1.1 Cybin Irl Limited (“Cybin”) holds personal data about employees, applicants, contractors and other individuals for a variety of business purposes.
1.2 This policy sets out how Cybin (“we”, “us”, “our”) seeks to protect the personal data of our employees, consultants and contractors (“you”, “your”). We are the “data controller” of your personal data in relation to your employment/engagement with us.
1.3 If you have any questions about the content of this policy or other comments, including concerns that the policy is not being followed, you should contact firstname.lastname@example.org.
2.1 This policy applies to the following:
Relationship to Cybin
3.1 We will use your personal data in accordance with the applicable data protection laws and rights of individuals as set out below.
3.2 We will observe the principles set out in law in respect of maintaining / processing your personal data and will adhere to the following principles:
3.2.1 to process personal data lawfully, fairly and transparently;
3.2.2 to obtain personal data for specific, explicit and legitimate purposes;
3.2.3 to be adequate, relevant and not excessive in relation to the purposes for which it is used;
3.2.4 to keep personal data accurate and up to date (and where inaccurate such data to be erased or rectified without delay);
3.2.5 not to keep personal data for longer than is necessary for the purposes for which it is used; and
3.2.6 to keep personal data secure to prevent unauthorised processing and accidental loss, damage or destruction, using appropriate technical or organisational measures.
4. INFORMATION WE MAY COLLECT ABOUT YOU
4.1 We may hold certain personal details about you, including:
4.1.1 name and contact details;
4.1.2 date of birth;
4.1.3 PPS number;
4.1.4 copy of government issued identification;
4.1.5 applications for vacancies and CVs;
4.1.6 bank account details, payroll records and tax status information;
4.1.7 interview records;
4.1.9 next of kin and emergency contact details;
4.1.10 offers of employment;
4.1.11 statutory statements of terms and conditions;
4.1.12 disciplinary and grievance records;
4.1.13 performance appraisals and similar reviews;
4.1.14 promotions or career development, internal and external courses and education records;
4.1.15 notes of informal meetings and interviews;
4.1.16 relocation details;
4.1.17 allowances and expenses;
4.1.18 training and development details;
4.1.19 all core and voluntary benefits;
4.1.20 salary, remuneration payments including tax and social insurance;
4.1.21 pension payments or administration;
4.1.22 additional payments and bonuses;
4.1.23 work permits and right to work information;
4.1.24 attendance records;
4.1.25 health and safety records (including proof of vaccination and covid testing results, as applicable);
4.1.26 surveys, questionnaires and personality profiles;
4.1.27 business development information; and
4.1.28 information within and/or attached to internal emails and documentation.
4.2 Where you use a username / email address and password to log on to Cybin’s systems (whether or not these are provided by third parties, e.g. Microsoft and Google), this information will be stored solely for the purpose of allowing you to log on to such systems.
5. WHERE DO WE GET THE PERSONAL DATA FROM?
5.1 Cybin obtains personal information about you from a number of sources including:
5.1.1 from you, when you provide us with your personal data, for example when you fill out forms, apply for roles, provide us with your contact details and the contact details of your next of kin/family, provide us with payment details, request reimbursement of expenses, provide us with information in connection with pensions, provide us with details of your right to work, or provide us with any further information in connection with your employment / engagement;
5.1.2 through creating and maintaining Cybin’s own internal records, including interview records, statutory statements, terms and conditions, disciplinary and grievance records, performance appraisals and reviews, promotions and career development review records, meeting and interview notes and records, training records, relocation records, records of payments and expenses and records relating to pensions, attendance records, and business development information, and through the creation and maintenance of other records relating to your employment / engagement; and
5.1.3 from third parties, for example where you provide us with references, provide us with your job application, or provide us with other information relating to your employment / engagement.
5.2 We also collect information about your next of kin and/or family for the purposes of contacting them in an emergency and in connection with your pension (or other benefits where they are a beneficiary), where appropriate.
5.3 A failure to provide the relevant personal data for the purposes set out below (“Reasons we use your personal data”) may significantly hinder our ability to provide you with your employment rights and benefits.
6. SPECIAL CATEGORIES OF PERSONAL DATA
6.1 Cybin may collect certain special categories of personal data about you for the purposes of:
6.1.1 where appropriate, in connection with seeking medical records;
6.1.2 assessing working capacity; or
6.1.3 otherwise because we have to by law.
6.2 Special categories of personal data will be handled with the utmost confidentiality in accordance with this policy.
7. REASONS WE USE YOUR PERSONAL DATA
7.1 We process your personal data to fulfil our contract with you, in order to discharge our legal obligations as an employer and as a business, and for our legitimate business and operational interests.
