McCalls Catering & Events Company
Employee Privacy Policy
This Privacy Policy explains how we collect, use, retain, and disclose personal information about California residents. This Privacy Policy also explains certain rights that California residents have under the California Consumer Privacy Act (the “CCPA”), as amended by the California Privacy Rights Act (the “CPRA”).
The CCPA only applies to information about residents of California. If you are not a resident of California, you may submit a request and we may process it as described in this Privacy Policy, even though the CCPA does not require us to do so. In accepting, processing, and responding to requests by individuals who are not California residents, we will apply all the same limitations and exceptions under the CCPA to those requests as apply to requests made by California residents. We reserve the right to change or stop the practice of accepting requests from U.S. individuals who are not California residents.
Under the CCPA, “personal information” is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. This information is referred to in this Privacy Policy as “Personal Data.”
- Categories of Personal Data that We Collect
Introduction
McCalls Catering & Events Company and its subsidiaries and affiliates (the “Company” or “We” or “Our” or “McCalls”) take the protection of Personal Data very seriously. This Privacy Policy describes the types of Personal Data the Company collects from or about prospective, current and former employees, workers, and contractors (“staff” or “you”), and sets out how we collect, use, disclose and otherwise process such Personal Data. This policy does not form part of any contract of employment or other contract to provide services. We may update this policy at any time.
It is important that you read this Privacy Policy, together with any privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Generally, the entity that employs or engages you is the “data controller” in relation to your Personal Data and is the entity primarily responsible for how your Personal Data is processed. In addition, the Company may be the data controller with respect to certain centralized HR processes.
What Personal Data Do We Collect?
Before, during and after your employment or engagement with the Company, we may collect and process the following types of Personal Data about you (unless prohibited by law from doing so):
- Your biographical information, including your name, gender, date of birth, marital status, details of family members, previous job history, references, education details, social media profiles and activity, and beneficiaries;
- Your contact information, including home address, telephone number(s), personal email address, personal fax number, social media handles;
- Immigration status and other information that would allow us to verify your employment eligibility;
- Your identification information, including your National Insurance Number, Social Security Number or other social insurance number, birth certificate, government-issued identification numbers (e.g., passport number, alien registration number, national ID, Driver’s License number);
- Information about related persons, such as your spouse, domestic/civil partner, dependents, other family members, beneficiaries and emergency contacts;
- Recruitment information, including your CV, cover letter, prior work and educational history, titles, compensation, personal and professional references, right to work documentation and other information you may choose to provide on your resume or application;
- Employment records including start date, location of employment, working hours, annual leave, training records, salary, compensation history and professional memberships, information necessary to complete background checks, drug and/or alcohol tests, and other screens permitted by law, and other information reasonably necessary to administer the employment relationship with you;
- Your performance information, including management metrics, appraisals, feedback;
- Disciplinary and grievance information;
- CCTV footage and other information about you obtained through electronic means such as swipecard records;
- Photographs of you;
- Communications and internet information, your correspondence and details of internet use held on or made through the Company systems;
- Payroll information, including your salary details, details of your benefits package, bonuses (in the event the Company decides to pay a bonus and, if so, in the event that the employee is eligible to receive the bonus), bank account information and tax status information;
- Expenses and travel information, including details of travel that you undertake in connection with your employment or engagement, details of expenses you incur (including on any corporate credit card);
- Emergency contact information, including next of kin, home and business address, home and business telephone number(s), personal and business email address;
- Sensitive Personal Data about you, including race or ethnicity, religious beliefs, sexual orientation and political opinions, health information and medical and sickness records, and criminal convictions and offences data;
- Biometric information, such as your fingerprint, retinal or facial scans when you use our biometric timekeeping or security systems;
- Information needed to evaluate accommodation requests regarding potential disabilities or other health conditions; and
- Other information you provide to us, such as your feedback and survey responses where you choose to identify yourself.
We collect Personal Data in a variety of contexts, for a variety of reasons. For example, we collect Personal Data for our human resource, payroll, employee benefit, state and federal reporting, compliance obligations, training purposes, the tracking of Company vehicles, and vendor management purposes.
The Personal Data that we collect about a specific California resident will depend on, for example, our relationship or interaction with that individual. For example, the information that we collect on an employee may differ from information we collect on a contractor or consultant.
During the past 12 months, we have collected the following categories of Personal Data:
- Personal Identifiers — Personal unique identifiers, such as full name and federal or state issued identification numbers including Social Security number, driver’s license number, and passport number.
