, as well as your rights as a data subject.

We are committed to keeping your information secure with appropriate technical and organisational measures to ensure its confidentiality, integrity and availability.

It is important that you read this Privacy Notice together with any additional Privacy Notices which we give you, so that you are fully aware of how and why we are collecting and using your data. This Privacy Notice supplements these other notices (if provided) and is not intended to override them.

About us

Any reference to “we”, “us” and “our” is to Bone Soup Productions (company no. 10232047) and its subsidiary companies. We are known as the “data controller” of your personal data and you can contact us at privacy@bonesoup.co.uk or write to us at 32 Whiteladies Road, Bristol BS8 2LG for more information about how we process your data, including how to exercise your rights as a data subject.

What personal information do we process about you?

The information we process may include your name, address, email address, IP address, gender, date of birth, age, phone number, passport details or other national identifier, driving licence, your national insurance or social security number and income, employment information and details about your previous roles and personal history. We collect information about you from a number of sources, including from you directly.

Information that you give us and how we collect this information

From the forms and any associated documentation that you (or someone on your behalf) completes when you apply to contribute to a programme in the form of correspondence and conversations (eg application telephone interviews, pre-filming questionnaires and release forms).

When you apply, participate or contribute to a programme, information which is relevant to your application or contribution. The information will be dependent on the nature of the programme, but where relevant this could also include special category data such as medical information, political opinions, sexual orientation and, where relevant, your criminal history. The nature of the programme and the information which we will be asking for will be explained to you in advance and, where appropriate, a supplemental Privacy Notice will be provided to you.

With your consent, we will pass your email address to Silvermouse or Soundmouse who may contact you as part of Bone Soup’s commitment to monitoring diversity as part of Diamond managed by the Creative Diversity Network on behalf of broadcasters BBC, ITV, Channel 4, Sky and Channel 5.

Information we obtain from others and how we collect this information

  • Publicly available information
  • Social media platforms
  • Subscription databases eg Lexis Nexis
  • Government and regulatory authorities to whom we have obligations
  • Agents and other production companies
  • Fraud prevention and detection agencies and organisations
  • Where we need to do so for regulatory purposes and if it is in the public interest eg criminal records agencies

Why do we process your personal information?

  • We obtain personal information about you when you apply to take part in a programme or are confirmed as a participant or contributor to a programme which we are producing.
  • We need to process this information to consider your application or to make the programme should you be contributing.

We have set out below some more specific information about why we process your personal data.

  • Our contracts with you

We consider it necessary to process your personal data to perform our contracts with you in the following circumstances:

  • to meet the contractual obligations between us;
  • as part of any legally binding contract which you have entered into with us for your application, contribution and/or participation in a programme; and
  • if you are due any payment, to provide your personal data to our in-house payments team in order for this to be paid.

Contracts are retained for a minimum of 6 years from the date of signature, or for the period during which we have rights in the programme, whichever is the longer.

  • To comply with applicable laws

We process your personal data where it is necessary to do so to comply with applicable laws which apply to us as an organisation, including:

  • to verify your identity;
  • to carry out verification and anti-money laundering checks, prevent and detect fraud and carry out other legally mandated checks; and
  • if we are legally obliged to disclose your personal data.

  • Our legitimate interests

We consider that we have a legitimate interest in producing audio visual programming for commercial exploitation, as such, ‘on-screen’ and ‘off-screen’ contributions from individuals are crucial to this production activity and require the processing of personal information about these individuals.

We consider that it is in our legitimate interests (or those of a third party) to process your personal information, namely:

  • to produce audio-visual programming for commercial purposes, such as processing ‘on-screen’ and ‘off-screen’ contributions from individuals. When we refer to a “programme” in this notice we mean not just the finished programme but all rushes, clips and unused material;
  • to assess your continuing involvement for the programme that you are contributing to (if your application to participate in a programme is unsuccessful, your information will be deleted within 12 months of the programme going into production unless you have agreed you may be contacted about future programmes, where your information will be deleted after 3 years);
  • to deal with any questions or complaints arising in relation to your participation in the programme;
  • to deal with any agents acting on your behalf;
  • to retain the programme and your personal data in it in our archive, for the purpose of repeating the programme or otherwise using it for commercial purposes;
  • to commercially make full use of either the entire programme or clips from it in the UK and around the world, for the period in which we have rights in the programme. We also keep an archive copy of the programme after our rights have expired – as a record of programming we have either made and/or broadcast;
  • if applicable, to provide to any third parties (e.g. travel agencies, airlines, resorts and/or hotels) who require it to supply any prizes and/or benefits to you during your participation in a programme, or to facilitate your participation in the programme.
  • to share with our professional advisors and/or the commissioning entity or commissioning broadcaster that we are producing the programme for and/or within the ITV plc group of companies and/or any co-producer that we are producing the programme with;
  • to verify your age, identity and other information as we may require for the production and exploitation of the programme we are producing;
  • to comply with applicable regulatory obligations;
  • to pass on to a competent regulator, prosecutor or competent authority or law enforcement authorities including without limitation the UK Information Commissioner and/or the Office for Communications (OFCOM) should it be requested from us;
  • to comply with our accounting and tax reporting requirements;
  • to comply with our audit requirements;
  • to protect our business against fraud, breach of confidence, theft of proprietary materials, and other financial or business crimes (to the extent that this is not required of us by law);
  • to monitor communications to/from us using our systems;
  • to protect the security and integrity of our IT systems; and
  • to arrange for you to attend the live recording of our programmes.

We only process data on this legal basis where we have considered that, on balance, our legitimate interests are not overridden by your interests, fundamental rights or freedoms.

To monitor communications to/from us using our systems

We monitor communications where the law requires us to do so. We will also monitor where we are required to do so to comply with our regulatory rules and practices and, where we are permitted to do so, to protect our business and the security of our systems.

Special Purposes

Please note that the GDPR and DPA say that we do not have to comply with some aspects of data protection law (including this privacy notice) if we believe that doing so would be ‘incompatible’ with journalism and/or artistic purposes (i.e. it would stop us from doing our job as a producer) and there is a public interest in broadcasting the programme.  This is known as the “special purposes exemption”. Where we are producing certain programmes, we may process your personal data under the “special purposes exemption”.

Future Participation

Where you have agreed to this, we process your personal data in connection with your consideration for future series of programmes and/or other shows produced by us. This information may be kept by us for a period of up to 3 years from the date of the applicable agreement, unless you ask us to delete it earlier.

Diversity Monitoring

Bone Soup Productions is part of an industry-wide diversity monitoring initiative called Diamond. The Diamond project uses personal information regarding on and off-screen contributors to programmes to report on the diversity of TV production in the UK.

If you have provided us with your email address (unless you have asked us not to) we will share this with Creative Diversity Network Limited, Soundmouse and Silvermouse and you will be invited to participate in the Diamond project.

The company running the Diamond project will contact you to ask whether you are willing to contribute to the project by providing certain information regarding your diversity characteristics such as gender, ethnicity, disability, age, gender identity and sexual orientation. This information is collected, processed and stored anonymously on the Diamond system, with the relevant data being jointly controlled by the main UK broadcasters including the BBC, ITV, C4, C5, CDN and Sky (not ITV Studios). If you provide Diamond with your diversity data, they will issue you with a separate privacy notice.

What do we do with children’s personal information?

We are committed to protecting the privacy of children aged under 18 years old. If you are aged 17 or under, please get your parent/guardian’s permission beforehand whenever you provide us with any personal information. We will take reasonable steps to verify this by contacting your parent or guardian to confirm their consent.

Who else do we share data with?

Your information will be used by the relevant production team for the purposes of making the programme. It may also be shared internally with our Business Affairs team to prepare contractual documentation or provide legal advice, and with any other Bone Soup teams involved in commercial exploitation such as the finance teams where a payment is required, and the Health and Safety and Insurance teams (and their respective advisors) if their advice is required.

We may pass your information to third party service providers such as agents, subcontractors, ticket providers and other associated organisations for the purposes of facilitating your application, entry or enquiry or nomination for the programme you are interested in taking part in. However, when we use third party service providers, we disclose only those elements of your information that are necessary to deliver the required service.

Please be reassured that we will not otherwise share your information further, unless:

  • we are required to do so by law, for example by a court order or for the purposes of prevention of fraud or other crime; or
  • we are asked to by competent regulatory, prosecuting and other governmental agencies, or litigation counterparties, in any country or territory; or
  • for the purposes of prevention of fraud or other crime.

