Privacy Policy

SILVER CLOUD HR LIMITED
PRIVACY NOTICE

Effective Date: 25/11/2024

Version number: 2

1. Introduction 

Silver Cloud HR Limited (“Silver Cloud HR”, referred to as “We”, “Our” or “Us”) is a company registered in England and Wales under number 07042483, and is committed to protecting the privacy and security of your personal data.

We have developed this policy to inform you of the data we collect, what we do with your data, what we do to keep it secure as well as the Rights you have over your personal data. 

Throughout this notice we refer to data protection legislation which includes the UK GDPR and other applicable laws including (but not limited to) the EU GDPR 2016 and the Privacy Electronic Communication Regulation (“PECR”) 2011. This also includes any replacement legislation which may come into effect from time to time. 

Silver Cloud HR is both a data controller and a data processor, and this notice sets out how we act in both roles.

As we are based and headquartered in the United Kingdom (UK), we are registered with the Information Commissioner's Office (the ICO) with registration number ZA442066.

You can contact our head office using the following details:

Post:
Stourwood House
Wrabness Road
Essex
CO12 5ND
United Kingdom 

Email: info@silvercloudhr.co.uk 

Phone: +44 (0) 203 818 5807 

We have also appointed an external data protection officer (DPO) and their details are as follows: 

Kerrell Blyth, National Compliance Solutions Limited 

Email: dpo@silvercloudhr.co.uk
Phone: +44 (0)333 050 0111 

Definitions: 

Personal data means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Process” or “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sensitive personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data, biometric data (where used to identify a data subject), data concerning health, data concerning a natural person’s sex life or sexual orientation; and personal data relating to criminal convictions and offences.

 

2. Responsibilities 

Key data protection responsibilities within Silver Cloud are as follows: 

  • The CEO is accountable for ensuring we meet our data protection obligations;  
  • The Silver Cloud Management Team is responsible for implementing and enforcing this policy; 
  • Line Managers are responsible for ensuring that people under their management are made aware of and adhere to this policy;
  • All employees working with personal data over which they have decision making authority are responsible for ensuring it is kept securely, is accessible only to those who need to use it and is not disclosed to any third party without the authorisation of a member of the management team; and  
  • All employees are required to read, understand and adhere to this policy when processing personal data on our behalf. 

EU/EEA GDPR Representatives 

We have appointed a company called DataRep (https://www.datarep.com/) to act as our EU/EEA GDPR Representatives. 

In the EU, if you want to raise a question to Silver Cloud HR, or otherwise exercise your rights in respect of your personal data, you may do so by sending an email to DataRep at datarequest@datarep.com quoting “Silver Cloud HR Ltd” in the subject line. 

You can also contact DataRep via their online webform at www.datarep.com/data-request or by mailing your inquiry to DataRep at the most convenient of the addresses in the subsequent pages.

Please note when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Silver Cloud HR Ltd’, or your inquiry may not reach them. Please refer clearly to Silver Cloud HR Ltd in your correspondence. On receiving your correspondence, Silver Cloud HR is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you. 

3. Data Processing Obligations 

Silver Cloud as a Processor 

Where Silver Cloud is a data processor, we may only process personal data in accordance with the controller’s documented instructions as set out in a data processing agreement or contract. We may only transfer personal data out of the EEA and appoint sub-processors as permitted by the data processing agreement or contract. 

Personal data must be kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Access to personal data must be limited only to employees who are subject to an obligation of confidentiality and who need access to carry out their assigned duties. 

We must assist the controller to meet their compliance obligations under applicable laws including for the purposes of: 

  • Ensuring the security of processing, including by implementing appropriate technical and organisational measures; 
  • Supporting the facilitation of subject rights of data subjects whose personal data we hold; 
  • Enabling the controller to notify data protection authorities following a breach of personal data presenting a risk to affected data subjects; 
  • Enabling the controller to notify affected data subjects following a breach of personal data presenting a high risk to their rights and freedoms;
  • Supporting data protection impact assessments carried out by the controller as appropriate; and
  • Deleting or returning personal data upon termination of the data processing agreement.