7.2 In some cases we may use your personal information to pursue our legitimate interests, provided your interests and fundamental rights do not override those interests. Cybin has a legitimate interest in processing your personal data in connection with your employment as:
7.2.1 both you and we benefit from the effective operation of Cybin as a business and through the effective discharge of our obligations;
7.2.2 we only process your personal data so far as is necessary in connection with your employment / engagement at Cybin; and
7.2.3 Cybin has implemented appropriate safeguards and principles for processing your personal data, as set out in this policy, which ensure that our processing of your personal data does not unreasonably intrude on your privacy.
7.3 The situations in which we will use your personal data are listed below:
7.3.1 Making a decision about your recruitment or appointment.
7.3.2 Determining the terms on which you work for us.
7.3.3 Checking you are legally entitled to work in the EU.
7.3.4 Paying you and deducting tax and contributions.
7.3.5 Providing benefits to you.
7.3.6 Enrolling you in a pension arrangement, as applicable.
7.3.7 Administering the contract we have entered into with you.
7.3.8 Business management and planning, including accounting and auditing.
7.3.9 Conducting performance reviews, managing performance and determining performance.
7.3.10 Making decisions about salary reviews and compensation.
7.3.11 Assessing qualifications for a particular job or task, including decisions about promotions.
7.3.12 Gathering evidence for possible grievance or disciplinary hearings.
7.3.13 Making decisions about your continued employment or engagement.
7.3.14 Education, training and development requirements.
7.3.15 Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work.
7.3.16 Ascertaining your fitness to work.
7.3.17 Managing sickness absence.
7.3.18 Complying with health and safety obligations.
7.3.19 Preventing fraud.
7.3.20 Monitoring your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, platform, device identifiers and other technology on the devices you use to access our information and communication systems and/or ensure compliance with our IT policies.
7.3.21 Ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
7.4 Cybin will ensure, so far as is possible, that the information held about you is accurate and, where necessary, kept up to date. However, it is your responsibility to ensure that any changes to your information held by us are provided to email@example.com, your line manager or your usual contact as soon as possible. In the absence of evidence to the contrary, Cybin will assume that the information provided by you is accurate. If there is any reasonable doubt as to the accuracy of the data, we will contact you to confirm the information. Should you inform us, or should we otherwise become aware, of any inaccuracies in the information, the inaccuracies shall be rectified promptly.
8. HOW LONG WE KEEP YOUR PERSONAL DATA
8.1 Cybin keeps your personal file in a secure, electronic format. We also keep other information about you, including health and safety information. All such records are stored in accordance with this policy.
8.2 For legal reasons, we will generally keep your personal file for the duration of your employment / engagement and for up to 7 years following the termination of your employment / engagement. Other personal information will be kept for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When determining the relevant retention periods, we consider guidelines issued by relevant data protection authorities, as well as the time periods needed to comply with applicable regulations and laws, to meet regulatory and financial reporting obligations, for tax, accounting and audit purposes, and to fulfil and protect our contractual and legal obligations and rights.
9. WHO DO WE SHARE YOUR INFORMATION WITH AND WHERE ARE THEY BASED?
9.1 Cybin may transfer your personal data to third parties, including Cybin affiliates and subsidiaries, suppliers or service providers, benefits providers, HR support, travel agencies, insurers, medical advisors, professional advisors, pension schemes, providers of psychometric testing and surveys, and tax authorities. Personal Data may be shared with other third parties at your own request.
9.2 Some of these third parties will be based outside of the EEA. Where your information is transferred to any third party, we will ensure an agreement is in place between Cybin and such third-party on terms which protect your personal data. Where such third party is based outside of the EEA, we will include extra terms in our agreement to allow the data to be shared (and adequately protected) outside of the EEA.
9.3 Personal data will also be transferred to the relevant entities within our group where we use shared IT platforms or systems or receive services from other group members. For example, human relations services, payroll service providers, IT support services, travel agencies, insurance and group benefits providers, banking and financial services, applicable regulators and other government authorities.
9.4 As your personal data is shared across the Cybin group, it will be transferred outside of the EEA (namely to Canada and the USA). We are able to share your personal data in this way, as there is an agreement in place between the Cybin group, on terms which protect such data and allow it to be shared outside of the EEA.
10. HOW WE STORE YOUR DATA
10.1 Your information is stored and handled in accordance with the principles set out in this policy. We protect your personal data by ensuring that all of our people who are involved in processing personal data do so in accordance with the principles set out in this policy.
Cybin keeps your personal file in a secure, electronic format. We have also put in place measures to ensure the security of the information collected and its correct use. These are appropriate to the nature of the information and to prevent unauthorised access. Security measures include protected access to HR documentation.
11.1 Cybin is ultimately responsible for all business communications but, so far as possible, your privacy will be respected. We may monitor and record your communications and use of websites for reasons which include: ensuring that our procedures, policies and contracts with you are adhered to; complying with any legal obligations; monitoring standards of service, your performance, and for your training; preventing or detecting unauthorised use of our IT systems or criminal activities; and maintaining the effective operation of our IT systems.
