Privacy Policy

VIDRALA PRIVACY POLICY

Introduction

The purpose of this Privacy Policy is to inform you about how we collect and process your personal data before, during and after your working relationship with us, so that you can freely decide if you wish to provide the data for the purposes laid out in this document.

We inform you that the entity responsible for the personal data we request from you is: Vidrala, S.A. - address: Barrio Munegazo 22 · 01400 Laudio, Araba, España/Spain (hereinafter, VIDRALA).

When you provide your personal information through our recruitment platform, you must be aware that Vidrala is a business group with an international presence, in which resources are shared to achieve our business objectives. Therefore, your personal data may be shared with Vidrala Group companies when necessary to fulfil your request, provide the requested service, or when Vidrala has a legitimate interest in processing this information.

We also inform you that your personal data will only be transferred to countries within the EU and Brazil, in the terms indicated above, and specifically to:

Aiala Vidrio	Barrio Munegazo 22 01400 LLODIO ESPAÑA-SPAIN
Crisnova Vidrio	Calle Carlos Delclaux, s/n Poligono Los Villares 02660 CAUDETE ESPAÑA-SPAIN
Castellar Vidrio	C/ Berguedé, 67 Pol. Ind. Pla de la Bruguera 08211 CASTELLAR DEL VALLÉS ESPAÑA-SPAIN
Gallo Vidro	R. Vieira de Leiria 1 2430-300 MARINHA GRANDE PORTUGAL
SB Vidros	R. Santos Barosa 5 2430-415 M.NHA GRANDE PORTUGAL
Encirc (Ireland)	11 Gortahurk Road BT92 9DD DERRYLIN FERMANAGH IRLANDA-IRELAND
Encirc (UK)	Ash Road ELTON CHESHIRE CH2 4LF REINO UNIDO-UNITED KINGDOM
Encirc The Park (Uk)	Kings Weston Ln BS11 9FG AVONMOUTH BRISTOL REINO UNIDO-UNITED KINGDOM
Vidroporto Sudeste	Rod. Anhanguera, Km 226,8 13660-000 PORTO FERREIRA BRASIL-BRAZIL
Vidroporto Nordeste (Indústria Vidreira do Nordeste)	Rod. BR 101, Km 142 49200-000 ESTÂNCIA BRASIL-BRAZIL

We are committed to protecting your personal data, whether you are an employee, contractor, agency worker, or applicant who is interested in joining us.

If you wish to contact us, you can do so at the following email address: DPD@vidrala.com.

Responsibilities

This policy covers all individuals working for the Company, irrespective of their status, level or grade. This includes but is not limited to, employees, officers, consultants, contractors, casual workers and agency workers (Staff). All Staff are responsible for maintaining the reputation of the Company in public, including on social media.

This policy also applies to internal and external candidates who apply for roles advertised by the Company (Candidates).

Some aspects of this policy apply specifically to Candidates and some aspects of this policy apply specifically to Staff. References to ‘you’ should be interpreted accordingly.

Managers have a specific responsibility for operating within the boundaries of this policy and ensuring that the Staff under their control understand the standards of behaviour expected of them. Managers should lead by example in relation to this policy, ensure that Staff comply with their responsibilities under this policy and address any breaches of this policy in a timely manner.

All Staff are responsible for their personal compliance with this policy and should ensure that they take the time to read and understand it.

What personal information do we collect?

We collect and process a range of information about you. This includes:

Identity information, such as name, title, gender, date of birth, nationality, job title, and National Insurance number. This also includes details and photocopies of government-issued documents such as passports and driving licences.

Contact information, including your home and postal address, telephone number, and email address. This also includes details of family members or people who wish us to contact in the event of an emergency.

Financial information, including salary details, entitlement to benefits, tax information and bank account details.

Employment data, including your employment status, start date, information and documentation supporting your right to work in the UK, Ireland, Spain, Portugal, France or Brazil, recruitment information such as references, work history, and CVs, qualifications and education history, details of your work schedule (days of work and working hours), your attendance records, and details of any periods of leave taken. It can also include details of any disciplinary and grievance information, occupational health information, leaving date and reason for leaving, as well as performance related records, such as assessments of your performance, appraisals, reviews and ratings, training records and details of any performance improvement plans.

Technical & system data, which is related to the use of our information and communications systems, such swipe card records, usage of mobile and office phones, computers, your internet usage, records of who emails are sent to and received from, usage of photocopiers, and CCTV footage.

Special categories of more sensitive personal data, which include:

Details about your race or ethnicity, marital status, religious or philosophical beliefs, and sexual orientation. This information is voluntary and it helps us monitor our policies and practices in accordance with the regulations in the countries where Vidrala Group operates. You are free to decide whether or not to provide this data and there are no consequences if it is not disclosed. Such data will only be requested in countries where local legislation permits or requires its collection, such as the United Kingdom.

Information relating to health or medical conditions, which is processed for health and safety purposes and for us to fulfil our employment law obligations.
Information about trade union membership, which is processed to allow us to operate check-off for union subscriptions.
We may also collect information about criminal convictions and offences relating to you in accordance with the law that applies to your role.

How is your personal data collected?

We collect this information in a variety of ways, but most will be collected directly from you during your initial application to us and during the course of your employment.

We may use third parties to assist in obtaining relevant personal data, such as information from recruitment agencies, references supplied by former employers, background checks and information from criminal records checks permitted by law.

Your personal data is also collected through your use of our company systems, such as IT and your corporate e-mail account.

Personal data is stored in a range of different places, including in your personnel eFile, in our HR management systems, and in other IT systems (including email system).

Why do we process personal data?

We only process your personal data where we have a lawful basis to do so under data protection law.

We need to process personal data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your personal data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.

In some cases, we need to process personal data to ensure that compliance with legal obligations. For example, to check an employee's entitlement to work in the UK, Ireland, Spain, Portugal, France or Brazil, to deduct tax, to comply with health and safety laws, to enable employees to take periods of leave to which they are entitled, and to consult with employee representatives if redundancies are proposed or a business transfer is to take place.

For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question.

In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Our legitimate interest may also overlap with another lawful condition for processing your personal data, such as performance of a contract between the organisation and you or a legal obligation.

We only process special categories of more sensitive personal data, or data about criminal convictions and offences, where necessary and authorised by data protection law, for example for the purposes of employment, occupational health, equality monitoring, prevention and detection of crime, safeguarding, occupational pensions, regulatory requirements and legal claims.

Processing Candidate and Staff personal data allows us to:

manage the recruitment of Staff, including keeping Candidates informed of existing and new opportunities that are suitable and likely to be of interest, communicating with Candidates regarding the recruitment process, assessing Candidates’ skills, qualifications and suitability for the role, undertaking interviews and other assessment processes, assessing legal eligibility to work in the UK, Ireland, Spain, Portugal, France or Brazil, undertaking background screening, and running promotion processes;
maintain accurate and up-to-date recruitment records;
maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
operate and keep a record of employee performance and related processes, training, to plan for career development, and for succession planning and workforce management purposes;
operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the we comply
with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
manage and administer your benefits, including remuneration, payroll, pensions, tax, insurance, and other related benefits. This includes disclosure to our parent company, payroll providers, accountants, occupational health providers, insurers, pensions administrators, and legal advisers;
ensure effective general HR and business administration, including conducting employee engagement surveys, providing references on request for current or former employees, and responding to internal and external audits and risk management processes;
fairly determine allegations raised through our grievance or disciplinary processes;
respond to and defend against legal claims;
facilitate business travel, conference attendance, and other related bookings;
manage collective agreements for administering collective employee arrangements where these are in place;
maintain and promote equality in the workplace, by monitoring equal employment opportunities in categories such as age, gender, ethnicity, nationality, religion, disability, marital status and sexual orientation. Such monitoring would be conducted in full compliance with data protection law governing the use of such categories of personal data.
Undertake statistical analysis and research in the context of employment, including predictive modelling and people planning.

Who has access to personal data?

Your information may be shared internally, including with members of HR and Payroll, your line manager, managers in the business area in which you work and IT staff if access to the personal data is necessary for performance of their roles and through the day-to-day operation of the organisation.

Your personal data may also be shared with employee representatives in the context of collective consultation on a redundancy or business sale. This would be limited to the information needed for the purposes of consultation, such as your name, role and length of service.

We share your personal data with third parties in order to obtain information from recruitment agencies, pre-employment references from other employers, obtain employment background checks from third-party providers, and obtain necessary criminal records checks from the Disclosure and Barring Service.

We also share your personal data with third parties that process personal data on our behalf, in connection with payroll, employee training and development, the provision of benefits, and the provision of occupational health services and IT services.

We may also share your personal data with third parties in the context of a sale of some or all of our business. In those circumstances the personal data will be subject to confidentiality arrangements.

We may transfer your personal data to countries outside the European Union where necessary for the purposes set out in this Privacy policy, such as where our IT service providers process data outside of the the European Union. We will only do this, or allow our suppliers to do so, where we are satisfied that your data is protected by equivalent laws and/or appropriate safeguards. To obtain further information, please contact us using the details below.

How do we protect your personal data?

We take the security of your personal data seriously and have internal policies and controls in place to try to ensure that your personal data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by individuals in the performance of their duties. Systems are restricted to those requiring access to the information contained therein.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of personal data.

Vidrala is firmly committed to protecting personal data and applies the principles of privacy by design and by default, in accordance with Article 25 of the General Data Protection Regulation (EU) 2016/679 (GDPR). The company ensures that data protection is embedded into all processing activities, systems, and services from the outset and throughout their entire lifecycle.

In line with Article 32 of the GDPR, Vidrala adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where applicable, the pseudonymisation and anonymisation of personal data. These measures are designed to prevent unauthorized access, disclosure, alteration, or destruction of data and to uphold the principles of integrity and confidentiality.

By default, only the personal data necessary for each specific purpose is processed, and access is limited strictly to authorized personnel in accordance with the principle of data minimisation.

For how long do we keep your personal data?

Candidates

We will retain your personal data within our application tracking system for as long as you have maintain an active account. You can manage your account using your login, including managing your communication preferences and personal data. If your account is inactive for a period of 6 months we may delete your account and personal data sooner.

For legal reasons, we may retain your personal data for an additional period of up to 6 months after we have communicated to you our decision about whether to appoint you.

Staff

We will hold your personal data for the duration of your employment. The periods for which your personal data is held after the end of employment are in line with official guidance and the principles of data minimisation. Specific details are as follows:

Type of employment record	Retention period
Personnel and training records	6 years after termination of employment
Working time records	3 years
Annual leave records	6 years
Payroll and wage records	6 years from the end of the financial year in which payments were made
PAYE records	6 years from the end of the financial year in which payments were made
Maternity records	3 years after the end of the tax year in which the maternity period ends
Current bank details	Until the final salary payment is made
Records of advances and loans made to employees	6 years after repayment
Death benefit nomination/revocation forms	6 years after payment of benefit or termination of employment
Reportable accident, death or injury in connection with work	3 years and 6 months
Disclosure and Barring Service (DBS) checks and criminal record data	Deleted after recruitment unless relevant to ongoing employment; then deleted once the conviction is spent unless exempt
Right to work checks	2 years after termination of employment

Although the retention periods outlined are based on the principles and guidance of the European General Data Protection Regulation (GDPR), the applicable retention period will ultimately depend on the local legislation of the country where the employing entity is established.

What if you do not provide personal data?

If you are a Candidate and fail to provide personal data when requested, which is necessary for us to consider your application (such as personal details and evidence of qualifications or work history), we will not be able to process your application successfully.

If you are an employee, you have some obligations under your employment contract to provide us with personal data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.

You may also have to provide us with personal data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the personal data may mean that you are unable to exercise your statutory rights.

Automated decision-making

Employment decisions are not based solely on automated decision-making.

Your rights

You have a number of legal rights with regard to your personal data:

Request access – in certain circumstances, and subject to exemptions, you can request a copy of your personal data that we hold about you (known as a ‘subject access request’).

Request correction – you can ask us to amend and update inaccurate or incomplete personal data.

Request erasure – in certain circumstances, you can as us to delete or stop processing your personal data, for example where the personal data is no longer necessary for the purposes of processing.

Object to processing – you have the right to object to the processing of your personal data where we are relying on our legitimate interests as the legal ground for processing.

Request restriction – ask us to stop processing personal data for a period if data is inaccurate or there is a dispute about whether or not your interests override the Company’s legitimate grounds for processing personal data.

Request transfer – you can ask us to transfer a copy of your personal data to you, or a third party you chose, in a structured, commonly used, and machine-readable format.

Right to be informed – this policy and associated data privacy information provides you with the information about the processing of your personal data, but should you have any more questions you are entitled to ask us.

We aim to respond to all legitimate requests within one month but occasionally it may take us longer if the request is particularly complex or you make numerous requests. Requests can be made verbally or in writing. Please note that in some circumstances we may be entitled to refuse your request in accordance with data protection law.

You can also withdraw your consent to the processing of your personal data (where we rely upon this to process your personal data) and prevent further processing if there is no other legitimate or lawful reason for us to do so. You can withdraw your consent at any time, but it may affect our ability to provide certain services to you. For the avoidance of doubt, the vast majority of the personal data we process about you through the recruitment process, during and after employment does not rely upon your consent as a lawful basis to process.

If you would like to exercise any of these rights, please contact careers.group@vidrala.com.

Candidates can directly manage their communication preferences and personal data (including requesting deletion of personal data or opting-out of certain communications sent via our application tracking system) using their login.

Anonymous data

We or third parties may create anonymous data from the personal data of Candidates and Staff, for example statistics and reports. Such anonymous data is not subject to data protection law and may be used by us or third parties for the purposes set out in this policy or for other purposes but only where individuals cannot be identified from that data.

Where you request deletion of your personal data, or we no longer need to retain your personal data, rather than delete your personal data we may anonymise it instead, so long as you can no longer be identified from that data.

Raising a query or concern

If you have any queries or concerns about the personal data, we process about you we will endeavour to address them with you. Please contact careers.group@vidrala.com.

Personal Data Breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If Vidrala considers that there may have been a personal data breach, an investigation will be carried out to consider whether this poses a risk to people. The investigation will consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach.

Once the investigation is complete, if it’s likely there will be a risk then we will notify the data protection authority responsible for data protection regulations within 72 hours, and if this is a high risk, we must inform you of the breach; if it’s unlikely then we don’t have to inform you of the breach.