How long do we keep your information?

We do not retain your information for longer than necessary for the purpose it was collected.

  • We keep your personal data for as long as it is required by us for our legitimate business purposes, to perform our contractual obligations, or where longer, such longer period as is required by law or regulatory obligations which apply to us.
  • In general, we keep your information only for the period we have legal rights to exploit the programme that your information relates to, but we have included some exceptions to that rule above.

We will usually delete your personal information at the end of that period.

Do you need my consent to include me in a programme?

There are circumstances in which we can make programmes about an individual without their consent provided we comply with the relevant laws and regulatory codes, such as the Ofcom Broadcasting Code.

We do not generally rely on obtaining your consent to process your personal data to make a programme in which you appear. This is something which we do as part of our legitimate business interests, for contract purposes and/or, in some instances for the special purposes, as explained above.

Where you have entered into a contract with us to participate in our programmes, we may be entitled to show the programme whether or not you later change your mind about participation.

What are my data subject rights and how can I use them?

In law you are the ‘Data Subject’ and you have several rights that you can exercise over your data such as the right to access, correct and request to delete your personal information. From May 2018 you have some additional rights e.g. data portability, restrict the processing or object to it which we outline below.

You also have the right to lodge a complaint with a supervisory authority (e.g. the Information Commissioner’s Office in the UK), about our processing of your personal information.

Access to my data

You can request access to the information we hold on you and we will also tell you:

  • why we are processing it;
  • who we are sharing it with and if any information is transferred to a country not deemed to have adequate protections in place for personal data;
  • how long we will be keeping your data;
  • the source of the information, if it was not collected directly from you;
  • if we are using your data for automated decision making or profiling.

If you are making a request for a copy of your personal data that we are processing, please be as specific as possible as this will both help us to identify the information more quickly and provide you with a copy without any undue delay.

Rectifying inaccuracies

If you feel the information we hold on you is inaccurate or incomplete, you can ask us to correct or update it.

Right to be forgotten

You can also request that we erase your information in certain circumstances, although that might not always be possible if doing so means we cannot perform our contract with you, or we have a legal obligation or legitimate interest to keep the data. We will explain the consequences of erasing your data.

Restrict the processing

If you feel we are processing your information unlawfully or with inaccurate data, you can ask us to restrict any further processing. Where personal information is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defence of legal claims. Please note that even if the processing is restricted, we will continue to store the data.

Object to the processing

If you disagree with any legitimate interest or public interest we have relied upon to process your data, you can object to the processing. We will then stop processing the data unless we can demonstrate a compelling legitimate ground that overrides your rights (e.g. exercising or defending a legal claim) or an exemption that applies (e.g. the special purposes exemption).

Data Portability

You can request to receive personal data that you have provided to us in a commonly used format and request that we transmit it to another data controller where feasible, or to you directly.

Make a complaint

We are committed to safeguarding your data and upholding your rights, but if you feel we have not done that, please contact us at privacy@bonesoup.co.uk or write to Bone Soup Productions, 32 Whiteladies Road, Bristol BS8 2LG. Additionally you have the right to complain to the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO).

PRIVACY NOTICE FOR FREELANCERS

Introduction

Your information is important to us and we look after it carefully in line with privacy and data protection laws, including the General Data Protection Regulation and any applicable UK Legislation.  We’ve set out below in more detail what information we collect about you, how we use that information and your rights as a data subject.

This privacy notice relates to Freelance PAYE and Freelance Self Employed contracts and describes the categories of personal information we may process, how your personal information may be processed and how your privacy is safeguarded by us.  It is intended to comply with our obligations to provide you with information about the Company’s processing of your personal information under privacy laws. 

Bone Soup is committed to protecting the security of the personal information you share with us. We are the “data controller” and the freelancer is the “data subject”. You can contact us at privacy@bonesoup.co.uk to find out how we process your data and how you can exercise your rights as a data subject. 

How does the Company collect data?

The Company collects your data from a number of sources but mainly from you.  It is provided when applying for jobs and during our contracting, onboarding and payment processes. You may also supply information via emails and CVs during the course of your engagement and in unsolicited or updated CVs for future employment.

