Employee & Job Applicant Privacy Policy

1. COLLECTING, CONTROLLING, AND PROCESSING YOUR PERSONAL DATA.

FAIR PROCESSING

In order to manage our business and carry out customary HR management activities, Stobart Air (we/us/our) collects a certain amount of employee and applicant Personal Data. “Personal Data” means any data relating to a natural living person who can be identified either directly from the data itself or indirectly in conjunction with other information.

Personal Data also includes information that you provide to us about other people such as, for instance, your dependants, next-of-kin, and/or family members. By providing Personal Data about any other person to us, you are confirming you have made them aware of the use of their Personal Data in the manner and for the purposes set out in this privacy notice. We will treat Personal Data with appropriate standards of security and confidentiality, in accordance with applicable data protection law.

This data privacy notice sets out the basis on which we collect, control, process, and disclose any Personal Data we collect about you, or that you provide to us. It applies to you, whether you are a past, current or prospective employee, applicant, interview candidate, intern, agency worker, secondee, consultant, individual contractor or director. It also applies to other people whose information you provide to us in connection with our relationship with you (for example, in respect of emergency contact information).

You have various rights in relation to how we handle your data, including the right to object where we are using your data on the basis that it is necessary for the purpose of our legitimate interests. (See:- Chapter 3 YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL.)

This data privacy notice does not form part of any contract of employment and does not confer any contractual right on you, or place any contractual obligation on us.

1.2 CHANGES TO THIS PRIVACY NOTICE.

This privacy notice may change from time to time. Any changes that affect you will be communicated to you by way of an e-mail or a notice on our employee website as appropriate.

1.3 WHO CONTROLS YOUR PERSONAL DATA AND HOW CAN YOU CONTACT THEM?

1.3.1 Controller.

Stobart Air UC is the “data controller” of all Personal Data that we collect and process.

“Stobart Air” (we/us/our) primarily refers to Stobart Air UC, the main operating company of the Stobart Air group, and, where appropriate, to other companies in the Stobart Air group or other entities over which Stobart Air exercises management control. Stobart Air is registered in Ireland with registration number 28858.

1.3.2 Contact Details.

Any questions or concerns you have can be addressed to:- The Data Protection Manager, Stobart Air, 1, Northwood Avenue, Santry, Dublin 9, D09 V2F7, Ireland.

Tel. +353-1-8447753 (In the interest of customer service and to ensure the accuracy of our records, calls may be recorded and monitored). E-Mail:- dpm@stobartair.com

1.4 CATEGORIES OF PERSONAL DATA WE MAY COLLECT.

We may collect and process some or all of the following categories of Personal Data in relation to you:-

Categories | Details
Individual details | Name, address (including proof of address), other contact details (e.g. email and telephone numbers), nationality, identifying details of dependants (e.g. date of birth, children’s birth certificate, marriage certificate), bank account details, tax certificates.
Identification details | Identification numbers issued by government bodies or agencies, including your PPS/NI number, passport number, tax identification number, driver’s licence, work permit details.
Application details | Curriculum vitae and/or application form, previous employment background, references from previous employers, educational details, professional and/or academic transcripts; interview records.
Employment and Performance information | Job description, employment history and details of current position; contract of employment, signed confidentiality agreements, dates of employment; salary and benefit details including bank details; sick leave and annual leave data; performance assessments, data relating to training and development; records relating to any grievance and/or disciplinary processes, or incident reports, hours worked, car insurance details, staff number, health insurance details, insurance subscription details.
General records | General correspondence, telephone records; records of email and internet usage, CCTV images (for security & safety purposes), data relating to criminal convictions if any.
Special Categories of Personal Data | Certain categories of Personal Data which have additional protection under data protection law. The categories are health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, bio-metric data, or data concerning sex life or sexual orientation.
Requested Services | Requested services (such as a meal) which are not ‘sensitive data’ but may imply or suggest your religion, health or other information.

We may collect your Personal Data from various sources including:

• You,
• Your previous employers,
• Publicly available information (e.g. social media websites and online content that you have made publicly available),
• TV, radio and other media content; and EU and UN Sanctions lists,
• Our Insurers,
• Records which departments other than HR may compile during the course of and in connection with your employment.

1.5 CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA.

If we cannot collect necessary information from you, it may make it difficult, impossible, or unlawful for us to enter into or continue an employment or other contract with you.

If we ask for information and you do not wish to give it to us, or if you wish to withdraw consent to the use of your information, we will explain the consequences based on the specific information concerned, including whether it is a statutory or contractual requirement that we use such data.

If you have any queries in respect of the consequences of not providing information or withdrawing your consent, you may contact our Data Protection Manager (See:-1.3.2 Contact Details.)

1.6 LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.

We will only use your Personal Data for lawful reasons (legal bases). These are:-

1. You have consented to us using your information in such a way.
2. The use is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering a contract.
3. The use is necessary to comply with our legal obligations.
4. Vital Interest of the Data Subject.
5. The use is necessary for the performance of a task carried out in the public interest, such as assisting a regulatory authority's investigation of a criminal offence.
6. The use is necessary for the purpose of our legitimate interests in operating, managing and improving our business as an airline and travel provider, and carrying out customary human resources management activities in connection with same.
7. The Personal Data being processed is health data for the purposes of insurance policies or pension schemes and such health data is used only to the extent that it is necessary and proportionate for the purposes of fulfilling such insurance policies or pension schemes (pursuant to Section 50 Irish Data Protection Act).

1.7 THE PURPOSE OF PROCESSING YOUR PERSONAL DATA.

The Legal Basis/es on which we process your Personal Data (from the list set out above in Section 1.6 Legal Bases for Processing your Personal Data.) is/are in brackets beside each.

1. To engage in recruitment (6), (including processing your job application, and seeking references from referees whose name/s you have provided to us), employment & remuneration (2, 3, 1), and termination/cessation of employment.[1] (2, 3, 6).

2. Providing an employment reference about you to another company.[2] (1).

3. To engage in disciplinary/grievance procedures. (2, 3, 6).

4. To carry out fitness and competency assessments. (3, 6).

5. To provide face-to-face and computer training & development programmes both on our premises and elsewhere. (6, 3).

6. To safeguard access to and monitor our I.T. and Telephony Systems (including monitoring location Data from issued mobile phones where the device has been lost or stolen). (6, 3).

7. To pay, record, and monitor salary, benefit, and reimbursement of business expense payments. (2, 3, 6).

8. To engage in payroll deductions. (2, 3).

9. To facilitate any employee incentive schemes that the Company may at its discretion introduce from time to time. (6).

10. To engage in corporate social responsibility campaigns. (6).

11. To ensure anti-money laundering, sanctions, and airport security compliance. (3, 5).

12. To use the “in case of emergency” contacts you have provided to us. (4).

13. To carry out business continuity planning. (6).

14. To record and monitor health, security, and safety standards at work and report incidents. (3, 5).

15. To facilitate and co-operate with regulatory investigations carried out by airline regulatory bodies (such as Civil Aviation Authority, Irish Aviation Authority, Workplace Relations Commission etc.) (3, 5).

16. To conduct advertising and publicity campaigns with selected employees (print, digital, and video). (1).

17. To run wellness activities. (1).

18. To organise company social events. (6).

19. (Where appropriate) provide tokens/gifts to employees recognising significant life events or performance. (6).

20. To manage our fleet of company vehicles. (6, 3).

21. To record hours worked. (2, 3, 6).

22. To facilitate employee car parking at head office and at other locations where we conduct business. (6).

23. To roster employees for flying, crewing, and training. (6).

24. To provide accommodation for employees where operationally necessary. (6).

25. To provide and administer business & concessionary travel for staff, and where applicable concessionary travel for family/friends. (2).

26. To record, monitor and manage work performance. (6, 2).

27. To manage absence due to ill health. (6, 2).

28. To facilitate the employee health insurance scheme. (2, 7).

29. To facilitate the employee pension scheme. (2, 7).

30. To facilitate insurance coverage for loss of pilot licence. (2, 6, 7).

31. To assess employees, visitors, & contractors for, and provide them with the Security Passes they require in order to carry out the duties of their employment, and/or facilitate the issuance of such passes where they are necessary and are provided by other entities. (2, 3).

32. To safeguard access to and monitor the security of our buildings, and crew rooms. (6).

33. To comply with legal & regulatory requirements (for example disclosing tax data to the Office of the Revenue Commissioners).

34. To exercise our right to defend, respond or conduct legal proceedings. (6).

35. Internal management and management reporting & analysis. (6).

36. To carry out ergonomic, safety, and health assessments. (3, 6).

37. To provide employee uniforms and work-wear. (2, 6).

38. To carry out satisfaction/engagement surveys. (6).

[1] Where we receive such a reference it is accepted on the express understanding that it is an “opinion given in confidence” pursuant to 60(3)b of the Data Protection Act 2018 and will be excluded from any “Data Access Request” you may make.

[2] Where you request a reference and we agree to provide it, it will be provided on the express understanding that it is an “opinion given in confidence” pursuant to 60(3)b of the Data Protection Act 2018 and will be excluded from any “Data Access Request” you may make.

Where we rely on your consent as the legal basis on which we process your Personal Data, we will notify you that this is the basis, and ensure that such consent is freely given, specific, informed, and recorded.

Where we process data on the basis of your consent, you are free to withdraw that consent at any time without detriment to you.

1.8 PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS.

We may process Personal Data relating to criminal convictions for one or more of the following legal bases: 1, 2, 3, 4, where it is necessary for the purposes of legal advice, or in connection with legal proceedings or in connection with the exercise, defence or establishment of legal claims.

1.9 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA.

We may process Special Categories* of Personal Data concerning you, for one or more of the legal bases outlined in Section 1.6 Legal Bases for Processing your Personal Data, and/or:

• Where it is necessary for the purposes of carrying out our obligations in the field of employment and social protection law and/or
• Where the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity and/or
• Processing relates to personal data which are manifestly made public by you.

*Special Categories of Personal Data:- Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, bio-metric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. (Provisions for the processing of such Personal Data are set out in Article 9 of the GDPR)

2 SHARING AND STORING YOUR PERSONAL DATA.

2.1 WHO WE SHARE YOUR PERSONAL DATA WITH.

Where necessary in order to achieve the purpose of processing your Personal Data (See:- Section 1.8) we may share your Information with the following external parties:-

1. Pension trustees, pension administration companies & the beneficiaries of pension & other financial products you have.

2. Your bank, credit union, or other financial institution/s.

3. Your health insurers.

4. Our insurers.

5. Family, relatives & guardians.

6. Medical doctors and specialists.

7. Employers – past, and prospective.

8. Employment agencies and operators of job websites.

9. The company's legal, financial, medical, & other professional advisers.

10. An Garda Síochána, and Airport Police.

11. The Companies Registration Office.

12. The Standards in Public Office Commission.

13. The Workplace Relations Commission.

14. Companies we may outsource our printing and posting to.

15. Security Companies registered with the Private Security Authority.

16. Companies operating confidential shredding services.

17. Academic/professional organisations applicable to our business and/or you/your employment.

18. IT subcontractors providing network and bespoke HR management systems (who from time to time may access Personal Data for the purpose of customary activities in providing & maintaining the service).

19. Telephony maintenance & programming companies & personnel.

20. Ground handling companies.

21. Property letting agents.

22. Suppliers & couriers.

23. Our parent company.

24. National taxation authorities.

25. CSR nominated charities.

26. Other companies for salary bench-marking purposes.

27. Car leasing companies for the administration and maintenance of the company car fleet.

28. Companies who provide us with payroll administration systems & services, and IT professionals involved in the maintenance and/or upkeep of such systems.

29. Airline industry regulators.

30. Media companies.

31. Airport Authorities.

32. Uniform Suppliers.

33. Companies providing workforce analytics platforms for the purpose of carrying out anonymised surveys.

2.2 TRANSFER OF PERSONAL DATA OUTSIDE THE EEA.

We do not currently transfer or store employee Personal Data outside of the European Economic Area (EEA). If it becomes necessary to transfer your data outside the EEA, we will take all reasonable steps, as required by law, to ensure the safety, privacy and integrity of such Personal Data and, where appropriate, enter into contracts with the relevant third parties to protect the privacy and integrity of such Personal Data.

On occasion our executive payroll administrators (Ernst & Young) may transfer Personal Data for processing to non-EU countries which have not been the subject of an EU Data Protection “Adequacy” decision (this means they have not been certified as having the same level of protection of Personal Data as the EU). Any such transfers are however effected under “Binding Corporate Rules” (BCR) so as to comply with the provisions of GDPR in protecting Personal Data. Details of the BCR can be found here. In addition, Ernst & Young have certified to the EU – U.S. and Swiss – U.S. Privacy Shield Frameworks governing transfers of personal data from the EU and Switzerland to the United States.

