GDPR Privacy Notice

1    Introduction

Picasso HR Ltd is an East Anglian Human Resources outsourcing company. Under GDPR we are a Data Controller. This means we decide how your personal data is processed and for what purposes.

At PicassoHR we know that information relating to employment can at times be highly sensitive.  We look after our clients’ data the same way we look after our own. We don’t sell personal data or make it available to any other organisation. Our Privacy Policy sets out the way in which we protect and manage your data.

We know that the data is not ours – we are merely custodians of your valuable information.

2    What do we hold data for?

We do not hold any data on Children.

2.1   As a Data Controller:

  • To manage our employees
  • For marketing and information promulgation
  • For managing business relationships in the provision of services (e.g. agreeing service provision, and accounting)

We hold some information classed as special category information under GDPR Article 9. This is health and welfare related and is held to help us discharge our duty of care for employees’ wellbeing whilst employed by us.

2.2   As a Data Processor:

  • To provide HR services on behalf of our clients

3    How do we Process Data?

We comply with our obligations under the GDPR by:

  • Ensuring personal data is accurate and correcting inaccuracies discovered or notified to us
  • Not collecting excessive amounts of information
  • Only retaining information for as long as is necessary, and in accordance with our retention policy
  • Providing appropriate protection of data confidentiality against unauthorised access and disclosure through appropriate technical, physical, and procedural measures

4    What is the Legal Basis for Processing Data?

Marketing and information promulgation is to business customers only.  We send information by email on the basis of Legitimate Interest. We do not need consent for this, but we ensure people have an easy way to opt out of any communications.

Our employee data is managed on the basis of Legitimate Interest and Contract of Employment. Processing data is required for carrying out responsibilities under Employment Law. We process data on behalf of our clients under that same basis.

5    Transfer Overseas

We do not knowingly transfer personal data overseas. Our major IT providers, Microsoft, OrangeHRM, Painting Pixels, Quickfile, MailChimp, and ICUK all have operations within the European Union and claim to be fully GDPR compliant.

6    Data Retention

We have a Data Retention Policy which can be found with our GDPR Policy. Retention periods are typically based around statutory and legal requirements.  A small number are based on industry best practice.

7    Sharing your Personal Data

Your personal data is treated confidentially and is not sold. We do not share marketing data.

It may occasionally be necessary for us to share certain information with other providers, to ensure we fulfil our duty of care to staff. This could include, for example, occupational health. In this case, the staff member will be asked for permission to do this and the data shared will be the minimum necessary. We will seek assurance that the third-party provider is GDPR compliant.

8    Website

Our website has two features that impact privacy:

  • Signing up to our newsletter
  • Cookies

Signing up for our newsletter involves data being processed via our website and is transmitted to our mailing list provider. Personal data is not retained on our web site. Communications between your browser and the website are encrypted, as are communications from the web site to MailChimp.

Cookies are used for the following purposes and are categorised according to the International Chamber of Commerce. More information can be found on our website.

Category                                               Used on our Web Site (picassohr.com)
Category 1: strictly necessary cookies                 None
Category 2: performance cookies                        None
Category 3: functionality cookies                      _ga, _gat, _gat_product. These cookies relate to Google Analytics and help us understand the usage of our site.
Category 4: targeting cookies or advertising cookies   None

9    Your Rights and Your Personal Data

To make a Subject Access Request, please write to us detailing the information that you seek. Please try to be as specific as possible, because as a small company searches can be expensive. We will charge a reasonable fee based on the administrative cost for searches that we deem to be excessive or unfounded. We will charge a fee for repeat searches, even if the original search was free. Requestors should not assume we have received the request until they have received an acknowledgement.

To make a request for deletion or rectification, please write to us or speak to us, detailing the information that you believe needs correcting, and evidence of why the data we hold is incorrect. We will confirm receipt of the request in writing.