
Data Protection Policy

This is the Data Protection Policy of EZ Living Furniture (hereinafter known as the “Company”) relating to
employees. The purpose of this document is to outline the personal data we gather about employees,
why we gather this information, what we will do with it, how we process it and who we may share it with.
This policy is in accordance with the applicable Data Protection Legislation, including the General Data
Protection Regulation (GDPR), which is effective from May 25th, 2018.

In everything we do, we aim to treat employees in a fair and transparent manner. We are committed to
continuing to process all employee data in line with all relevant legislation. This policy incorporates the
Company Privacy Statement and our Privacy Notice and is given to all employees to ensure they
understand how their personal data, and the personal data of applicants to the Company, is collected,
managed and used.

It applies when the Company processes the personal data of any individual (employees, applicants for
employment, self-employed contractors, agency workers and others who work for it, who are referred to
in the legislation as ‘Data Subjects’). The Company processes personal data of employees, former
employees and applicants for employment.

Our Data Protection Coordinator is contactable by email at hr@ezliving.ie.

This Data Protection Policy may be changed over time to ensure it remains up to date with legislation and
in line with best practice. In addition, this policy may be updated to incorporate changes within the
Company, particularly if we change how we use your personal data or change our technology, to ensure
we remain compliant with the GDPR. Any updates to this policy will be communicated to all employees in
writing.

A. Privacy Statement

The Data Protection Legislation sets out 7 core principles of GDPR. In the processing of any data the
Company will have regard to the core principles, which are as follows:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

B. Privacy Notice

1. Examples of personal data processed

Personal data is any information related to an identified or identifiable natural person (‘Data Subject’)
held either electronically or physically. The personal data processed by the Company is collected and
processed to maintain compliance with the Company’s legal obligations. In addition, some data is
processed to ensure the performance of a contract (contract of employment) or due to a legitimate
interest of the Data Controller (e.g. the Company). This data is collected at the start of and throughout your
employment with us.

The following is an overview of the type of personal data processed by EZ Living Furniture:

Name; legal name; preferred name; gender; birth place; date of birth; nationality; marital status;
emergency contacts; all contact information (personal & work) including address, email and phone
numbers; any correspondence (hard & soft copy, email, text, calls or web messaging services where
appropriate); PPSN; CV, Contracts and Handbook, Benefits, compensation, position data, reference details,
performance documentation, reviews and ratings, training documentation, development plans, goals,
experience and succession data and payroll data including bank account details, CCTV footage,
interactions via online services/technology used by the Company (Company intranet, till records, annual
leave planner, absence management software, phone records/bill, stock management etc.)

2. Purposes for collecting & holding data

The purpose for which the Company holds any information about data subjects is for appropriate
purposes, including but not limited to: compliance with employment legislation and all legal obligations,
contractual necessity, recruitment, induction, appraisals, employee communications and interactions,
performance evaluations, leave & other absences, promotion, training, career & talent development, pay
and remuneration, compensation & benefits including pension and insurances and other benefits, payroll,
tax, P.R.S.I, other deductions from pay, health and safety, security, disciplinary and grievances
investigations and other legitimate interests of the Data Controller.

3. Sensitive Personal Data

Special category personal data (otherwise known as sensitive personal data) means personal data
collected which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade
union membership, and the processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual
orientation. The processing of sensitive personal data shall be prohibited, unless the data subject has
given explicit consent to the processing of their sensitive personal data for one or more specified purposes
or the employer satisfies at least one of the additional conditions in order to process the data (e.g. the
processing is necessary in connection with rights and obligations under employment (i.e. social security),
or the data has been manifestly made public by the employee).

Please note we may collect, hold and process data, including sensitive personal data, if it is necessary to
do so for compliance with any statutory duty or regulatory obligation with which we are required to
comply.

4. Data Retention (Length of time data is held)

This policy operates on the principle that we keep personal data for no longer than is necessary for the
purpose for which we collected it. Data will also be retained in accordance with any legal requirements
that are imposed on us. This means that the retention period for your personal data will vary depending
on the type of personal data.

When establishing the criteria that we apply to determine retention periods, we consider the Company’s
statutory and regulatory obligations, contract necessity, legitimate interest for processing the data, as
well as managing legal claims. Certain data may be required in order to defend any legal claims which may
be made. If such data is required, we may keep it until the statute of limitations runs out in relation to the
type of claim that can be made (which varies from 2 to 12 years).