2.3 SECURITY OF YOUR PERSONAL DATA.

We follow appropriate technical and security procedures surrounding the processing of your personal data, and protect it against accidental loss, destruction or damage. All entities to whom we disclose your Personal Data are required to have appropriate technical and operational security measures in place to protect your Personal Data.

2.4 HOW LONG DO WE KEEP YOUR PERSONAL DATA?

It may be necessary to retain your Personal Data for an extended period of time. We keep your Personal Data for as long as required for the purpose that you gave it to us for. As a general rule for legal and best practice reasons we keep your Personal Data for 7 years after the date on which your contract with us ended and/or until 7 years after any deferred pension entitlements you may have cease. Full details can be obtained free of charge by contacting our Data Protection Manager (See:-1.3.2 Contact Details.)

3 YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL.

3.1 YOUR RIGHTS TO ACCESS, TRANSPORT, CORRECT, AND DELETE YOUR PERSONAL DATA.

3.1.1 Accessing and Transporting your Information: You have the right to be provided with a copy of your Personal Data, and/or have it provided by us to another data controller. If you would like a copy of your Personal Data, please contact our Data Protection Manager / or HR Department. Your request will be dealt with as quickly as possible and in any event you will not have to wait for more than a month for us to respond. If at that stage we are unable to provide the data you require (due to the complexity or number of requests) we may extend the period to provide the data by a further two months but shall explain the reason why.

You will not have to pay a fee to access your Personal Data (or to exercise any of your other data protection rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, or we may refuse to comply with the request in such circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access the Personal Data (or exercise any of your other data protection rights). This is an appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

3.1.2 Correcting your Personal Data: If your Personal Data is found to be incorrect you have the right to have it corrected free of charge by contacting our Data Protection Manager (See:-1.3.2 Contact Details.) or HR Department.

3.1.3 Deleting your Personal Data: Subject to any overriding legal obligation requiring us to retain it, you have the right to have your Personal Data deleted free of charge; however, erasing your information may make it difficult or impossible for us to enter into or continue an employment contract with you. If you want your information deleted please contact our Data Protection Manager. (See:-1.3.2 Contact Details.)

3.1.4 Restricting our use of your Personal Data: You have the right to restrict our use of your Personal Data in certain circumstances. If you wish to exercise this right, please contact our Data Protection Manager (See:-1.3.2 Contact Details.)

3.2 AUTOMATED DECISION MAKING.

An Automated Decision is a decision that has a legal or similarly significant effect on you, where that decision is made by processing your Personal Data solely by automatic means, where no humans are involved in the decision-making process. You have a general right not to be subjected to such an Automated Decision, including any automated profiling. Currently we do not use your information to carry out Automated Decision Making or Profiling.

3.3 YOUR RIGHT TO OBJECT AND WITHDRAW YOUR CONSENT TO DATA PROCESSING.

Where our legal basis (1.6) for processing your Personal Data is based on our legitimate interests, you have the right to object. You also have the right to withdraw your consent to any processing at any time. However, if we cannot process your data it may make it difficult, impossible or unlawful for us to enter into or continue an employment or other contract with you.

Objecting to processing and/or withdrawing your consent will not affect the legitimacy of processing that took place prior to you exercising this right. If you want to object or withdraw your consent please contact our Data Protection Manager (See:-1.3.2 Contact Details.)

3.4 YOUR RIGHT TO MAKE A COMPLAINT.

3.4.1 Complaining to our Data Protection Manager.

If you are unhappy about the way we handle your Personal Data please contact our Data Protection Manager (See:-1.3.2 Contact Details.) and we will do our best to address your concerns swiftly and resolve any issues you have.

3.4.2 Complaining to the Supervisory Authority.

You have the right to complain to the supervisory authority. The supervisory authority is the Data Protection Commission, and their contact details are as follows:-

The Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
www.dataprotection.ie
Tel.: +353 (0)761 104 800 : 09:15 – 17:30hrs (17.15 Friday)
Fax: +353 57 868 4757.
E-Mail: info@dataprotection.ie
Dublin Office:- 21, Fitzwilliam Square, Dublin 2, D02 RD28, Ireland.