Employee Privacy Notice

Effective from: 06-04-26
Last updated: 06-04-26

At a glance

This section gives a short summary of the main points. The rest of the Data Privacy Notice explains the detail in plain English.

1-Who does this Notice apply to?

This Notice applies to prospective, current and former employees, apprentices, agency workers, contractors, consultants and temporary workers. It doesn’t apply to customers, suppliers, vendors or other third parties, who should be given a separate Privacy Notice.

2-Who controls your personal data?

Chelton Limited is the data controller for the personal data covered by this Notice. Chelton’s Data Privacy Office oversees compliance, provides advice and is a point of contact for privacy questions, rights requests and complaints.

3-What legal basis do we rely on to process your personal data?

Chelton doesn’t rely on one single legal basis for processing all worker personal data. Depending on the purpose, Chelton will usually rely on contract, legal obligation or legitimate interests. In limited cases, Chelton may rely on vital interests. Where Chelton processes special category personal data or criminal records data, it will do so only where the law allows and where appropriate safeguards apply. Chelton will not normally rely on consent for core employment processing.

4-When do we collect your personal data?

Chelton collects personal data at different stages of the worker relationship. This includes during recruitment, onboarding, day-to-day employment or engagement, use of Chelton systems and premises, business travel, security and access management, investigations, and after the working relationship ends where records still need to be kept.

5-What personal data do we collect and process?

The personal data Chelton uses will depend on your role and circumstances. It may include identity and contact details, recruitment and right to work information, employment or engagement records, pay, pension and benefits information, attendance and leave records, training, performance and conduct records, system and building access records, CCTV images where used on Chelton sites, and limited information about emergency contacts, dependants or beneficiaries where relevant. Chelton may also use more sensitive information, such as health information, equality monitoring data, trade union information and, where lawful and necessary, criminal records data.

6-Why do we collect personal data?

Chelton uses personal data to recruit workers, manage the working relationship, pay people, provide benefits, support training and development, protect health and safety, manage security and access, investigate concerns, protect Chelton’s people, systems and premises, and meet legal, regulatory, audit and customer assurance requirements.

7-Where do we process and store your personal data and protect it?

Chelton stores personal data in electronic systems and, where necessary, in paper records. Chelton doesn’t routinely share worker personal data with TransDigm, the parent company based in the USA. If limited sharing or an international data transfer is necessary, Chelton will make sure there’s a lawful basis, an appropriate transfer mechanism and suitable safeguards in place. Chelton uses appropriate technical, organisational and physical security measures to protect personal data.

8-Who do we share your personal data with?

Chelton shares personal data only where there’s a proper reason to do so. Depending on the circumstances, this may include HR, payroll, finance, IT, security, legal and management teams within Chelton on a need-to-know basis; service providers acting on Chelton’s instructions; pension, insurance, benefits and occupational health providers; recruitment, screening and training providers; auditors, advisers, regulators, courts, law enforcement or government bodies where required or permitted by law; and customers, prime contractors or public sector clients where necessary, lawful and proportionate.

9-How long do we keep your personal data?

Chelton keeps personal data only for as long as it is needed for the purpose it was collected, and then for any legal, regulatory, tax, audit, security or claims period that applies. Different records are kept for different lengths of time. This Policy aligns with Chelton’s Records Retention and Deletion Policy & Schedule.

10-What rights do you have over your personal data?

Under data protection law, you have rights including the right to be informed, to ask for access to your personal data, to ask for inaccurate data to be corrected, to object in some cases, and to ask for erasure or restriction in some circumstances. These rights aren’t absolute. If you have concerns, Chelton would appreciate the opportunity to put things right first, but you also have the right to complain to the Information Commissioner’s Office (ICO).

11-Will this Notice change?

Chelton may update this Notice from time to time to reflect changes in the law, guidance, systems or working practices. The latest version will be available on the Chelton intranet.

12-Any questions?

For day-to-day questions, please contact HR. For privacy questions, rights requests, complaints or escalation, please contact the Data Protection Office.

HR Contact:
[email protected]

Data Privacy Office:
E: [email protected]
The Chelton Centre, Fourth Avenue,
Marlow, Buckinghamshire, SL7 1TF, UK
Telephone: 44 (0)1628 472072

1. Who this Notice applies to

This Data Privacy Notice applies to people who work for Chelton in different ways. That includes prospective employees, current employees, former employees, apprentices, agency workers, contractors, consultants and temporary workers.