We may obtain some information from third parties such as tax authorities, benefit providers or where we employ a third party to carry out a background check (where permitted by applicable law) or if obtaining references as part of the process of offering jobs.

When the information required is mandatory it is often so the company can complete processes like payroll.  We will inform you of this at the time of collection.  Failure to give this information may result in the cancellation of your employment.

Apart from personal information, you may also provide the Company with personal information of third parties eg next of kin details.  Prior to this you must inform and gain the consent of the third party.

What information are we processing and why?

  • Personal Information

Freelancer related details such as title, names, gender, nationality, civil/marital status, date of birth, age, home contact details, NI number, social security or eligibility to work data, next of kin details.

  • Data related to engagement with Company

Work contact details, start and end dates, role title and description, ID numbers

  • Recruitment data

Qualifications, references, interview data, vetting and verification information

  • Payment data

Pay details, allowances, pension schemes, bank account details, tax information, expenses

  • Leave information

Absence dates, holiday dates

  • Data relating to Company, Production or Project processes

Health and safety audits, risk assessments, incident reports, data relating to training, call sheets, contact lists, organising travel and hotel bookings, insurance cover

  • Freelancer claims, complaints and disclosures data

Incident reports, investigation of complaints by or regarding freelancers

  • Technology

Personal contact details, browsing history, data stored on laptops

  • Equality and diversity data

Where permitted by law and provided voluntarily data regarding ethnicity, gender, age, race, nationality, religious beliefs, community background and sexual orientation

Special categories of Personal Information

Subject to applicable laws, the Company may also collect a limited amount of personal information falling into special categories (“sensitive personal data”).

This includes information relating to such matters as racial or ethnic origin, religious beliefs, physical or mental health, certain maternity/adoption information, sexual orientation, criminal records and information regarding criminal offences or proceedings.

Purposes for Processing Personal Data

The processing of your personal information is necessary to perform the contract of engagement between you and the Company and for compliance with legal obligations which the Company is subject to. The processing is also necessary for the purpose of the legitimate interests pursued by the Company, except where such interests are overridden by your interests or fundamental rights and freedoms.

The processing also enables the Company to provide you with various benefits (holiday, pension and, if applicable, statutory sick pay), to manage and administer your engagement and to consider you for future employment within the Company.

Some of our processing will involve special categories of sensitive information (as described above). This information will only be processed where data protection law allows this using the following lawful justifications:

  1. Where explicit consent has been given
  2. Where the processing is necessary:
     • for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law (including such laws which also apply to workers), social security and social protection law, to the extent permissible under applicable laws;
     • for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws;
     • to protect your vital interests or of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency); or
     • for the establishment, exercise or defence of legal claims; or
     • for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

We may seek your consent to certain processing which is not otherwise justified under one of the above bases. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your engagement to agree to any request for consent from the Company. Where consent is given, it may be withdrawn by you at any time, but this will not impact on any other lawful basis for processing relied on by the Company.

Personal Information relating to criminal convictions and offences will only be processed where authorised by applicable laws, for example:

  • a criminal record check may be carried out on recruitment or transfer where authorised by applicable laws; or
  • an allegation of a criminal offence or conviction arising during your relationship with the Company may be processed where required or authorised. For example where we have a legal or regulatory requirement to report an offence, or applicable laws authorise the Company to process information about the offence for the purpose of making decisions regarding your relationship with the Company.

Who has access to my data?

Your personal information can be accessed by or may be disclosed within the Company on a need-to-know basis to:

  • Production and hiring managers relating to your current engagement or potential future engagements;
  • Those responsible for managing or making decisions in connection with your relationship with the Company or involved in a process concerning your relationship with the Company;
  • System administrators and system maintenance
  • By teams in the Company such as Finance
  • Insurance/health and safety/legal and business affairs/for scheduling purposes

Your personal information will only be shared where necessary with third parties, e.g. providers of payroll, auto-enrolment pension, onboarding/offboarding and training services and other third parties such as the Company’s insurers, bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors. Where these third parties act as a “data processor”, they carry out their tasks on our behalf and upon our instructions for the above-mentioned purposes. In this case your personal information will only be disclosed to these parties to the extent necessary to provide the required services. Personal information may also be shared with certain interconnecting systems (such as payroll, pension and benefits systems). Data contained in such systems may be accessible by providers of those systems, their associated companies and sub-contractors. In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.

