Applicant and Employee Privacy Notice

Due Network”, “we”, “us” and “our” means either:

  • Due Payments Ltd, which is registered in Bulgaria with our registered address is at Mladost 1, 51A, fl. 4, ap. 24, Sofia, Bulgaria 1784 and our company registration number is 207457701; or
  • Due Ltd, which is registered in the United Kingdom (“UK”) with our registered address is at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ and our company registration number is 14369984,

being the entity employing or proposing to employ you on the date that you receive this document, and we are committed to respecting your privacy. This Privacy Notice applies if you are an employee or a prospective employee of Due Network as well as if you are a consultant, contractor or temporary worker working at Due Network. 

This notice applies to applicants, employees, consultants, contractors and temporary workers. If you apply via a third-party recruiter/platform, they may process your personal data as an independent controller under their own privacy notice.

Where we use the term your “Application” in this notice, we are referring to your application to work at Due Network.

About this Privacy Notice

For the purposes of data protection law, we are a controller in respect of your personal data. We are responsible for ensuring that we use your personal data in compliance with data protection laws, including but not limited to: 

  • the EU’s General Data Protection Regulation 2016/679 (“EU GDPR”); and/or
  • the UK’s General Data Protection Regulation 2016/679 (“EU UK GDPR”) 

This Privacy Notice sets out the basis on which any personal data about you that you provide to us, that we create, or that we obtain about you from other sources, will be processed by us. 

Please take the time to read and understand this Privacy Notice. 

Personal data that we collect about you

We will collect and process the following personal data about you:

  • Information that you provide to us or one of our affiliates. This includes information about you that you give to us by filling in forms or by communicating with us, whether face-to-face, by phone, e-mail or otherwise during your Application and/or employment with us. This information may include:
    • your full name, date of birth, nationality, education and qualification details, marital status, home address, mobile telephone number, emergency contact details, CV or resume, bank account details for the transfer of your salary and other benefits and tax details; and 
    • any other details you provide in support of your Application, including (but not limited to) information contained in your CV and/or other documents outlining your reasons for applying to us.
  • Information we collect or generate about you. This includes:
  • personal data that we collect through your communication and correspondence with us (including but not limited to the content, date and time of your email or internal messaging correspondence); 
  • information obtained through any interviews and assessments with you;
  • work-related details such as your job position, contact details, performance at work, absences, pay and benefits information, service history, a copy of your employment agreement, passport details, photograph, health information, pregnancy and/or disability status;

Passport details are typically processed for right-to-work verification and travel/identity checks; we minimise these data and restrict access.

  • personal data that we collect through your use of our email system and/or internal messaging tools (including but not limited to your full name, email address and the content, date and time of your message correspondence); and
  • information obtained through an exit interview with you (upon your departure from our organisation), including your reasons for leaving. 
  • Information we obtain from other sources. This includes:
  • personal data that we collect from screening, background and/or reference checks we may perform on you as part of the Application or recruitment process, which may include your address history, your credit history, your qualifications (both academic and professional), your previously held directorships (if any); and
  • personal data (including health data) which we receive from third party providers who carry out occupational health assessments.

We may also receive (where relevant and lawful): references from prior employers; professional credential/qualification verification results; and (where permitted and proportionate) criminal records and/or sanctions screening for regulated or risk-sensitive roles.

Uses of your personal data

Your personal data may be stored and processed by us in the following ways and for the following purposes:

  • to consider your Application (including, in some cases, verifying your qualifications and references with those third parties you name);
  • to maintain contact with you in the future and notify you of relevant job vacancies with a member of our group that you might be interested in. Please note that if you do not want us to retain your information, or want us to update it at any stage, please contact us in accordance with the “Contacting us” section;
  • to meet our legal obligations as an employer and perform our obligations and exercise our rights under your contract of employment with us. For example, we use your personal data to pay you, to evaluate your individual performance, and provide benefits in connection with your employment;
  • to comply with any legal or regulatory obligations to which we are subject (including compliance with any request from regulatory authorities or other relevant public authorities);
  • we will use the private contact details relating to you and your next of kin (and that you have provided to us for emergency purposes) only in connection with an emergency;
  • we will process personal data related to your use of our email and internal messaging systems in order to enable the effective operation of the systems and ensure that they are used in accordance with our policies and procedures; and
  • the prevention and detection of crime or fraud.

Additional purposes (where relevant): recruitment & selection; HR administration (payroll, benefits, expenses, time/attendance, performance, promotions, training); security & access (provisioning and auditing access, incident response, business continuity); compliance (employment, tax, social security, equality, H&S, right-to-work); investigations & legal claims; and corporate transactions (M&A/restructuring) with safeguards.

We are entitled to use your personal data in these ways because that use is necessary:

Lawful bases (Article 6): 

  1. contract / steps prior to entering into a contract; 
  2. legal obligation; 
  3. legitimate interests (balanced against your rights); and 
  4. consent where required by local law for specific checks or longer retention.
  • in order to take steps in preparation for entering into a contract with you, in particular to consider you for a position with us; 
  • for us to perform our obligations and exercise our rights in connection with your employment contract with us;
  • to perform our contractual obligations with our third-party providers such as consultants, law firms, accountants, infrastructure service providers;
  • for the purposes of occupational health and for us to take decisions regarding your fitness for work;
  • for us to comply with our legal and regulatory obligations; 
  • for us to establish, exercise or defend our legal rights or for the purpose of legal proceedings; or
  • for our legitimate business interests (or the legitimate interests of one or more of our affiliates), such as to:
    • allowing us to effectively assess your skills, qualifications and/or the strength and merits of your Application and your suitability for the role applied for;
    • allowing us to effectively verify your information;
    • allowing us to effectively and efficiently administer and manage the operation of our business;
    • ensuring a consistent approach to the recruitment of our personnel worldwide; 
    • being able to contact you in relation to your Application and the recruitment process;
    • allow us to effectively and efficiently administer and manage the operation of our business;
    • ensure a consistent approach to the management of our employees and the employees of our affiliate companies worldwide;
    • maintain compliance with internal policies and procedures; or
    • be able to contact you or your family in the event of an emergency.

Special Categories of Personal Data that we collect about you

Biometric data: we do not use biometric verification for applicants/employees unless explicitly required for a specific system or site access. If we do, we will provide a separate notice explaining purpose, lawful basis, retention and safeguards before collecting it.

Important improvement: we will identify the relevant Article 9 condition for special category processing and apply safeguards (access restriction, minimisation, retention limits). Criminal offence data (Article 10) will be processed only where permitted by law and with appropriate safeguards.

Certain forms of “special categories of personal data” are subject to specific protection or restriction by law in certain territories, including the EU and UK. For these purposes, special categories of personal data are data relating to: racial or ethnic origin; political opinions; religious or  philosophical beliefs; trade union membership; genetic data; biometric data;  data concerning health; or data concerning sex life or sexual orientation. Criminal offence data does not fall under these special categories but is still afforded special protection under data protection laws. We will only process your special categories of personal data or criminal offence data if permitted by law and only if one of the following conditions is met: 

  • you have given explicit consent in writing to the processing of the data; 
  • the processing is necessary for carrying out our obligations and specific rights in the field of employment law, social security or social protection law (including obligations in relation to health and safety and disability discrimination, occupational health, sickness absence, maternity leave, family emergency leave, paternity leave, parental leave, the legality of personnel working in a particular jurisdiction, which will involve processing data in relation to nationality, work permits and visas, monitoring equality of treatment of staff, in connection with benefits including life assurance benefit, permanent health insurance, private medical insurance or pension, disciplinary action and vetting (where necessary)); 
  • the processing is necessary to protect your health or safety in an emergency (or that of another person) where you are physically or legally incapable of giving consent; 
  • the data in question has been made public by you; 
  • the processing is necessary for the purpose of, or in connection with, any actual or prospective legal proceedings, for the purpose of obtaining legal advice or otherwise for the purposes of establishing, exercising or defending legal rights subject to applicable local legislation or where courts are acting in their judicial capacity; 
  • the processing is necessary for reasons of substantial public interest on the basis of local law which is proportionate to the aim pursued and which contains appropriate safeguarding measures; 
  • the processing is necessary for preventative or occupational medicine;
  • the processing is necessary for the prevention or detection of crime or acts of dishonesty, malpractice or other improper conduct;
  • the processing is necessary for archiving purposes in the public interest or scientific and historical research purposes or statistical purposes; or
  • the processing is otherwise permitted by law.

In each case we will meet any additional local legal requirements and enforce any applicable duties of confidentiality vigorously, for example in relation to access to health records.

Disclosure of your information to third parties

We may disclose your personal data to our affiliates for the purposes of:

  • the management and administration of our business and our affiliates’ business;
  • complying with the functions that each of them may perform relating to regional or global HR decisions;
  • assessing compliance with applicable laws, rules and regulations, and internal policies and procedures across our business and our affiliates’ businesses; 
  • where your personal data are held as part of an internal directory, enabling adequate communication with you for the performance of employment duties or for emergency reasons; 
  • performing contractual obligations with third-parties; and
  • the administration and maintenance of the databases storing personal data relating to our employees or to employees of our affiliates.

We will take steps to ensure that the personal data is accessed only by employees of our affiliates that have a need to do so for the purposes described in this Privacy Notice and that they are subject to appropriate confidentiality and only use the data for purposes described in this Privacy Notice.

We may also share your personal data with third parties outside of our corporate group for the following purposes:

  • if we sell any of our business or assets, in which case we may disclose your personal data to the prospective buyer for due diligence purposes;
  • if we are acquired by a third party, in which case personal data held by us about you will be disclosed to the third party buyer;
  • to third party agents and contractors for the purposes of providing services to us, including payroll services, IT and communications providers, law firms, accountants and auditors. These third parties will be subject to confidentiality requirements and they will only use your personal data as described in this Privacy Notice; and

Additional recipient categories (where relevant): payroll and benefits providers; recruitment vendors (ATS/background screening/assessments); IT and security vendors (identity/access management, device management, security monitoring tools); and professional advisers (lawyers, auditors, accountants). Some recipients may act as independent controllers (e.g., authorities) for their own legal purposes.

  • to the extent required by law, for example if we are under a duty to disclose your personal data in order to comply with any legal obligation, establish, exercise or defend our legal rights.

Transfers of personal data outside the European Economic Area (“EEA”) and UK

Transfer safeguards (EEA/UK): where adequacy is not available, we use EU SCCs and, for the UK, the IDTA and/or the UK Addendum to the EU SCCs, plus supplementary measures where required.

  1. Your personal data may be transferred to our international affiliates and the various entities that make up our international network and accessed by personnel authorised by us, and in limited circumstances to our third-party contacts, outside the EEA/UK as well as within it, for the purposes identified above. Where we transfer your personal data outside the EEA/UK, it will be protected in a manner that is consistent with how your personal data will be protected by us in the EU/UK. This can be done in a number of different ways, for instance:
  • the country to which we send the data is approved by the European Commission / UK Government (as applicable); 
  • the recipient may have adhered to binding corporate rules (only for intragroup transfers); or
  • the recipient has signed a contract based on “model contractual clauses” approved by the UK Government / European Commission (as applicable), obliging them to protect your personal data.

The personal data that we collect from you may also be otherwise transferred to, and stored at, destinations outside the EEA/UK. It may also be processed by individuals operating outside of the EEA/UK who work for our affiliates or for one of our suppliers. 

In all cases, however, we will ensure that any transfer of your personal data is compliant with the applicable data protection law. 

You can obtain more details about the protection given to your personal data when it is transferred outside the EEA/UK (including a copy of the standard data protection clauses which we have entered into with recipients of your personal data) by contacting us in accordance with the “Contacting us” section below.

Retention of personal data

How long we hold your personal data for will vary. The retention period will be determined by the following criteria:

  • the purpose for which we are using your personal data – we will need to keep the data for as long as is necessary for that purpose; and
  • legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.

Your rights

You have a number of legal rights in relation to the personal data that we hold about you. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
  • the right to withdraw your consent to our processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) for doing so; 
  • in some circumstances, the right to receive some personal data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data which you have provided to us;
  • the right to request that we rectify your personal data if it is inaccurate or incomplete;
  • the right to request that we erase your personal data in certain circumstances. However, please note that there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it;
  • the right to object to, and the right to request that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled to continue processing your personal data and / or to refuse that request; and
  • the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

You can exercise your rights by contacting us using the details set out in the “Contacting us” section below.

Further information about your rights may be obtained by contacting the supervisory data protection authority located in your jurisdiction: 

  • In the UK, the supervisory data protection authority is the Information Commissioner’s Office (“ICO”) - https://ico.org.uk/
  • A list of National Data Protection Authorities in the EU can be found here. 

Contacting us

If you would like further information on the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, please address questions, comments and requests to dpo@due.network (or your designated privacy/DPO contact) for data protection queries and rights requests.

Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time, whereby we will make sure that the most recent version will be available on opendue.com/https://www.opendue.com/es/legal/privacy-policy-applicants  or may be requested by contacting us as set out in this Privacy Notice.