1. Purpose

Morphpackers is committed to being transparent about how we collect and use your personal data and to meeting our data protection obligations. This policy sets out our commitment to data protection and individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, workers, contractors, interns, and former employees, referred to as HR related personal data.

This policy does not apply to the personal data of clients or other personal data processed for business purposes.

We have appointed the FC as the person with responsibility for data protection compliance within the organisation. Questions about this policy or requests for further information should be directed to them.

During our activities we will process personal data (which may be held on paper, electronically, or otherwise) about job applicants, employees workers, contractors, interns, and former employees and we recognise the need to treat it in an appropriate and lawful manner, in accordance with the General Data Protection Regulation ((EU) 2016/679) (GDPR). The purpose of this policy is to make you aware of how we will handle your personal data.

2. Data protection principles

We will comply with data protection law. This states that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.

• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

• Adequate and relevant to the purposes we have told you about and limited only to those purposes.

• Accurate and kept up to date.

• Kept only as long as necessary for the purposes we have told you about.

• Kept securely.

"Personal data" means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

“Sensitive Personal data” means any special categories of personal data which specifically include generic data, and biometric data. This category of data requires a higher level of protection.

“Criminal Records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

"Processing" means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.

3. Fair and lawful processing

We will only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of your vital interests, for our legitimate interests or the legitimate interests of others. The full list of conditions is set out in the GDPR.

“Special categories” of particularly sensitive personal information require higher levels of protection. We are required to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

• To carry out our legal obligations and in line with our data protection compliance

• To assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Less commonly, we may process this type of information in relation to legal claims or to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

4. How are we likely to use your personal data

We will process data about staff for legal, personnel, administrative and management purposes and to enable the Company to meet our legal obligations as an employer, for example to pay you, monitor your performance and to confer benefits in connection with your employment.

We may process sensitive personal data relating to staff including, as appropriate:

• information about an employee's physical or mental health or condition in order to monitor sick leave and take decisions as to the employee's fitness for work.

• the employee's racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation.

• in order to comply with legal requirements and obligations to third parties.

5. Processing for limited purposes

We will only process your personal data for the specific purpose or purposes notified to you or for any other purposes specifically permitted by the GDPR.

6. Adequate, relevant and non-excessive processing

Your personal data will only be processed to the extent that it is necessary for the specific purposes notified to you.

7. Accurate Data

We will keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. You are responsible for helping us to keep your personal data up to date and should let us know if data you have previously provided changes, for example, if you move house, change bank details or change your emergency contact information.

8. Data Retention

We will not keep your personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required as specified in our Data Retention and Deletion Policy.

9. Processing in line with your rights

You have the right to:

• Request access to any personal data we hold about you (see our Subject Access Request Policy).

• Prevent the processing of your data for direct-marketing purposes.

• Ask to have inaccurate data held about you amended.

• Ask us to stop processing or delete data if you believe your interests override our legitimate grounds for processing data.

• Object to any decision that significantly affects you being taken solely by a computer or other automated process.

• Ask us to stop processing or delete data that is no longer necessary for the purposes of processing.

10.Data Security

We will ensure that appropriate measures are in place to prevent unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures, controls and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures (see our Privacy Notices).

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

11.Individual responsibilities

You may have access to the personal data of other individuals and of our customers and clients in the course of their employment, contract, or internship. Where this is the case, we rely on you to help meet our data protection obligations to staff and to customers and clients.

If you have access to personal data you are required:

• to access only data, you have authority to access and only for authorised purposes

• not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation.

• to keep data secure (for example by complying with rules on access to premises, computer access, including password protection and secure file storage and destruction).

• not to remove personal data, or devices containing or that can be used to access personal data, from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device

• not to store personal data on local drives or on personal devices that are used for work purposes; and

• to report data breaches which you become aware of immediately to the FC.

Failure to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.


We will provide awareness training to all individuals though Bob’s Business Training, about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

If your role requires regular access to personal data, or you are responsible for implementing this policy or responding to any subject access requests, you will receive further training to help you understand your duties and how to comply with them.

13.Providing information to third parties

We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the eight data protection principles.

14.Subject access requests

Individuals have the right to make a data subject access request (DSAR) and obtain:

• confirmation that their data is being processed.

• access to their personal data; and

• other supplementary information

Specific details of how to make a subject access request can be found in our Subject Access Request Policy.

15.Breaches of this policy

A personal data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or inappropriately disclosed; if someone accesses the data or passes it on without proper authorisation or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

If you consider that this policy has not been followed in respect of personal data about yourself or others you should raise the matter with your manager immediately and ensure FC is made aware of the details in writing and without delay.

It will be necessary for the Company to report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it.