How long does the Company keep my data?

We retain your personal information only so long as it is required for purposes for which it was collected, whilst keeping it as up-to-date as possible and making sure that irrelevant or excessive data is deleted or made anonymous as soon as reasonably practicable.

Each updated CV which you send us will be retained by us for 5 years and can be accessed by our MD, Head of Production and Head of Talent, in considering you for future engagements within the Company. You have a right to ask your CV to be deleted from our records, and can do so by contacting privacy@bonesoup.co.uk. We will endeavour always to refer to the most up to date version of your CV when considering you for future engagements.

Our aim is to ensure that data is retained in accordance with the periods set out in the Retention Schedule and that data is deleted as soon as reasonably practicable thereafter. We will put into place suitable processes and procedures to achieve that aim. Please be aware that not all of the entries on the Retention Schedule will be applicable to those engaged on freelance contracts.

In order to perform our contractual obligations and to comply with the applicable laws, we generally retain your information for the duration of your engagement plus a further 6 years. Thereafter we will securely destroy your data, including that held by any third party, unless there is an obligation to retain it further.

We may keep some specific types of data, (for example tax records, pensions data) for different periods of time, as required by applicable law.

What rights do I have and how can I use them?

In law you are the ‘Data Subject’ and you have several rights that you can exercise over your data such as the right to access, correct and request to delete your personal information.

From 25th May 2018 you have some additional rights e.g. data portability, restricting the processing or objecting to it if it was done under legitimate interests. You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence (e.g. the Information Commissioner’s Office in the UK), if you consider that the processing of your personal information infringes applicable law. Any queries relating to GDPR should be directed to privacy@bonesoup.co.uk.

Purpose and lawful basis

Reference Purpose for processing Necessary for Performance of Contract Necessary to comply with a Legal Obligation Legitimate Interest What is the Company’s Legitimate Interest
a) Recruitment and selection Y Y Y The Company considers it has a legitimate interest in fully assessing applications for freelance assignments and talent pools to ensure only suitable and appropriate candidates are both assessed and selected, so that the Company identifies the right people for its business who will be able to contribute to its operations and culture.   The Company also considers it has a legitimate interest in retaining the details of freelancers in a talent pool and sharing the details with other production teams within the company so that these individuals can be considered for future engagements the Company is recruiting for.  The Company understands that this is the expectation of the freelance community and enables these individuals to be hire more frequently, which we believe is in their interest and to their benefit.
b) Appropriate vetting for recruitment and team allocation including, where appropriate credit checks, right to work verification, identity fraud checks, criminal record checks (if and to the extent permitted by the laws), relevant assignment history, relevant regulatory status and professional qualifications;   Y Y The Company considers it has a legitimate interest in managing its business operations in the most effective way and needs to make decisions relating to the future of its business in order to preserve its business operations or grow its business, including the interests of the workforce as a whole and the Company customer base.
c) Providing and administering pay, statutory benefits, assessment and deductions for auto-enrolement, reimbursement of expenses and making appropriate tax and social security and other deductions and contributions as required; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business, including ensuring that freelancers are paid and in undertaking normal business operations.
d) Allocating and managing duties and responsibilities and the business activities to which they relate, including business travel; Y   Y The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties, undertakes their role correctly and in accordance with appropriate procedures and in undertaking normal business operations.
e) Identifying and communicating effectively with freelancers; Y   Y The Company considers it has a legitimate interest in managing its workforce and operating its business including undertaking normal business operations and maintaining a dialogue with freelancers.
f) Training; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring that each freelancer undertakes appropriate duties, undertakes mandatory training and undertakes their roles correctly and in accordance with appropriate procedures.
g) Conducting statutory reporting and surveys for benchmarking, identifying improved ways of working (these will often be anonymous but may include profiling data such as age and gender to support analysis of results);   Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business. This includes ensuring that each freelancer undertakes appropriate duties and mandatory training, and undertakes their role correctly and in accordance with appropriate procedures. It also includes undertaking normal business operations, maintaining a dialogue with freelancers, ensuring they are paid and complying with applicable laws and regulations.
h) Processing information about absence or medical information regarding physical or mental health or condition in order to: assess eligibility for statutory benefits if applicable, make adjustments or accommodations to duties or the workplace, make management decisions regarding engagement or continued engagement; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties and undertakes their roles correctly and in accordance with appropriate procedures and managing absence and leave entitlements. The Company considers that it has a legitimate interest in managing and supporting its workforce, managing health and safety risks and operating its business. This includes taking steps to identify and mitigate risks to freelancers or other workers’ health, safety or welfare and ensuring that where required appropriate adjustments are made to working conditions.
i) Complying with reference requests where the Company is named by the individual as a referee;     Y The Company considers it is in the legitimate interests of a new engager to receive confirmation of engagement details from the Company for the purposes of confirming the former freelancer’s engagement history.
j) Operating email, IT, internet, social media and other policies and procedures.  To the extent permitted by applicable laws, the Company carries out monitoring of the Company’s IT systems and infrastructure; to ensure compliance with the Company’s IT policies and to locate information through searches where needed for a legitimate business purpose; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business.  The IT function is essential to ensuring that this can be carried out in the most effective way.  This includes maintaining the integrity and the security of data and facilitating records management.   This includes putting in place appropriate policies and procedures for measuring compliance, detecting breaches and taking action if they are not complied with.
k) Satisfying its regulatory obligations to supervise the persons engaged or appointed by it to conduct business on its behalf, including preventing, detecting and investigating a wide range of activities and behaviours, whether relating to specific business dealings or to the workplace generally and liaising with regulatory authorities;   Y Y The Company considers it has a legitimate interest in ensuring that its business, clients, employees, freelancers and systems are protected including detecting and preventing crimes or criminal activity; ensuring only appropriate freelancers are engaged in our business, ensuring compliance with export control and other legal requirements placed upon us (both by EU and non-EU laws)
l) Protecting the private, confidential and proprietary information of the Company, its employees, freelancers, clients and third parties;   Y Y The Company considers it has a legitimate interest in ensuring that its business, clients, employees, freelancers and systems are protected including protecting our assets and the integrity of our systems, detecting and preventing loss of our confidential information and proprietary information.
m) Complying with applicable laws and regulation (for example maternity or paternity leave legislation, working time and health and safety legislation, taxation rules, worker consultation requirements, other employment laws (to the extent they apply to workers) and regulation to which the Company is subject in the conduct of its business);   Y Y The Company considers that it has a legitimate interest in managing its workforce and operating its business.  This includes ensuring each freelancer undertakes appropriate duties, carries out mandatory training and undertakes their roles correctly and in accordance with appropriate procedures.  It is also necessary to undertake normal business operations and maintain a dialogue with freelancers and comply with applicable laws and regulations.
n) Monitoring programmes to ensure equality of opportunity and diversity with regard to personal characteristics protected under applicable anti-discrimination laws;   Y Y The Company considers it has a legitimate interest in ensuring that it takes action to prevent discrimination and promote an inclusive and diverse workplace.
o) For business operational and reporting documentation such as management and headcount reporting, the preparation of annual reports or tenders for work or client team records including the use of photographic images; Y   Y The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties and undertaking normal business operations.
p) To operate the relationship with third party customers and suppliers including the disclosure of relevant vetting information in line with the appropriate requirements of customers to those customers, contact or professional CV details or photographic images for identification to clients or disclosure of information to data processors for the provision of services to the Company; Y   Y The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring each freelancer undertakes appropriate duties and undertaking normal business operations. This includes the sharing of appropriate information with existing and prospective customers and suppliers about who is or will be working with them in order to develop strong relationships and support the effective performance of commitments with customers and suppliers. In some cases this may also include supporting customers and suppliers to comply with their legal or regulatory obligations or security requirements by having sufficient information about those providing services to them. The Company also has a legitimate interest in ensuring that it can engage with customers and suppliers effectively and that they can access the information they need to provide the service for which they have been engaged.
q) Where relevant for publishing appropriate internal or external communications or publicity material (including photographic images) via the Company Intranet, social media and other publicity and communication channels in appropriate circumstances; Y   Y The Company considers it has a legitimate interest in managing and communicating with its workforce and operating its business including ensuring that each freelancer undertakes appropriate duties and undertaking normal business operations.   That includes giving information to the workforce or, where appropriate customers, our audience, other stakeholders or the wider market about relevant business activities, plans or projects. That can include making reference to those freelancers who are involved in the relevant matters being communicated above.   Effective communication with freelancers contributes to the attraction and retention of high calibre freelancers, development and retention of customer relationships, audience engagement and participation, strong business performance, business growth and maintaining and enhancing the Company’s reputation.  This supports the Company’s immediate and long-term business goals and outcomes.
r) To support administration and management and maintaining and processing general records necessary to manage the freelance relationship and operate the contract of engagement; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business including ensuring that each freelancer undertakes appropriate duties, undertakes mandatory training and their roles correctly and in accordance with appropriate procedures: managing leave entitlements; undertaking normal business operations; maintaining a dialogue with freelancers; and complying with applicable laws and regulations.
s) To change access permissions; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business.  The IT function is essential to ensuring this can be carried out in the most effective way including complying with the Company policies and access controls.
t) To provide technical support and maintenance for information systems; Y Y Y The Company considers it has a legitimate interest in managing its workforce and operating its business.  The IT function is essential to ensuring that this can be carried out in the most effective way including maintaining the integrity and security of data and facilitating records management.
u) To enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you; Y Y Y The Company considers it has a legitimate interest in protecting its organisation from breaches of legal obligations owed to it and to defend itself from litigation.  This is needed to ensure that the company’s legal rights and interests are managed appropriately.
v) To comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country Y Y Y The Company considers it has a legitimate interest in ensuring that it complies with all legal requirements placed on it, whether those are EU obligations or non-EU obligations.  The Company wishes to maintain its reputation as a good corporate citizen and to act appropriately in all the countries in which it does business.  This includes cooperating with authorities and government bodies.  Indeed, the Company is required to comply with laws and regulations in those countries in which it does business and to require otherwise would lead to conflicts of law issues.
w) Production and exploitation of audio-visual programming for commercial purposes, including retaining the programme and your personal data in it in our archive, for the purpose of repeating the programme or otherwise using it for commercial purposes     Y The Company has a legitimate interest in producing audio visual programming for commercial exploitation, as such “off screen” contributions from individuals are crucial to this production activity and require the processing of personal information about these individuals.
x) Other purposes permitted by applicable laws, including legitimate interests pursued by the Company where these are not overridden by interests or fundamental rights and freedoms of colleagues.        