The type of information which we will hold, and the time for which we will normally hold it, will be as
outlined in the table below (ref 4.1).

4.1

| Type of Information | Period Held * |
|---|---|
| Recruitment (unsuccessful candidates) | 1 year |
| Recruitment (successful candidates) | 1 year from end of employment |
| Application Form / Application Materials | 1 year from end of employment |
| References Received | 1 year |
| Payroll & Payment data | 3 years/ 1 year from end of employment |
| Tax Information | 6 years |
| Working Hours - Time and Attendance | 3 years/ 1 year from end of employment |
| Sickness records | 3 years/ 1 year from end of employment |
| Annual Leave records | 3 years/ 1 year from end of employment |
| Unpaid leave/ special leave records (Except Parental Leave which is 8 Years) | 3 years/ 1 year from end of employment |
| Annual appraisals/assessment records | 1 year from end of employment |
| HR Records & correspondence e.g. employee file | 1 year from end of employment |
| Training documentation | 1 year from end of employment |
| Biographical data e.g. name, position held, dates of employment etc. | 1 year from end of employment |
| Records relating to accident or injury at work | 10 years |
| Collective Redundancy Information | 3 years |
| Employment Permit Records | 5 years or period equal to duration of employment whichever is longer |
| Employment Records of Young Persons | 3 years |
| Terms of Employment (Information) Act 1994 | 1 year from end of employment |
| CCTV | 4 weeks |
| Breach of Contract | 7 years from date of breach |

* While many of these retention periods are based on statutory retention periods and are generic in
nature, the Data Controller may need to review specific retention periods to comply with legal or
regulatory obligations and may retain data beyond these periods, but only if the Data Controller can justify
a legitimate interest or contractual necessity in doing so. Any changes will be communicated to the
relevant data subjects.

After the above deadlines pass the Company will destroy both hard and electronic copies of personal data
in an appropriate manner in line with GDPR obligations.

5. Storage of, and access to your data

We may store both hard copy and soft copy data relating to our employees. Hard copy information will
be handled correctly and stored appropriately at all times. Soft copy information will be stored using
approved IT systems with passwords. All IT systems used are in compliance with the GDPR. All
employees, particularly members of management, must ensure confidentiality and be mindful when
handling any document which contains personal data relating to another individual(s). All relevant
employees will receive appropriate instruction and training on the handling of data.

Appropriate Company personnel may, through the course of your employment, have access to relevant
employee data. At all times the Company will ensure that any access to an employee’s data is for
legitimate and lawful purposes.

6. Protection of the data we hold on you

The Company has taken all the necessary steps to ensure that your data is not accessed or processed
inappropriately or accidentally or unlawfully destroyed, lost, damaged, altered or disclosed in an unlawful
way.

Please note your data will not be transferred outside the EU.
Any transfer/ access of data outside the EU is safeguarded by strict contractual obligations with the data
processor processing the data to ensure all data is protected. If you require further information about the
measures we have taken in relation to the transfer of personal data, please contact our Data Protection
Coordinator.

Please note, any breach of data security once detected will be reported and investigated in line with the
legislation. The Company is committed to treating any breach of data security seriously and will react
quickly to notify the relevant authority and the individual within the required timeframe, where
necessary.

7. List of Third Parties who may during the course of your employment have access to your data
(e.g.: consultants who work with us and legal bodies required by Law)

We rely on trusted third parties to help us run the business and to provide us with specialized services.
These can include external payroll and IT services. In addition, these can include legal advisors,
accountants and consultants. The following is a list of third parties who we may share your personal details
with, or seek information from:

1. IT Provider/Systems we use
2. Revenue Commissioners
3. Payroll
4. Company Doctor
5. HR Consultants & legal practitioners
6. Professional advisor, e.g. financial advisor, accountants etc.
7. Department of Social Protection
8. Department of Immigration

Any other external body as required. If you require further information, please contact the Data Protection
Coordinator.

C. Employee Obligations

As an employee of the Company, you have specific obligations in line with Data Protection legislation and
confidentiality. In the course of your work, you will be exposed to personal data and sensitive information
regarding other individuals including colleagues, customer interactions, contractors etc. When handling
all forms of personal data you must always ensure you abide by Data Protection Legislation
incorporating the General Data Protection Regulation and all Company documentation you receive on
same. Any breach of data protection legislation may result in disciplinary action, up to and including
dismissal.

All employees must be aware of GDPR at all times during their working day. All employees, particularly
members of management, must be aware of the personal data they gather on a day to day basis both in
hard copy and soft copy.

Please note, this policy must be read in conjunction with the Employee handbook.
By signing this Data Protection Policy, the employee confirms that they understand the importance of
GDPR and will at all times process data in line with the legislation and the contents of this policy document.
In particular, the employee commits to:

- not using any data, personal or otherwise, which they may be able to access for any purpose other
  than their legitimate employee duties and only for purposes for which it was obtained;
- only revealing/releasing data to the duly authorised persons, ensuring they have the capacity/
  authority to receive it, whether they are private, public, physical or moral persons (if in doubt,
  just ask);
- not making any copy of this data except when it is necessary to carry out their duties and
  responsibilities;
- taking all measures necessary when performing their duties in order to prevent the devious or
  fraudulent use of this data;
- taking all necessary precautions to preserve the physical security of this data;
- making sure, within the limits of the employee's duties, that only secure means of communication
  will be used to transfer this data;
- in the event of termination of an employee's function, the employee will return all Company data.

This confidentiality commitment, in force throughout the duration of each employee’s employment, will
remain effective, without any time limit after the termination of employment, whatever its cause, as this
commitment relates to the use and communication of personal data.

If you are ever in doubt whether to process a piece of data or not, seek advice first.

If you ever have any concerns, however minor, in relation to the processing of, or storage of any form of
personal data in the Company, you must report it immediately to the Data Protection Coordinator.

Please note, any breach of data security once detected will be reported and investigated in line with the
legislation. The Company is committed to treating any breach of data security seriously and will react
quickly to notify the relevant authority and the individual within the required timeframe.

As data subjects, every employee has a reasonable obligation to ensure the personal data we hold is
accurate. In order for us to keep your information up to date, please notify your manager if any of your
personal/ contact details change.

D. Employee Rights

1. Right of Access

If an employee, or customer, wants to request a copy of the data held about them he/she may make a
Subject Data Access Request (SDAR). The individual must contact HR in writing. Once your identity is
verified, we will respond to your SDAR within 30 days where possible. We may need to request further
details from you.

2. Right to rectification

An employee, or customer, has the right to request that any inaccurate data that is held about them is
corrected, or if the Company has incomplete information you may request that we update the information
so that it is complete. Please note, any such request must be submitted in writing outlining the inaccurate
data and the basis for the correction. The Company will then review this request in line with the legislation.

3. Right to erasure

You have the right to request us to delete personal data that we hold about you. This is sometimes
referred to as the right to be forgotten. Please note, any such request must be submitted in writing
outlining the personal data you would like deleted and the basis for the deletion. The Company will then
review this request in line with the legislation and will determine whether the data remains necessary for
the legitimate purpose it was initially gathered/ processed for.

4. Right to restriction of processing or to object to processing

You have the right to request that we no longer process your personal data for particular purposes, or to
object to our processing of your personal data for particular purposes. Please note, any such request must
be submitted in writing outlining the personal data you object to being processed and the reason you
object to this data being processed. The Company will then review this request in line with the legislation
and will determine whether the data remains necessary for the legitimate purpose it was initially
gathered/ processed for.

5. Right to data portability

You have the right to request us to provide you, or a third party, with a copy of your personal data. Please
note, any such request must be submitted in writing clearly outlining the personal data you require and
details of the third party, if required.

6. Complaints procedure

The Company has a grievance procedure in place. If you have any concern in relation to the handling of
your data please refer to this policy in your Employee handbook. If you have a complaint about the use
of your personal data, please advise your manager immediately.

If you do wish to make a complaint you may do so in writing. Please provide as much information as
possible to help us resolve your complaint quickly and allow the Company the opportunity to put things
right as quickly as possible. Please be assured that all complaints received will be fully investigated.

Following the exhaustion of our internal procedures, if you are not satisfied with our response to your
complaint, you can also contact the Data Protection Commission (www.dataprotection.ie).

The Company will at all times meet the mandatory disclosure obligations of GDPR in the event that we
discover any data breach and will act without delay once we become aware of the breach.

I declare that I have read and understand this document and that the Company will process my personal
information for the purposes listed and outlined in this Data Protection Policy.

I understand that if I have any questions about this policy, or require further information at any time, it is
my responsibility to contact the Data Protection Coordinator or my Manager.

I further declare that I understand my obligations, as outlined above in section C.

Signature: Print name:

Date:
