Privacy Notice for website
KBS Maritime is a joint venture between BAE Systems and KBR with a registered office address at Victory Building (pp72), Rm 233 The Parade, HM Naval Base, Portsmouth, England, PO1 3LS
KBS Maritime is the data controller in respect of personal information that we process in connection with our business. This includes the products and services that we provide, and the operation of our website. In this notice, references to “we”, “us” or “our” are references to KBS Maritime.
We take your data protection rights and our legal obligations seriously. Your personal information will be treated in a secure and confidential manner and only as detailed in this Notice. “Personal information” means information about a living individual who can be identified from that information (either by itself or when it is combined with other information). We may update or amend our Privacy Notice from time to time to keep it up to date with current legal requirements and the way in which we operate our business. Any such changes will be published in the updated Privacy Notice on our website. To stay informed of such changes and your rights, we would encourage you to visit our website regularly. However, please note that in some cases, if you do not agree to such changes it may affect any contractual relationship we have with you.
1.1 BASIS FOR PROCESSING PERSONAL INFORMATION
We will only process personal information where we have a lawful reason to do so. This notice provides an overview of the reasons we have for processing personal information.
If necessary, we will collect consent from you and advise you of the impact of not providing any such consent. We may process your personal information without your knowledge or consent, whilst remaining compliant with the information set out in this Notice, where this is required or permitted by applicable law.
The reasons that we have for processing your personal information directly relate to the legal grounds for processing set out in the GDPR and local laws. We have also identified these legal grounds within this Notice where they apply.
Please contact us if you have any questions or would like more detail regarding our reasons for processing your personal information.
The primary point of contact for all issues arising from this Notice, including requests to exercise data subject rights, or to contact a relevant data controller (as set out below) is:
You can also write to us at:
Victory Building (pp72),
HM Naval Base Portsmouth,
1.2 GENERAL LEGAL GROUNDS FOR PROCESSING PERSONAL INFORMATION
The general legal grounds for processing all types of your personal information and what they mean are described further below:
The processing is needed for a contract with you.
We can process your personal information where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. This means that we can carry out the actions needed to conclude or execute our contract with you.
The processing is needed so that we can comply with our legal obligations.
We can process your personal information where this processing is necessary for compliance with a legal or regulatory obligation to which we are subject. Therefore, we can carry out any actions we need to take in order to comply with applicable laws.
The processing is needed for our legitimate interests.
We can process your personal information where the processing is necessary for our legitimate interests, provided that those interests are not overridden by your interests or rights.
Where we are relying on this ground as the basis for our processing, we will tell you what our legitimate interests are and you will see these in this Notice.
We can carry out any actions we consider are needed for these interests, as long as we consider that the processing in question does not negatively infringe on your rights and interests.
You have given your consent to the processing.
We can process your personal information where you have given clear consent for us to process such personal information for a specific purpose.
The processing is needed for vital interests.
We can process your personal information where the processing is necessary to protect someone’s life.
The processing is needed for a public task.
We can process your personal information where the processing is necessary for us to perform a task in the public interest or an official function, and the task or function has a clear basis in law.
1.3 ADDITIONAL LEGAL GROUNDS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL INFORMATION
Special categories of personal information may include:
- a) information about racial or ethnic origin,
- b) religious or philosophical beliefs;
- c) trade union membership;
- d) physical or psychological health details or medical conditions; and
- e) biometric information, relating to the physical, physiological or behavioural characteristics of a person, including, for example, using voice recognition or similar technologies to help us prevent fraud.
We will only process your special categories of personal information when there is a necessity to do so and where we are lawfully permitted under GDPR and local laws.
The additional legal grounds for processing special categories of personal information include:
The processing is needed for carrying out our employment law obligations.
We can process special categories of personal information where the processing is necessary for us to carry out any actions we need to undertake in order to comply with our obligations under employment, tax and health and safety law.
The processing is needed for occupational medicine.
Our external and internal occupational health advisers can process special categories of personal information where the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, or to provide a medical diagnosis.
The processing is necessary for substantial public interests.
We can process special categories of personal information where the processing is necessary for reasons of substantial public interest, as set out in the applicable local law. These are explained in this Notice, where relevant.
The processing is needed to protect your life or the life of another.
We can process special categories of personal information where the processing is necessary to protect your vital interests or that of another person where you are physically or legally incapable of giving consent. This means that we can process your special categories of personal information in exceptional emergency situations, such as a medical emergency, for example.
The processing is needed for legal claims.
We can process your special categories of personal information if the processing is necessary for the establishment, exercise or defence of legal claims.
1.4 IMPACT IF INFORMATION IS NOT PROVIDED
In some cases, you will be free to withhold personal information from us; however, if you do withhold specific information we may not be able to continue our relationship with you, if we believe we require the relevant information to support the effective and efficient administration and management of that relationship.
For example, for employees, we require your identity information, contact and payroll information in order to pay you. If this is not provided, we may be unable to manage our contractual relationship.
In addition, for representatives of suppliers or customers, if we do not have your identity and contact information, we will not be able to communicate with you regarding the relevant commercial transaction between the Company and that supplier or customer.
1.5 KEEPING YOUR INFORMATION SECURE
We are committed to protecting the security of the personal information you share with us or we otherwise process about you. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
2. HOW WE OBTAIN INFORMATION
In most cases, we receive the personal information directly from you. You either provide this to us at the outset of our relationship or do so at another time during your interactions with us. This will include personal information that you input into a form or through any self-service function, as well as information that you give to the HR team, your Company contact and to any member of our workforce.
We may create personal information about you during your relationship with us – see internal sources in the table below.
In some cases, we get personal information about you from third party sources – see external sources in the table below.
In addition to the personal information that you provide to us, we may generate some further personal information internally. This will usually be generated by HR, line management or another KBS Maritime contact, as appropriate.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by us or a third party provider of the relevant service on our behalf.
We may also obtain some information from third parties.
If you are a representative of a supplier or a customer, we may receive your personal information directly from that company or from your colleagues. We may also use third parties to carry out anti-money laundering, anti-bribery and corruption and other client-related checks.
If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or from a third party that we engage to carry out a background check (where permitted by applicable law).
3. HOW WE SHARE INFORMATION
Within the Company, your personal information can be accessed by or may be disclosed internally on a need-to-know basis – see internal recipients in the table below.
Your personal information may also be accessed by third parties, including suppliers, advisers, national authorities and government bodies – see external recipients in the table below.
In addition, there are circumstances where we may need to disclose your personal information to third parties, to help manage our business and deliver our services. We may disclose your personal information to third parties if:
- We sell or buy any business, in which case we may disclose your personal information to the prospective seller or buyer of such business;
- KBS Maritime or substantially all of its assets are acquired by a third party, in which case personal information held by it about you will be transferred to that third party;
- We are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in the EEA and around the world, or to our legal advisers;
- It is necessary to protect the rights, property, or safety of KBS Maritime, our customers, suppliers or others, in which case we may disclose your personal information to our legal advisers and other professional services firms; and
- They provide services to us connected with your relationship with us.
Where these third parties (or any others) act as a data processor (for example, a benefits provider), they carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Notice. In this case, your personal information will only be disclosed to these parties to the extent necessary to provide the required services.
Internal recipients of your personal information may include:
· Local, and global departments, including line management and team members;
· Local and executive management responsible for managing or making decisions in connection with your relationship with the Company or when involved in a process concerning your relationship with the Company (including, without limitation, staff from Compliance, Legal, Audit and Security);
· System administrators; and
· Where necessary for the performance of specific tasks or system maintenance by staff in teams such as the Finance and IT departments.
Personal information may also be shared between certain interconnecting IT systems.
In addition, where relevant, certain basic personal information (which may include your name, location, job title, contact information and any published skills and experience) may also be accessible to the Company’s employees for the purposes set out in this Notice.
External recipients of your personal information may include:
· Service providers
· Tax authorities and other regulatory authorities
· Our insurers
· IT administrators
· Lawyers and auditors
· Consultants and other professional advisors
· Payroll providers and administrators of our benefits programs
Personal information contained in our IT systems may be accessible by providers of those systems, their associated companies and sub-contractors (such as those involved with hosting, supporting and maintaining our HR information systems).
We expect these third parties to process any data disclosed to them in accordance with the contractual relationship we have with them and applicable law, including with respect to data confidentiality and security.
In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
4. OVERSEAS TRANSFER OF INFORMATION
We may share your personal information with other parties within our parent organisations, BAE Systems and KBR. Your personal information may be accessed outside of the country you are in and this could be outside of the EEA. In such cases, any transfers will be covered by an intra-group agreement which gives specific contractual protections to ensure that your personal information receives an adequate and consistent level of protection wherever it is transferred within the group.
If you have any questions regarding overseas transfers, please contact us for further details
5. RETENTION OF PERSONAL INFORMATION
We will retain your personal information for as long as is reasonably necessary for the purposes explained in this Notice.
In some circumstances, we may retain your personal information for longer periods, for reasons such as the following: where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.
We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping personal information as current as possible, securely deleting records and irrelevant or excessive data, and storing information anonymously or in a manner which no longer identifies you.
If you would like more information about how long we keep your information, please contact us
6. MANAGEMENT OF INFORMATION ABOUT OTHER INDIVIDUALS
Apart from personal information relating to you, you may also provide us with personal information of third parties, for instance, your family or dependants, or your colleagues. Where this may be the case, we have set this out in this Notice.
Before you provide information about others to us, you must first inform these individuals that you intend to provide their details to us and of the processing to be carried out by us, as detailed in this Notice.
7. YOUR RIGHTS
If you wish to exercise any of the rights detailed in the table below, or if you have any queries about how we use your personal information that are not answered here, please contact us at: KBS.hr@KBSMaritime.co.uk
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.
We will not ask for a fee, unless we think your request is unfounded, repetitive or excessive. Where a fee is necessary, we will inform you before proceeding with your request.
We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way.
Please note that in some cases, if you do not agree to the way we process your information, this may affect any contractual relationship we have with you, for example if you are an employee and you prefer us not to hold certain information about you, this may prevent us fulfilling legal obligations to you or other employees.
|Access and rectification – You have a right to access and correct your personal information.||
If you would like a copy of the personal information we hold about you, please contact us at:
Victory Building (pp72),
HM Naval Base Portsmouth,
You have the right to request access to any of your personal information that the Company may hold, and to request correction of any inaccurate data relating to you.
We aim to ensure that all personal information is correct. You also have a responsibility to ensure that you notify us of changes to your personal information as soon as possible so that we can ensure that your data is up-to-date. You can do this by the most appropriate means. This could be via line management or by email to KBS.hr@KBSMaritime.co.uk
|Erasure – You have a right to request that we delete your personal information.||
You may request that we delete your personal information if any of the following apply:
Please note that we are not required to comply with your request to erase personal information if the processing of your personal information is necessary for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims.
|Restriction – You have a right to request us to restrict the processing of your personal information.||
You may request us to restrict the processing of your personal information if any of the following applies:
|Objection – you have a right to object to processing justified on legitimate interest grounds||Where the reason for processing your personal information is our legitimate interests, you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as the legal ground for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.|
|Right to object to automated decision making||You have the right to object to any decision that significantly affects you being taken solely by a computer or other automated process. In such a case, you have the right to obtain human intervention, to express your point of view, and to contest the automated decision.|
|Right to object to direct marketing.||You have a right to object at any time to processing of your personal information for direct marketing purposes, including profiling you for the purposes of direct marketing.|
Portability – You have a right
to data portability.
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the reason or legal ground for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to the Company in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
If you would like to request the personal information you provided to us in a portable format, please contact us at
|Withdraw consent – You have a right to withdraw your consent.||Where consent is relied as a ground to process your personal information, you are entitled to withdraw your consent at any time, by contacting us at KBS.hr@KBSMaritime.co.uk We will communicate clearly where we need your permission to undertake specific processing activities.|
|Lodge complaints – You have a right to lodge a complaint with the regulator.||If you have any complaints or concerns regarding how we have handled your personal information, you can contact our Data Protection Officer at KBS.hr@KBSMaritime.co.uk who will assist you with the matter. Please note that you can also contact the Information Commissioner’s Office (ICO) for more information or visit ico.org.uk.|
- MARKETING INFORMATION
If you have opted in to receiving communications from us, we may send you relevant marketing information (such as products or service details provided by us), by mail, phone, email, text and other forms of electronic communication. If you no longer wish for us to contact you or receive this information, please contact us at KBS.hr@KBSMaritime.co.uk
GLOSSARY OF TERMS
DEFINITION OF TERMS
|Automated decision making||
A decision made by automated means without any human involvement
A natural or legal person (such as a company) which determines the means and purposes of processing of personal information. For example, if KBS Maritime contracts with you, KBS Maritime will be your data controller as it determines how it will collect personal information from you, the scope of data which will be collected, and the purposes for which it will be used
A natural or legal person (such as a company) that is responsible for processing personal information on behalf of a controller
European Economic Area, which includes all EU countries and also Iceland, Liechtenstein and Norway
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden
|GDPR and applicable local law||
General Data Protection Regulation (GDPR), which is the law governing data privacy in the European Union, and the applicable data protection law in each jurisdiction. These laws apply to our processing and management of your personal information within the EU countries
Information that relates to a living individual. It includes information that may identify a person by name and contact details, or refer to associated information such as account activity, or personal preferences that can directly or indirectly identify an individual
Any and all actions we take with respect to your personal information, including (without limitation) managing, viewing, holding, storing, deleting, changing, using and saving
|Special category personal information||
Any personal information relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
CATEGORIES OF PERSONAL INFORMATION
Your business contact details (e.g. address, telephone number, e-mail), your job title, your employer and any other relevant information
Home address, email address and telephone number(s)
|Data related to your employment with the Company||
Work contact details (e.g. address, telephone number, e-mail), work location default hours, default language, time zone and currency for location, your worker ID and various system IDs, your performance review information, your work biography, your reporting line, your employee/contingent worker type, your hire/contract begin and end dates, your cost centre, your job title and job description, your working hours and patterns, whether you are full or part time; your termination/contract end date; the reason for termination; your last day of work; exit interviews, references, status (active/inactive/terminated); position title; the reason for any change in job and date of change; your benefit coverage start date
|Employment claims, complaints and disclosures data||
Termination arrangements and payments, subject matter of employment based litigation and complaints, employee involvement in incident reporting and disclosures
Bank account details, credit card information and other relevant information about your payment information
|HR processes data||
Allegations, investigations and proceeding records and outcomes, colleague and line management feedback, appraisals, talent programmes, formal and informal performance management processes, flexible working processes, restructure and redundancy plans, consultation records, selection and redeployment data, health and safety audits, risk assessments, incident reports, data relating to training and development needs or training received
Your title, forename and surname, preferred name, gender, photographic images and any additional names
Nationality, second nationality, civil/marital status, date of birth, age, national ID number, immigration data, languages spoken and next-of-kin/dependent contact information
|Monitoring data (to the extent permitted by applicable laws)||
Closed circuit television footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programmes and filters
|Share information||Number of shares held, date joined the register, date left the share register, dividends paid/not cashed; bank mandate details; share transactions; nationality and AGM / Proxy voting|
|Staff related data||
Your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, gender, nationality, second nationality, civil/marital status, date of birth, age, home contact details (e.g. address, telephone number, e-mail), national ID number, immigration and eligibility to work data, languages spoken, next-of-kin/dependent contact information, passport details, driving licence and car registration details
|Recruitment data||Qualifications, references, CV and application, interview and assessment data|
|Regulatory data||Records of your registration with any applicable regulatory authority, your regulated status and any regulatory references|
|Remuneration and benefits data||Your remuneration information (including salary/hourly plan/contract pay information as applicable, allowance, bonus and merit plans), bank account details, grade, social security number, tax information, third party benefit recipient information|
|Vetting data||Vetting and verification information, including results of any background or other checks|
|Website information||Data that you provide by filling in forms on the Website, including data provided at the time of registering to use the registration-only sections of the Website (such as our careers and brand sections); any personal information requested from you by the Company (such as when you report a problem with the website); if you contact us, in writing, by email or other electronic means through the Website, we may keep a record of that correspondence; and details of your visits to the website including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access|