We must also support the controller to demonstrate accountability and compliance with applicable laws by providing them with all information necessary to demonstrate compliance by Silver Cloud and allow for and participate in audits by the controller or their representative.  

Silver Cloud as a Controller 

Where Silver Cloud is the data controller, data subjects must be provided with information notifying them of the purposes for which Silver Cloud will process their personal data (a “privacy notice”). When personal data is obtained directly, the privacy notice shall be provided to the data subject at the time of collection. When personal data is obtained indirectly, the privacy notice shall be provided to the data subject as soon as possible (and not more than one calendar month) after it is obtained from a third party.  

Use of the personal data by Silver Cloud must match the description given in the privacy notice and be limited to what is necessary for the specific purposes stated. Where our lawful basis for processing is based on our legitimate interests, we may only process the personal data if our legitimate interests are not outweighed by the interests, rights and freedoms of the data subjects in question. A legitimate interests assessment must be performed to confirm this. 

We must not collect or process any more personal data than is strictly necessary for the purposes of the processing (“data minimisation”) as set out in our privacy notice and must ensure that data minimisation continues to be applied throughout the lifetime of the processing activities. 

Personal data must be kept accurate and up to date.  The accuracy of personal data must be checked when it is collected and at regular intervals thereafter.  Where any inaccurate or out-of-date data is found, all reasonable steps are to be taken without delay to amend or erase that data, as appropriate. Personal data must not be kept for any longer than is necessary for the purpose for which that data was originally collected and processed.  When the data is no longer required, all reasonable steps must be taken to securely erase or dispose of it without delay, as set out at Section 12 of this policy. 

4. Lawful Basis for Data Processing 

Data protection legislation requires Silver Cloud HR to identify an appropriate lawful basis to process personal data. The lawful bases we rely on as a data controller are detailed below with brief examples of when they may apply:

| Lawful Basis | Description |
| --- | --- |
| Consent | For opting into marketing communications, newsletters, competitions etc. |
| Contractual Obligation | To take steps to enter into and conclude contracts of employment |
| Legal Obligation | Where needed for tax reasons such as UK HMRC purposes |
| Vital Interests | To ensure we know about medical conditions of our employees or onsite visitors should they require medical attention |
| Legitimate Interests | To help answer any questions or concerns that may be sent to us from individuals with whom we may have no prior existing relationship |

 

There may be instances where we need to process certain categories of data referred to as Special Category Personal Data. These may include, as examples, personal data related to health, race and ethnicity. Where such data is identified and needed, we will ensure the relevant special conditions are applied and documented.

As a data processor we process personal data in line with the lawful basis determined by the data controller. For the purposes of our consultancy services, this would be a contractual obligation with a client to help them upload their employee data in their new cloud-based SaaS system. 

5. Personal Data Collected

Due to the nature of our business and data processing activities we would collect and process various categories of personal data from various data subjects. Examples of data subjects whose data we process as a data controller can include job applicants, employees, visitors/guests to our premises and those who send us enquiries through our website. 

As a data controller we would normally collect the following categories of personal data: 

  • Identity and Contact Data: personal and identity data, including your name, date of birth, copies of ID, post address, email address, telephone numbers and information relating to a candidate’s immigration status and right to work; 
  • Recruitment Data: references and other information included in a CV or covering letter;
  • Financial Data: bank account details, information regarding remuneration packages offered to candidates by our clients including information regarding salary, fee rates, bonus, expenses and benefits in kind; 
  • Technical Data: information we collect automatically when you visit our website or interact with us by email, including your IP address, browser details, and device details; 
  • Transaction Data: details of services we provide to you; 
  • Marketing and Communications Data: your preferences in receiving marketing from us and your communication preferences.

As a data processor we may process and store the following categories of personal data: 

  • Identity and Contact Data: personal and identity data, including your name, date of birth, copies of ID, post address, email address, NI number, telephone numbers and information relating to a candidate’s immigration status and right to work; 
  • Job related Data: job titles and job history including start dates and job change dates, absence and performance data, training and qualification data;
  • Financial Data: salary and salary history data and bank details, tax codes and other payroll related items;
  • Equal opportunities Data: ethnic origin and religion, sexual orientation and other sensitive personal data for the purpose of equal opportunities monitoring for an employer.