11.2 You should be aware that such monitoring might reveal special categories of personal data about you. For example, if you regularly visit web sites of a particular political party or religious group, then those visits might indicate political opinions or religious beliefs.
11.3 All incoming email is scanned using virus-checking software. The software will also block unsolicited marketing email (spam) and emails which have potentially inappropriate attachments.
12. WHAT RIGHTS DO YOU HAVE?
12.1 Individuals are entitled (subject to certain exceptions) to request access, rectification, deletion, restriction and portability in relation to information held about them. It should be noted that there are certain restrictions on the information to which individuals are entitled under applicable laws.
12.2 Any employee who would like to correct or request information that Cybin holds relating to them or exercise any of their rights below should contact firstname.lastname@example.org.
ACCESS YOUR PERSONAL DATA
How may I access my personal data?
This will include but is not limited to employee records. You have the right to make a request to access your personal data by writing to email@example.com.
What happens next?
Your request will be dealt with promptly and the information to which you are entitled will be provided to you no later than one month (except in extenuating circumstances, for example in the case of excessively large requests) from when we receive your request, subject to the requirements and exemptions of the data protection laws. If such extenuating circumstances mean we are unable to comply with your request within one month, we will tell you as soon as possible about this delay.
REQUEST YOUR DATA IS RECTIFIED
You may request that your personal data is rectified either where the personal data is inaccurate or to request we complete any incomplete information (e.g. by way of supplementary statement).
What happens next?
Your request will be dealt with promptly and without undue delay (no later than within one month). Please be aware that Cybin will only rectify factually inaccurate information. Opinion based “personal data” (for example performance reviews / appraisal documentation) will not fall under the scope of personal data we can rectify.
REQUEST YOUR DATA IS DELETED
You have a right to request Cybin deletes information held about you in certain circumstances (e.g. where we no longer have the right to process the information). If you wish Cybin to delete some (or all) of your personal data, you should apply in writing to firstname.lastname@example.org.
What happens next?
Your request will be dealt with promptly and without undue delay (no later than within one month), subject to the requirements and exemptions of the data protection laws. In some circumstances we will be unable to comply with your request, for example where we have legal duties or obligations to continue processing the data. It is unlikely Cybin will be able to erase certain information whilst you remain an employee / engaged with us, as it will be necessary for the purposes of your continuing employment / contract and to meet our obligations in relation to tax and other regulatory duties. This will be addressed on a case-by-case basis following a request for erasure.
RESTRICT OR OBJECT TO PROCESSING
When can I restrict the processing of my Personal Data?
You may request this in writing to email@example.com where:
· you contest the accuracy of the personal data (and so processing will be restricted for a period of time which will enable us to verify the accuracy of the personal data);
· the processing is unlawful and you oppose the erasure of personal data and request restriction instead;
· Cybin no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of a legal claim;
· you have objected to the processing based on Cybin’s legitimate interests pending the verification of whether such legitimate grounds override yours.
What happens next?
Where this right applies, we will restrict further processing of your personal data until further notice, unless we can rely on an exemption, in which case you will be notified in writing.
When can I object to Cybin processing my Personal Data?
You can object to us processing your personal data where Cybin is processing your personal data on the basis of its legitimate interests, including “profiling”. For the purposes of data protection laws, “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. To the extent we cannot demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, we will no longer process your personal data for these purposes.
What happens next?
Where this right applies, Cybin will cease processing your personal data, unless it can rely on an exemption, in which case you will be notified in writing.
WITHDRAW YOUR CONSENT
How may I withdraw my consent for you to process my Personal Data?
Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. We will always (where possible) try to offer an alternative at the time of obtaining your consent, to allow you to make a free and genuine choice. If you wish to withdraw your consent (where you have previously given it), please apply in writing to firstname.lastname@example.org.
What is data portability?
Under the data protection laws, you are entitled to receive all personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format.
Can I exercise my right to data portability?
Cybin does not consider that you will have a specific right to data portability in the context of your employment or engagement with us as:
· the processing will not be carried out on the basis of consent; and
· no automated processing is carried out in respect of our people.
13. WHERE DO I ADDRESS QUESTIONS, CONCERNS OR COMPLAINTS?
13.1 If you have a complaint or concern around the use of your personal data in the context of your employment or engagement with Cybin, please discuss this with your line manager or write to email@example.com in the first instance, who may advise you to put your complaint or concern in writing. We will try our very best to assist you and rectify any concerns or complaints.
13.2 In the event you are dissatisfied with our response, you have the right to complain to the Data Protection Commission at https://www.dataprotection.ie/
14. CHANGES TO THIS POLICY
Updated November 2021