 Special category data

a) Assess and review eligibility to work for the Company in the jurisdiction in which you work This process is necessary for the purposes of carrying out the obligations and exercising the rights of you and the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. In particular the requirement to check that you are legally permitted to work in your jurisdiction.
b) The collection of statistical data subject to local laws, or where required to record such characteristics to comply with equality and diversity requirements of applicable local legislation or to keep the Company’s commitment to equal opportunity under review. This processing is necessary for (i) the purposes of carrying out the obligations and exercising rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws and (ii) the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.
c) Compliance with employment, health and safety or social security laws. For example, to provide statutory incapacity benefits if relevant, avoid breaching legal duties to you, to ensure fair and lawful management of your engagement, to administer statutory benefits and remuneration related to health, sickness and absence and long-term capacity, to make reasonable accommodations or adjustments and avoid unlawful discrimination or dealing with complaints arising in this regard. This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you and the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. To the extent that this data is managed by our occupational health advisers or third-party benefit providers, this processing is necessary for the purposes of preventative or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, to the extent permitted by applicable laws.
d) Management and investigation of any complaint under the relevant Company’s internal policies where such characteristics or information are relevant to the particular complaint, in order to comply with employment law obligations. This processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or the Company in the field of employment law, social security and social protection law, to the extent permissible under applicable laws. In particular employment laws relating to the effective management of complaints, anti-discrimination laws and our duty of care to freelancers.

Data Retention Schedule

| Category | Record type | Retention Period |
| --- | --- | --- |
| Recruitment information | CVs, interview records | Six months following communication of decision. |
| | Speculative CVs and subsequent updated versions | Five years from being received. |
| | Background/DBS checks where this is legally permitted to protect the safety of staff and contributors, or for insurance purposes | 1 year from the date of recruitment. |
| | Immigration checks (evidence of residency/work permit) | 5 years after the termination of the employment or engagement. |
| Personal information | Employee, freelancer or contractor title, forename, middle name(s) and surname, birth name, preferred name, any additional names, employee or other identification number, gender, date of birth, home contact details (address, telephone number, email), national id number | Whilst employment or engagement continues and for up to six years after employment or engagement ceases. For the purpose of the credits, name and role may be retained for the duration of the exploitation of the programme. |
| | Nationality, civil/marital status, next of kin/dependent/emergency contact information | Whilst employment or engagement continues and for up to six months after employment or engagement ceases. |
| Basic work details | Work contact details (eg corporate address/telephone number, email) | Whilst employment or engagement continues and for up to six months after employment or engagement ceases. |
| Terms & conditions of employment or engagement | All employee contracts | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases. |
| HR records | General HR records, employee performance reviews, disciplinary/grievance records, training records, records of termination, retirement or resignation. Records of absence (not sickness and sickness related), Medical information including allergies, disabilities, dietary requirements, GP contact details, photographs of employees or freelancers | Whilst employment or engagement continues, and for up to six years after employment or engagement ceases. |
| HR records | Annual leave records | Six years. |
| Payroll/Freelancer contractor payments | PAYE records, NI numbers. Employee/Freelancer/Contractor bank details | Whilst employment or engagement continues, and for up to six years plus current year after employment or engagement ceases. |
| Finance and Accounting | Bank Instruction and payment files/expenses | Whilst employment or engagement continues, and for up to six years plus current year after employment or engagement ceases. |
| Family policy records | Dates of maternity/paternity/adoption leave, maternity certificates showing expected due date. Details of maternity, paternity/adoption payments, or of period without maternity leave. | Whilst employment or engagement continues and for up to six months after employment or engagement ceases. |
| Monitoring | IT system log data | No longer than necessary. |
| Legal | Details of any claims by employees/freelancers/contractors against the company/company insurance or details of any claims involving employees, freelancers or contractors | Six years from termination of employment or engagement. |
| Special categories of data | Racial or ethnic information (with consent); Sexual orientation (with consent); Religion (with consent) to allow for statutory time off for religious purposes | Whilst employment or engagement continues and for up to six months after employment or engagement ceases. |
| Special categories of data | Consents for processing of sensitive personal information | For so long as the data is processed and for up to six years afterwards. |
| Benefits | Record of benefit entitlement, start date and participation | Whilst employment or engagement continues and for up to six years after final payment. |
| Health and Safety | Details of any reportable accident, death or injury in connection with work | At least three years from the date the report was made. |

Data Subject Rights

What are my data subject rights and how can I use them?

As a data subject you have lots of control over the information we hold on you; these rights and how to use them are explained below. If you have any questions or need more information or guidance, please contact privacy@bonesoup.co.uk.

Access to my data

You can request the information we hold on you with some limited exceptions and we will also tell you:

  • Why we are processing it;
  • Who we are sharing it with;
  • How long we will be keeping your data;
  • The source of the information, if it was not collected directly from you.

Rectifying inaccuracies

If you feel the information we hold on you is inaccurate, you can ask us to correct or update it.

Right to be forgotten

You can also request that we erase your information, although that might not always be possible if doing so means we cannot perform our contract with you, or we have a legal obligation or legitimate interest to keep the data.  We will explain the consequences of erasing the data.

Restrict the processing

If you feel we are processing your information unlawfully or with inaccurate data, you can ask us to restrict processing.  Where personal information is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defence of legal claims unless we have your consent.  If the processing is restricted we will continue to store data.

Object to the processing

If you disagree with any legitimate interest or public interest we have relied upon to process your data, you can object to the processing.  We will then stop processing the data unless we can demonstrate a compelling legitimate ground that overrides your rights, or the processing is required to establish, exercise or defend a legal claim.

Data Portability

Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have the right to receive all such personal data which you have provided to the Company in a structured, commonly used and machine-readable format.  We have produced a standard format of commonly used employee data for this purpose.

Make a complaint

We are committed to safeguarding your data and upholding your rights, but if you feel we have not done that, please contact us at privacy@bonesoup.co.uk. Additionally, you have the right to complain to the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO).