Privacy and Security
At Matrix SCM Limited and Group Affiliates we are committed to safeguarding and preserving your privacy when you visit our websites and applications (including, www.matrix-scm.com, www.matrix-mm.com, www.matrix-cr.net etc. – collectively the “Applications”) and provide us or one of our clients or authorised suppliers with information or when you communicate electronically with us.
Our privacy notice also explains how we manage subject access requests and the right to erasure. This privacy notice details how we comply with our legal obligations under the General Data Protection Act 2018. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
For applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR”), the company responsible for your personal data is Matrix SCM Limited and Group Affiliates.
Please note that from time to time we may update this Policy. Any amendments will be highlighted in this section so please do return and review this Policy regularly.
For the purpose of the GDPR all queries should be referred to our Head of Legal & Contracts, at firstname.lastname@example.org or by post to Matrix SCM Limited, Partis House, Davy Avenue, Knowlhill, Milton Keynes, MK5 8DS.
What type of personal data we process or collect and how do we use it?
What we collect and why:
We provide every user of our Application (whether client/internal or supplier agency) with a unique login to access the Application as part of our contractual agreements. In order to do this, we ask for name, company workplace and email address. We then use this data to ensure there is an audit trail of activity on the site (for example which users are changing what information). This ensures we have visibility of who is using the system from a data security perspective.
In addition, and in order to fulfil our contractual obligations, we may need to email the users of our system from time-to-time using their email address, either to make them aware of an update to the system or changes to pay rates on the system due to legislation such as pensions auto enrolment or national minimum wage uplifts for example, or to make them aware of training or best practice. For example: obligations under GDPR.
What we process and why:
Our client hiring organisations, as data controllers, decide what information is required from any candidate being proposed for each type of vacancy posted.
Any person wishing to apply for a role advertised through our Application are required to apply through one of the many agencies that are enrolled onto our supply chain. They cannot apply directly themselves. The information we collect on the individuals looking to apply for roles is essential to ensure the worker is eligible to work, and that they can be paid for that work. The information that we collect on each candidate varies depending on the role being applied for, such as:
- Contact details
- Education details
- Employment history
- Emergency contacts
- Immigration status
- Financial information (where we need to carry out financial background checks).
- Where appropriate and in accordance with applicable laws, we may also collect information related to your health, diversity information or details of any criminal convictions. Our clients may also ask us to record a
- candidate’s disability status, ethnical and religious background.
- In terms of documentation, the candidate must prove that they are eligible to work in the United Kingdom, can provide their working history along with references and qualifications. Depending on the role, they may also be asked to provide DBS checks, criminal convictions or driving license.
- All documents are uploaded and held in the Matrix-CR.Net system for the term of the contract with each of our clients. Documents with an expiry date are automatically deleted securely after a grace period, but new copies must be uploaded in order to continue working.
Working Candidate Data
What we process and why:
Once a candidate is working at a client hiring organisation, we process the following:
- hours they work,
- their rate of pay,
- appropriate tax and NI contributions,
- the length of the assignment, the type of assignment, and
- where that assignment is based, any incidents on that assignment and objective feedback from that assignment.
What we collect and why:
As a client of Matrix SCM Ltd and/or Group Affiliates, we need to collect certain data to allow us to perform our role as your Managed Service Provider. The information we collect is basic / non-sensitive, organizational details such as Name and address and contact details. We also hold the names and contact details of the individuals within the organization whom will access our Application.
Due to the nature of our business and the applications we provide, we also require the details of the many roles that you are looking to fill. The information we collect to support the procurement of these roles includes the job detail, location, pay rate and the hiring manager.
What we collect and why:
As a member of our supply chain we will collect basic / non-sensitive organisational details and information of the individuals whom will access our Matrix-CR.Net system. We need contact details of relevant individuals at your organisation so that we can communicate with you.
As part of the enrollment process, we will also need to obtain certain data to ensure all members of our supply chain meet our strict rules, guidelines and implement quality processes. These details include copies of documents such as Public liability insurance and Professional indemnity insurance. Documents with an expiry date are automatically deleted after a grace period, but new copies must be uploaded in order to be part of our supply chain.
Please note: Across all categories of data and depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship.
What we collect and why:
As a user logging into our application we will also record certain information about your visit. This includes how you are accessing the site (the device, browser and IP address), the dates and times of the pages you visit.
Whilst we collect corporate data on which companies visit our site and what pages they visit, which we use to understand whether organisations may be interested in our service, we do not collect data on individuals visiting the site unless an individual leaves their details in order to ask for more information about our service.
Suppliers who are interested in joining our supply chain
What we collect and why:
We may, on occasions, collect contact details from agencies who do not currently work with Matrix so we can contact an employee at that recruitment agency over email or on the phone regarding an opportunity to supply to one of our client hiring organisations.
When we do this, we do this as a legitimate interest gateway under GDPR -e.g. that it is an opportunity for the agency that would outweigh any concern over our contact regarding the opportunity.
There are 2 main ways in which we collect the data on the workers. The first is through the information entered directly into the application by the agency submitting the worker to a role. The other is when a new client comes on board they provide us with a list of their existing workers to transfer across into our Matrix-CR.Net system.
What we do with the information we collect
The information is primarily used to enable us to provide or support the provision of services to you or to allow you to provide services. In addition, we may use the information for the following purposes:
- To meet our contractual commitments to you.
- To report to our Clients and Suppliers on their/our performance of contractual duties to each other, to us or to you.
- To notify you about any other information which relates to the services you receive or provide.
- To provide you with information requested from us, relating to our services.
- To notify you about any changes to the Applications such as improvements or service changes or to issue contractual notices.
The information we collect on candidates looking for roles is essential to verify who the person is, that they are eligible to work for our clients and to allow us to provide HMRC with the correct details for tax purposes. For all candidates, we hold their information for the next time they are submitted to a role as it is usual for agency workers to be hired many times across many of our clients. The information is never shared with any third party, nor is the data transferred outside of the UK.
The information we collect on our clients is purely to manage the contract you have in place with Matrix SCM and/or Group Affiliates and to allow the appropriate people to login and use the system successfully.
The information we collect on our suppliers is used as part of the contractual agreements they have with Matrix SCM and/or Group Affiliates. It is vital this information is kept up to date as we regularly audit our suppliers to ensure they maintain their status on the supply chain.
The information we collect about any website user is used purely for internal purposes only to help us improve your experience of using the application. We also use this for management reporting to show usage, trends, errors and system administration. This information is not shared with any other party.
Who do we share our personal data with?
The information we hold about Candidates interested in applying for a role is only viewable by the relevant Client user who posted the role or will be the line manager for the worker. As the Managed service provider, Matrix users can also view the Candidate information in order to carry out our Pre-Employment checks and auditing procedures.
Matrix are required by law to regularly provide details of the candidates carrying out roles under the PAYE tax scheme to the HMRC. This information is extracted to a file and uploaded to the HMRC website.
The limited information we hold about our clients is either public domain or is available to members of the supplier chain whom are looking to fill roles the clients are looking to fill.
The information we hold on our supply chain members is only available to Matrix SCM and Group Affiliates except the name of the person whom is the main contact for a worker.
Where applicable, we may disclose your personal information to any affiliated company in order to run our business. This includes, where applicable, our clients and authorised suppliers.
We may also disclose your personal information to third parties where we are legally required to disclose your information or to assist fraud protection and minimise credit risk.
Cookies are small text files that are stored on your web browser in order to enable your complete usage of the Applications. They temporarily create a unique user number to track your usage for each session and to make sure that the Applications work for you at your appropriate administration levels. The Applications will store the minimal number of cookies required per session and only those that are essential for your operation of the Applications. The cookies do not store any ‘personal data’ as defined by the Data Protection Act 1998. Your usage of the Applications constitutes your acceptance of the use of these cookies.
Matrix user logins: This data may be shared internally within Matrix to understand who is doing what on the CR.NET portal, for reasons of data security and data transparency. Where we need to send a system user an email, your data is processed through our secured email service.
Agencies who are interested in joining our panel:
Where we send information regarding this opportunity via email, your data is processed through our secured email service. SUPPLIER DATA: Unless you specify otherwise, we may share your information within our company and associated third parties such as our service providers and organisations to whom we provide services.
WEBSITE USERS: Unless you specify otherwise, we may share your information with providers of web analytics services.
WORKING CANDIDATE DATA: In order to fulfil our legal obligations, we may need to share your details with third parties like HMRC to ensure your taxation is correct and to ensure adherence with regulations requirements like Oil Reporting.
How we store your personal data
Data that is provided to us is stored on our secure servers. Details relating to any transactions entered into on our site will be encrypted to ensure its safety.
We will at all times comply with the GDPR, as well as guidelines set by the Disclosure and Barring Service, and any other regulatory body governing the contracts and/or type of service Matrix SCM Limited and Group Affiliates manage.
We may keep electronic data of performance, use of services, and issues for as long as legally required in order to verify and produce internal management information and client reports or to comply with our contractual obligations.
The transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and transmission of such data is therefore entirely at your own risk. Where we have given you (or where you have chosen) a password so that you can access certain parts of our Applications, you are responsible for keeping this password confidential. You should not at any time share your username or password with third parties to allow them to access Applications. If you become aware of any unauthorised use of the Applications, you should contact us immediately in order that we may take the appropriate steps. You should only use your own password and login details to access the Applications and should not share those login details and passwords with any third parties or allow any third parties to access your own device when logged in.
How do we safeguard your personal data:
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and business measures in place. These include measures to deal with any suspected data breach.
The Matrix SCM and Group Affiliates application is hosted in a secure data centre with regular encrypted backups stored in a secondary secure location.
Information transferred between user devices and the application is carried encrypted over a secure communication (HTTPS).
We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.
How long do we keep your personal data for?
As a data processor, we abide by our data controller’s requirements on all data retention policies and facilitate these requirements unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to tax authorities or in connection with any anticipated litigation).
How can you access, amend or take back the personal data that you have given to us?
Even if we already hold your personal data, you still have various rights in relation to it and you can contact email@example.com in order to raise these rights. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise. We may also need to refer you to a data controller to help assess your rights (for example if you are a candidate that works through a recruitment agency panel for a client hiring organisation, as depending on the circumstances it is your recruitment agency panel or the client hiring organisation that will be the data controller who is best placed to assess your rights).
Subject Access Request: If you are interested to find out what data we hold on you and/or wish to request that we modify, update or delete this information, please contact us at firstname.lastname@example.org at any point and we will be happy to advise.
Please note that in order to comply with your request, we may ask you to verify your identity, or ask for more information about your request and we may decline your request, where we are legally permitted to do so, but we will explain why if we do so.
Right to object:
If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
Right to withdraw consent:
Where we have obtained your consent to process your personal data for certain activities (for example, for having a Matrix login in) you may withdraw your consent at any time.
Right to erasure:
In certain situations, you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases and we may, should a worker contact us directly, need to refer this request to the appropriate data controller to assess – for example the client hiring organisation or the recruitment agency panel) and will only disagree with you if certain limited conditions apply (these will typically be around competing legislation for example health and safety or HMRC requirements). If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
Right of data portability:
If you wish, you have the right to transfer your data from us to another data controller. We will help with this – either by directly transferring your data for you, or by providing you with a copy in a commonly used machine-readable format.
Right to lodge a complaint with a supervisory authority:
You also have the right to lodge a complaint with your local supervisory authority. This is:
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone: 0303 123 1113 or 01625 545745