- Personal Information — Personal information, including contact details (e.g., telephone number and address), financial information (e.g., account number and balance), payment card details (e.g., credit and debit card numbers), and medical and health insurance information.
- Characteristics of Protected Classes — Characteristics of protected classes or groups under state or federal law, such as sex, disability, citizenship, primary language, immigration status and marital status.
- Internet or Online Information — Internet or online information (e.g., browsing history) and information regarding interaction with our websites, applications, or advertisements.
- Geolocation Data — Geolocation data, such as device location.
- Audio and Visual Information — Audio, electronic, visual, thermal, olfactory, or similar information, such as call and video recording.
- Employment Information — Professional or employment-related information, such as work history and prior employer, information from background checks, resumes, and personnel files.
- Education Information — Education information subject to the federal Family Educational Rights and Privacy Act, such as student records and confirmation of graduation.
- Sensitive Personal Information:
1. Social Security number, driver’s license, state identification card, or passport number.
2. Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
3. Precise geolocation.
4. Racial or ethnic origin, religious or philosophical beliefs, citizenship, or immigration status.
5. The contents of mail, email, and text messages unless we are the intended recipient of the communication.
6. Biometric information processed to uniquely identify an individual.
7. Sexual orientation, gender identity.
8. Health information.
- Sources of Personal Data
The sources from which we collect Personal Data depend on, among other things, our relationship or interaction with a specific California resident. The information below lists the categories of sources from which we collect Personal Data in different contexts.
- You and your family members (in person, online, by telephone, or in written correspondence and forms).
- Third-party websites where you can apply for jobs at the Company or take advantage of services made available to staff.
- Employment references or your previous employers.
- Our business partners.
- Background check vendors.
- Other vendors.
- Public registers.
- Your public social media profiles or other publicly-available sources.
- In the course of work-related activities throughout the period of you working for us.
- Healthcare data that you authorize to be provided to us.
- Company communications and IT systems/applications that automatically collect information about, and transmitted by, users.
- Other Company personnel.
- Public records or widely available sources, including information from the media, and other records and information that are made available by federal, state, and local government entities.
- Outside companies or organizations from whom we collect Personal Data to support human resource and workforce management activities. Examples may include operating systems and platforms, and social networks.
- Outside companies or organizations from whom we collect Personal Data as part of providing products and services, completing transactions, supporting our everyday operations, or business management and development.
- Categories of Third Parties and Our Disclosure of Personal Data
The categories of third parties to whom we disclose Personal Data about a specific individual depend on, among other things, our relationship or interaction with a specific California resident. Such third parties include:
- Outside companies or organizations, including service providers subject to appropriate confidentiality and use restrictions, to whom we disclose Personal Data as part of providing products and services, completing transactions, supporting our everyday operations, or business management and development. Examples may include internet service providers, social networks, operating systems and platforms; companies or organizations to whom we provide products or services; other parties, partners, and financial institutions; and parties involved with mergers, acquisitions, and other transactions involving transfers of all or part of a business, or a set of assets.
- Companies or individuals that represent California residents such as an accountant, financial advisor, or person holding power of attorney on behalf of a California resident.
- Government agencies including to support regulatory and legal requirements.
- Outside companies or organizations, including service providers subject to appropriate confidentiality and use restrictions, to whom we provide Personal Data to support human resource activities and workforce management. Examples may include operating systems and platforms and data analytics providers.
- Outside companies or organizations, in connection with routine or required reporting, including consumer reporting agencies and other parties.
The table below shows, for each Personal Data category we have collected, the categories of third parties to whom we disclosed for our business purposes information from that Personal Data category during the preceding 12 months.
Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes set out in this Privacy Policy to third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so, including disclosures to service providers, contractors, agents and other Company offices that perform activities on behalf of the entity that employs or engages you.
All of our third-party service providers and other entities in the Company group are required to take appropriate security measures to protect your Personal Data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
| Purpose of Processing | Potential Recipients |
| --- | --- |
| To manage staff relations ► to ensure compliance with policies and laws (including right to work), to monitor performance, for promotions and appraisals, for the performance of training and to provide information and references to future employers | · hosting service providers · future employers and their vendors |
| To store staff emails and other communications and staff created documents ► including as required in order to operate the Company’s business. These communications and documents may contain Personal Data both related to work and private matters | · hosting service providers |
| To manage staff benefits ► including administering remuneration, insurance, payroll, pensions and other benefits and tax, and recognizing staff who experience significant personal events | · accountants · occupational health providers · insurers · retirement account administrators · hosting service providers · legal advisers · third parties who assist us in these activities, such as payroll providers |
| To manage travel and corporate expenses ► including for arranging and keeping a record of travel, assessing and reimbursing expenses incurred. Please note that we will be able to see details of any personal transactions that you make using your corporate credit card as well as any transactions made for business purposes. We may share your Personal Data in connection with these purposes with third parties who assist us in these activities | · third parties who assist us in these activities, such as travel agencies · hosting service providers · accountants |
| To manage recruitment ► including eligibility for work, vetting, hires, onboarding, promotion and succession planning | · third parties who assist us in these activities, such as consultants · hosting service providers |
| To address data incidents, claims and disciplinary actions ► including in relation to claims, disciplinary actions or legal processes or requirements and conducting investigations and incident response | · claims handlers · legal advisers · loss adjustors · experts · third parties involved in handling or otherwise addressing the claim · regulators · law enforcement |
| For security purposes ► for providing IT support, security, and user authentication | · claims handlers · legal advisers · loss adjustors · experts · third parties involved in performing security services or audits |
| To comply with our legal obligations and to change our business structure ► including the disclosure of your Personal Data to third parties in connection with proceedings or investigations anywhere in the world, in response to lawful requests by public authorities, regulators and third-party litigants, including to meet national security or law enforcement requirements. We may also provide your Personal Data to any potential acquirer of, or investor in, any part of the Company’s business for the purpose of that acquisition or investment | · public authorities · regulators · law enforcement · third party litigants · potential acquirers of or investors in any part of the Company’s business |
| To manage leaves of absences and health and safety in the workplace ► including sickness absence, fitness for work, notifying family members in case of emergencies and other family related leaves | · family members |
| To conduct certain checks on you, such as background, credit checks and anti-fraud checks (as permitted by law) ► we and other organizations may access and use your Personal Data (including from other countries) to conduct background checks, credit checks and checks to prevent fraud and money laundering | · background and credit check vendors · if fraud is identified or suspected, we may pass details to the relevant authorities including credit reference agencies, law enforcement agencies and fraud prevention agencies |
| To monitor equal opportunities ► including monitoring race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity processes | · hosting service providers |
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with applicable law.
- Safeguards
We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. The safeguards may include the encryption of communications via SSL, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes. Due to the nature of the Internet and related technology, we cannot guarantee the security of Personal Data, and the Company expressly disclaims any such guarantee.
- Limiting Collection and Retention of Personal Data
We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Policy or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Policy we will notify you of the new purpose and, where required, seek your consent to process Personal Data for the new purpose.
Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected – as set out in the Privacy Policy – and any other permissible, related purposes. For example, we may retain certain information to comply with regulatory requirements regarding the retention of such data, or in the event a litigation hold is imposed. When Personal Data is no longer needed, we either irreversibly anonymize the data (and we may further retain and use the anonymized information) or securely destroy the data.
Where we maintain or use deidentified information, we will continue to maintain and use the deidentified information only in a deidentified fashion and will not attempt to re-identify the information.
- Cross-Border Transfer of Personal Data
Subject to legal requirements, the Company may transfer Personal Data from the country in which you are located to another country, including for the purposes of administering your contract or in relation to investigations or reports. The country to which your Personal Data may be transferred may not offer the same level of protection for Personal Data as the privacy laws applicable in the country where you are located. Regardless of local laws, we will safeguard Personal Data as set out in this Privacy Policy.
- Data Retention
We will keep Personal Data no longer than necessary to fulfill the purposes described in this policy. Under our record retention policy, we are required to destroy Personal Data after we no longer need it according to specific retention periods. However, we may need to hold Personal Data beyond these retention periods due to regulatory requirements or in response to a regulatory audit, investigation, or other legal matter. These requirements also apply to our third-party service providers.
Records related to applications for employment, the hiring process, employment, and termination of employment must be retained for specified periods based on federal and state law. These retention periods apply to time records, pay records, personnel files, and other records related to hiring, employment, and termination of employment.
- No Sale of Personal Data
The CCPA defines a “sale” as the disclosure of Personal Data for monetary or other valuable consideration. The Company does not sell and has not, within at least the last 12 months, sold Personal Data, including Sensitive Personal Data that is subject to the CCPA’s sale limitation. As of January 1, 2023, we do not share Personal Data for cross-context behavioral advertising within the scope of CCPA. We have no actual knowledge that we sell or share Personal Data of California residents 16 years of age and younger.
- Requests Under the CCPA (for California residents)
If you are a California resident, you have the right to request that we:
- Disclose to you the following information covering the 12-month period prior to your request (“Request to Know”). A “Request to Know” includes a request for any or all of the following:
  - Specific pieces of Personal Data that a business has collected about you.
  - Categories of Personal Data a business has collected about you.
  - Categories of sources from which the Personal Data is collected.
  - Categories of Personal Data that the business sold or disclosed for a business purpose about the consumer.
  - Categories of third parties to whom the Personal Data was sold or disclosed for a business purpose.
  - The business or commercial purpose for collecting or selling personal information.
- Delete Personal Data we collected from you (“Request to Delete”).
- Correct inaccurate personal information that we maintain about you (“Request to Correct”).
In addition, you have the right to be free from discrimination by a business for exercising your CCPA privacy rights, including the right as an employee, applicant, or independent contractor not to be retaliated against for exercising your CCPA privacy rights.
- How to Make Requests
If you are a California resident, you can make a Request to Know, Delete, or Correct by:
- Contacting us at privacy@mccallssf.com
We will ask you to provide the following information to identify yourself:
- Name, contact information, social security or individual taxpayer identification number, date of birth; and
- A copy of government issued photo ID. We accept your Driver’s license or State ID.
When you make a Request to Know, Delete, or Correct, we will attempt to verify that you are who you say you are. For example, we will attempt to match information that you provide in making your Request with other sources of similar information to reasonably verify your identity.
- Responding to Requests
Privacy and data protection laws, other than the CCPA, apply to much of the Personal Data that we collect, use, and disclose. When these other laws apply, Personal Data may be exempt from, or outside the scope of, a request to Know, Delete, or Correct. For example, information subject to certain federal privacy laws, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act, is exempt from CCPA Requests. As a result, we may decline all, or part of your Request related to exempt Personal Data. This means that we may not provide some, or all, of this Personal Data when you make a Request to Know. Also, we may not delete or correct some, or all, of this Personal Data when you make a Request to Delete or Correct.
We may not include Personal Data when we respond to or process Requests to Know, Delete, or Correct when the CCPA recognizes another exception. For example, we will not provide the Personal Data about another individual when doing so would adversely affect the data privacy rights of that individual. As another example, we will not delete Personal Data when it is necessary to maintain that Personal Data to comply with a legal obligation.
We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Data subject to the request.
- Authorized Agents
If you are a California resident, you may authorize an agent to make a request on your behalf. A California resident’s authorized agent may make a request on behalf of the California resident by using the submission methods listed above under “How To Make Requests.” As part of our verification process, we may request that you provide, as applicable:
- For an individual (“requestor”) making a request on behalf of a California resident:
  - The requestor’s name; contact information; social security or individual taxpayer identification number; date of birth; and Driver’s License or State ID.
  - The name; contact information; social security or individual taxpayer identification number; date of birth; and Driver’s License or State ID of the California resident on whose behalf the request is being made.
  - A document to confirm that the requestor is authorized to make the request. We may accept, as applicable, a signed permission by the California resident on whose behalf the request is made, copy of a power of attorney, legal guardianship or conservatorship order, or a birth certificate of a minor if the requestor is the custodial parent.
- For a company or organization (“legal entity requestor”) making a request on behalf of a California resident:
  - The legal entity requestor’s active registration with the California Secretary of State.
  - Proof that the California resident has authorized the legal entity requestor to make the request. We accept, as applicable, a signed permission by the California resident on whose behalf the request is made, copy of power of attorney, or legal guardianship or conservatorship order.
  - The name; contact information; Social Security or individual taxpayer identification number; date of birth; and driver’s license or state ID of the California resident on whose behalf the request is being made.
  - From the individual who is acting on behalf of the legal entity requestor, proof that the individual is authorized by the legal entity requestor to make the request. We accept a letter on the legal entity requestor’s letterhead, signed by an officer of the organization.
- Changes to this Privacy Policy
We may change or update this Privacy Policy periodically. When we do, we will post the revised policy on this webpage indicating when the Privacy Policy was “Last Updated.”
- Contact Us
If you have any questions or concerns about the Company’s privacy policies and practices, please contact us at privacy@mccallssf.com.