It covers personal data used before someone joins Chelton, during the working relationship, and after it ends where Chelton still needs to keep or use information for lawful business, legal or regulatory reasons.

In some cases, this Notice also covers limited information about other people connected to you, such as emergency contacts, next of kin, dependants or beneficiaries, where that is relevant to your working relationship, benefits, health and safety, or an emergency.

This Notice doesn’t apply to customers, suppliers, vendors or other third parties. A separate Data Privacy Notice should be used for those groups.

Chelton Limited is the data controller for the personal data covered by this Notice. That means Chelton decides why your personal data is used and how it’s handled.

Chelton Limited
The Chelton Centre
Fourth Avenue
Marlow
Buckinghamshire
SL7 1TF
United Kingdom

Chelton’s Data Privacy Office helps oversee compliance with data protection law, provides guidance and advice and is a point of contact for privacy questions, rights requests, complaints and escalation.

For day-to-day questions about employment records or HR administration, please contact HR first. For privacy questions, rights requests, complaints or escalation, please contact the Data Privacy Office.

HR Business Partner
[email protected]

Data Privacy Office
Chelton Limited
The Chelton Centre
Fourth Avenue
Marlow
Buckinghamshire
SL7 1TF
United Kingdom
[email protected]
Telephone: 44 (0)1628 472072

A lot of the personal data Chelton uses comes directly from you.

For example, you may provide it when you apply for a role, complete starter forms, update your details, claim expenses, request leave, report sickness, raise a concern or take part in training.

Chelton may also receive personal data from other sources where that’s relevant and proportionate. This may include recruitment agencies, referees, previous employers, right to work or screening providers, pension and benefits providers, occupational health providers, training providers, managers, colleagues, security and access systems, and public sources where this is lawful and appropriate.

Some personal data is also created during the working relationship itself. For example, Chelton may create records about recruitment decisions, induction, performance, attendance, training, investigations, access management, security incidents or exit processes.

The personal data Chelton uses will depend on your role, your relationship with Chelton and the circumstances. It may include:

  • your name, address, contact details, date of birth and employee number;
  • information from your application, CV, interview, references, qualifications and right to work documents;
  • your contract or engagement details, role, department, reporting line, work location and training records;
  • salary, bank details, tax, National Insurance, pension, expenses and benefits information;
  • attendance, working time, annual leave, sickness absence and family leave records;
  • appraisal, development, performance, conduct, grievance, disciplinary and investigation records;
  • swipe card records, access to restricted or high-security areas, and building access records;
  • CCTV images where used on Chelton sites;
  • emergency contact, next of kin, dependant or beneficiary details (where relevant).

Chelton may also need to use more sensitive information where the law allows this and where additional safeguards apply. This may include health information, occupational health information, equality monitoring data, trade union information and, where lawful and necessary, criminal records data.

Chelton uses personal data to manage the whole worker relationship and to run the business properly, safely and lawfully.

This includes using personal data to:

  • recruit, vet and onboard workers;
  • issue contracts and provide access to Chelton IT systems;
  • pay workers and manage tax, pension, expenses and benefits;
  • manage day-to-day employment or engagement matters, including attendance, training, development, performance and conduct;
  • support health, safety, wellbeing and reasonable workplace adjustments;
  • manage emergency contacts, business travel, insurance and business continuity (where relevant);
  • protect Chelton’s people, premises, systems, information and assets;
  • prevent fraud, misconduct, misuse and unauthorised access;
  • meet legal, regulatory, audit, customer assurance and governance requirements;
  • handle grievances, complaints, whistleblowing matters, investigations, legal claims and personal data rights requests; and
  • keep records for accountability, retention, audit and governance purposes.

Chelton will only use personal data where there’s a proper reason to do so and where the use is relevant to a clear and lawful purpose.

Monitoring, access records and CCTV use

Chelton may also process your personal data to help protect its people, premises, systems, information and operations.

This may include:

  • network and device security monitoring;
  • system log-in and access records;
  • swipe card records, records of access to strictly confidential and high-security internal facilities, and building access records;
  • visitor records;
  • CCTV at certain Chelton sites; and
  • targeted monitoring needed to investigate suspected misconduct, misuse, privacy concerns and/or security incidents.

Chelton will not monitor workers just because the technology exists to do so. Monitoring must have a proper and lawful basis, be proportionate to the risk, and be consistent with Chelton’s policies, governance framework and legal obligations.

Your personal data is processed on secure servers within highly secure premises in the UK. In addition, some Chelton systems or service providers may store or access personal data outside the United Kingdom.

If Chelton transfers personal data internationally, it will do so only where there’s a lawful transfer mechanism and appropriate safeguards in place. This may include a UK adequacy decision, the UK International Data Transfer Agreement, approved contractual clauses or another safeguard permitted by law.

Chelton uses appropriate technical, organisational and physical security measures to protect personal data.

This includes measures such as access controls, role-based permissions, secure systems, information security monitoring, records management controls, training and incident response processes.

Chelton also expects workers to play their part and be data smart. Workers must follow Chelton’s confidentiality, data protection, privacy, information security and acceptable use requirements, and report privacy or security concerns promptly.

If you’d like more information about how we protect your personal data or want to know more about the safeguards used for relevant international data transfers, please contact the Data Protection Office.

Chelton shares personal data only where there’s a proper and legal reason to do so.

Depending on the circumstances, this may include:

  • HR, payroll, finance, IT, security, legal and management teams within Chelton, on a need-to-know basis;
  • pension, insurance, benefits and occupational health providers;
  • payroll, HR systems, IT support, cloud hosting and other service providers acting on Chelton’s instructions;
  • recruitment agencies, screening providers and training providers;
  • auditors, professional advisers and certification bodies;
  • regulators, courts, law enforcement bodies or government departments where required or permitted by law;
  • customers, including governments and government agencies, prime contractors or public sector clients where this is necessary, lawful and proportionate; and
  • buyers, sellers or advisers where Chelton is involved in a business sale, merger, reorganisation or transfer.

Chelton doesn’t routinely share worker personal data with TransDigm, the parent company, based in the USA. If limited disclosure to TransDigm is genuinely needed for defined corporate, legal, audit or governance purposes, Chelton will make sure there’s a lawful basis for doing so and that appropriate safeguards are in place.

Where Chelton uses a third party to process personal data on its behalf, Chelton expects that party to keep the data secure, act only on written instructions and meet applicable legal and contractual requirements.

Chelton keeps personal data only for as long as it’s needed for the purpose it was collected, and then for any legal, regulatory, tax, audit, security or claims period that applies.

Different records are kept for different lengths of time. For example:

  • some recruitment records are kept for a shorter period;
  • payroll, pension and tax records are usually kept longer;
  • some security, health and safety, investigation or legal records may need to be kept longer depending on the circumstances.

Chelton’s Retention and Deletion Policy & Schedule set out the details. If you want to know the retention period for a particular type of record, please contact the Data Protection Office.

Under UK data protection law, you have rights over your personal data. These include the right to:

  • be told how your personal data is used;
  • ask for access to your personal data;
  • ask for inaccurate data to be corrected;
  • ask for erasure in some circumstances;
  • ask for restriction in some circumstances;
  • object to certain processing, including some processing based on legitimate interests;
  • ask for portability of certain data where that right applies; and
  • withdraw consent, where Chelton is relying on consent.

These rights are not absolute. In other words, there may be circumstances when a request can be denied or only partially complied with, such as compliance with a court order, dealing with legal claims, carrying out investigations, meeting regulatory requirements or protecting the privacy rights of others.

If you have a question about this Notice, think Chelton has got something wrong, or want to exercise your rights, please contact the Data Protection Office in the first instance.

Chelton would appreciate the opportunity to put things right first, but you also have the right to complain to the Information Commissioner’s Office (ICO) if you feel that your complaint hasn’t been satisfactorily dealt with.

The Information Commissioner’s Office (ICO) can be contacted at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
Website: ico.org.uk
Telephone: 0303 123 1113

Chelton may update this Notice from time to time to reflect changes in the law, guidance, systems or working practices. The latest version will be available on the Chelton intranet. Where changes are important, Chelton will take reasonable steps to draw them to your attention.

This Notice is provided separately as required under UK law. It forms part of the employment or engagement framework that applies at Chelton, alongside applicable policies, procedures and workplace requirements.

Chelton welcomes feedback on this Data Privacy Notice and any questions or concerns you may have about how this affects you. For day-to-day queries, please contact the HR team.

For more detailed information on how to exercise your privacy rights, or if you have concerns about the way your privacy is protected, you can contact:

Data Privacy Office
The Chelton Centre,
Fourth Avenue,
Marlow, Buckinghamshire,
SL7 1TF, UK
E: [email protected]
Telephone: 44 (0)1628 472072

All enquiries remain strictly confidential in accordance with Chelton’s policies and UK law.