The above data sets pertain to the employees of our clients whose data we are processing. For more information you can contact us as detailed above. 

We collect personal data through several means. Examples can include: 

  • When you complete an online form on our website 
  • Contact by phone, email or other communications (e.g. LinkedIn) 
  • Applying to any of our recruitment vacancies
  • When you use any of our services 
  • From third-party sources, professional contacts or third parties who send us your details as prospective clients, candidates, associates or business partners 

The above list is representative and non-exhaustive. 

6. How We Use Personal Data 

We may use personal data for various activities which can include the following activities: 

  • To register you as a new client, candidate, or supplier 
  • To provide services to you and carry out your instructions in connection with our services 
  • To manage queries relating to services we have provided to you historically 
  • To manage our relationship with you as a client, candidate, supplier or professional contact 
  • To send updates to candidates about vacancies that may be of interest to them 
  • To process job applications 
  • To action any data subject rights requests
  • To communicate to relevant data controllers any communications received from a data subject including (but not limited to) data subject rights requests
  • To process an order for a product or other service
  • To seek your views or comments on the services we provide
  • To notify you of changes to our services
  • To handle an enquiry or complaint you have made
  • To send marketing communications and other company updates

The above list is non-exhaustive and representative. For more information on how we use personal data for specific activities you can contact us as detailed above.

7. Recruitment and Criminal Data Processing 

From time to time we may advertise job vacancies with third party recruitment agencies in the UK only or through websites such as Indeed or LinkedIn. When we receive candidate information from a third-party agency we may receive personal data such as your name, CV information and other information which may be used to help your application to stand out (e.g. that you may be immediately available). We will be sure to only retain candidate data for as long as reasonably necessary, which is typically 6 months if a candidate is unsuccessful.

The same applies to any direct applications received via Indeed, LinkedIn or similar. If we screen a profile and CV information and the candidate is unsuccessful, we will make sure we only hold that data for as long as necessary, which again would be up to 6 months.

No positions within our company will require a criminal background check. If this were to change we will be sure to update our policies and notices where needed.

8. Children’s Data 

One of our service provisions to our clients is to facilitate the implementation of HR, payroll and related people systems, during which we may be requested to format data files for upload to the new platform. This requirement is outlined in our Statement of Work, and we are appointed Data Processor by our Client, the Data Controller. From time to time we recognise our Client may employ young people, under the age of 18. Due care will be taken with this data and we will not disclose this data to anyone outside the instructions laid out to us in our Statement of Work. 

Our lawful basis for processing Children’s data is the Legitimate Interest of the child in question, in order for their Employer to fulfil their contractual obligations, and for us to fulfil our contractual requirements with their Employer. 

9. Data Sharing 

Due to the nature of our business, there may be times we are required to share data with other departments and members of our organisation. Examples of when we may need to share data can include for recruitment purposes, IT concerns (including any help and assistance with our cloud service offering), and any questions or concerns regarding data protection received from other departments. 

Please note there may also be instances where we may need to share data with any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation or (ii) to exercise, establish or defend our legal rights. 

We are also required to share data with data controllers where we are acting as their data processor. This may involve (as examples) instances where we have directly received any questions, complaints or erasure requests that need to be forwarded on to the relevant data controllers.

During the Implementation Process for some Client Contracts, we may be requested to support with their data upload to their chosen HR or Payroll Platform. In this instance the data a client shares with us will be processed in accordance with our Statement of Works and shared with the relevant vendor, as outlined in our Statement of Works. Technical controls are in place to ensure the security of this data at all times while it is being processed by Silver Cloud HR.  

10. International Data Transfers 

There may be instances where we need to transfer your data outside the UK. We may need to share your data with companies who are in the European Economic Area (the EU member states, Norway, Iceland and Liechtenstein), or to a country (or an international organisation) that the UK government/European Commission has determined ensures an adequate level of protection (“Adequacy”). This includes the use of approved frameworks for the sharing of personal data, such as the UK Extension to the EU-US Data Privacy Framework.

If we need to transfer your information outside the UK we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this notice. 

11. Sub-Processors 

We may at times use sub-processors to help us fulfil our contractual duties and obligations to our client controllers. We have put into place agreements with them and ensured the correct data protection language, obligations and responsibilities are incorporated in these agreements. A list of sub-processors is available upon request by contacting us using our details above. 

We have an office based in Mauritius which provides remote access support as and when needed. We utilise its services for the following activities:

  1. Software implementation activities 
  2. Other business support functions 

Our Mauritian office is considered a sub-processor when it is utilised to help us with any client specific activities. We have implemented a data transfer agreement with them, updated our agreements where needed, and conducted a Transfer Impact Assessment (TIA). For further information you can contact us as detailed above.

12. Cookies & external links 

We use cookies on our websites. More information on how we use cookies can be found in our cookie notices, where you can also change your consent.

This website contains links to other websites, which are clearly marked as such. Please note that we have no control over external websites and are not responsible for the protection and privacy of any information which you may provide to them. Please refer to a website’s privacy policy when using it. 

13. Marketing Communications 

We would like to send you marketing news and updates regarding our company, products and services should you like to receive them. In order to send you these communications we would require your consent, and you can always change your preferences (i.e. opt out) by clicking on the relevant unsubscribe link at the bottom of the email. You can also opt out by contacting us by phone or email should you choose to do so.

14. Data Retention 

We regularly review our data retention practices to ensure we only retain personal data for as long as necessary in line with our data processing activities. We have created data retention policies and accompanying data retention schedules to help document relevant retention periods. 

As a data controller we will retain personal data for as long as necessary in line with various requirements, such as best practice recommendations (e.g. ICO recommendations), relevant guidelines (e.g. ACAS guidance) or for as long as mandated under specific legislation (e.g. HMRC requirements). We will also determine appropriate retention periods based on our legitimate interests where identified.

As a data processor we will retain personal data for as long as required as set by our client data controllers. Where the data controller has determined the relevant retention period, we will be sure to document this and notify them in advance before the deletion is carried out, normally within 30 days. 

15. What Happens If Our Business Changes Hands? 

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will be permitted to use that data only for the purposes for which it was originally collected by us. 

16. Data Security 

We are Cyber Essentials and ISO 27001:2022 certified. Copies of our certificate are available upon request. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. 

If we become aware of any loss, misuse or alteration of personal data we will work closely with our IT team and other parties as necessary to investigate the incident at hand. We have put in place the relevant procedures and policies to investigate, mitigate and report (when needed, to relevant parties) such instances.

17. Data Protection Rights 

If you are based in the UK/EEA you have several Rights regarding how an organisation processes your personal data. The Rights are as follows:

  • Right to be informed 
  • Right to access data 
  • Right to rectification 
  • Right to erasure 
  • Right to restrict processing 
  • Right to objection 
  • Right to portability 
  • Right not to be subject to automated decision making and profiling

If you would like to exercise any of the above Rights, you can do so by sending us a written request to our email address mentioned above or you can contact our EU/EEA GDPR Representatives. 

Please also note, as mentioned above, that if we receive a Rights request as a data processor, we will forward the request to the client controller who may then contact you directly for additional information or to confirm if the Right is exercised or not.

18. Concerns and Complaints 

We understand you may have concerns and complaints about this notice and any aspect of how we process personal data. If you would like to contact us directly to talk to us about a concern or to raise a complaint, you can do so by using our contact details above or via our EU/EEA GDPR Representatives.

You can also submit a complaint directly to the Information Commissioner's Office (the ICO), the UK supervisory authority for data protection, via this link https://ico.org.uk/make-a-complaint/.

If you are based anywhere within the EEA, a list of supervisory authorities can be found via this link https://edpb.europa.eu/about-edpb/board/members_en.

19. Review and Updates 

We will review this notice and make changes to it from time to time. We recommend that you check this notice to see where changes have been made and to ensure you are able to review updated information at all times.