Terms and Conditions

Welcome to hronline Thank you for using hronline provided by BrightHR Limited, company registration number 9282467, a subsidiary company of Peninsula Business Services Group Limited and whose registered office is situated at The Peninsula, Victoria Place, Manchester, M4 4FB. By logging in and using hronline, you are agreeing to these terms. Please read them carefully. References to ‘us’, ‘we’ and ‘our’ refer to your hronline product provided by BrightHR Limited. Using hronline

1. Do not misuse hronline. For example, do not interfere with hronline or try to access hronline using a method other than the interface and the instructions that we provide. You may use hronline only as permitted by law. We may suspend or stop providing hronline to you if you do not comply with our terms or policies or if we are investigating suspected misconduct.
2. Using hronline does not give you ownership of any intellectual property rights in it. You may not use content from hronline unless you obtain permission by us or are otherwise permitted by law. These terms grant you the right to use branding or logos but only in the appropriate place within hronline Company Defaults settings page.
3. In connection with your use of hronline we may send you service announcements, administrative messages and other information.

Your hronline Account

1. You need a hronline account in order to use it. Your account is created for you by us when your contract commences in line with “The Terms and Conditions”. If you are an administrator of your hronline account, you may not change the registration information we hold about you.
2. If you learn of any unauthorised use of your password or account, or if you suspect that someone else knows or has changed your password, please reset it so nobody else can sign in to your hronline account.
3. If you’re unable to reset your hronline account password, or you can’t sign in to your account, please email support@hronline.co.uk outlining the problem and including a phone number that we can ring you back on. Under these circumstances, you will be asked some security questions to prove your identity.

Privacy and Copyright Protection

1. The hronline privacy policy statement explains how we treat your personal and your employee’s data and protect your privacy when you use hronline. By using hronline, you agree that we can use such data in accordance with the data protection statement.
2. Copyright of all materials provided pursuant is reserved by us without whose written permission it may not be reproduced or modified.

Your Content in hronline

1. hronline allows you to submit content, which is stored in its document library. You retain ownership of any intellectual property rights that you hold in that content. It is a condition of use of hronline that you do not upload content (for example music or videos) for which you do not hold the copyright.
2. Insofar as you seek advice from Peninsula about an Employee, the limit of any shared responsibility for that employee’s data is their Forename, Surname, Start Date and Job Title. All other content relating to your employees is your sole responsibility. However, in accepting these terms and conditions, you give approval to suitably authorised Peninsula staff to review the other content about an employee in order to ensure that the advice you are given is based on the relevant data.

Modifying hronline

1. We are constantly changing and improving hronline. We may add or remove functionalities or features and we may suspend or stop a function altogether.
2. You can stop using hronline at any time but cancellation must be completed in line with “The Terms and Conditions”.
3. We may add or create new limits to hronline at any time.
4. We believe that you own your data, and preserving your access to such data is important. If we discontinue hronline, where reasonably possible, we will give you reasonable advance notice and a chance to remove information from it.
5. In the event that you request your transactional data from hronline, our responsibility would end at the point of providing you with “.csv” output files for your employees exactly as they exist within hronline. The responsibility for that data remains with you, the client.
6. hronline provides you with the ability to export most of your fixed employee data and your absence transactions to “.csv”.
7. hronline provides you with the ability to export all data stored about an individual employee to a “.csv” output file.

Our Warranties and Disclaimers

1. We provide hronline using a commercially reasonable level of skill and care and we hope that you will benefit from using it. However, there are certain things that we do not promise about hronline.
2. Other than expressly set out in these terms or additional terms, neither us nor its suppliers or distributors makes any specific promises about hronline.

Liability for our Services

1. Where permitted by law, we will not be responsible for lost profits, revenues or data, financial losses or indirect, special, consequential, exemplary or punitive damages.
2. To the extent permitted by law, our total liability for any claims under these terms, including for any implied warranties, is limited to the amount that you paid us to use hronline in the year that you claim a loss.
3. In all cases, we will not be liable for any loss or damage that is not reasonably foreseeable.

Business users of hronline

1. If you are using hronline on behalf of a business, that business accepts these terms. It will hold harmless and indemnify us and its affiliates, officers, agents and employees from any claim, action or proceedings arising from or related to the use of hronline or violation of these terms, including any liability or expense arising from claims, losses, damages, judgements, litigation costs and legal fees.

About these Terms

1. We may modify the “Terms of Use” that apply to hronline.

Data Security

Data Protection Statement of hronline which is owned and operated by BrightHR Limited

We will use the personal data provided to us only for its intended purpose, and in accordance with Data Protection Law.

Security

We are committed to ensuring that employee information is kept secure at all times, and we will implement appropriate technical and organisational measures against the unauthorised or unlawful disclosure of such information, and so as to prevent its accidental loss, destruction or damage.

Personal access to hronline will only be via a secure username and password. The username and password for each individual is unique and only allows access to their own personal information. Only certain authorised staff, who are required to have access to the personal information of other employees for the purposes of their job role, will be authorised and will have the necessary access rights to do so. They will receive relevant training and will be asked to agree to abide by the terms of this Data Protection Statement.

All users of hronline should keep their unique user and password strictly confidential. Users of hronline must notify us if they become aware of any unauthorised access, and we will notify clients of hronline should we become aware of any security breach involving loss, corruption or theft of employee information.

Storage and Encryption
The data stored on hronline is kept securely in our on-site data centre in Manchester, UK. The information is replicated to an offsite-hosted environment for disaster recovery purposes. We use 128 Bit SSL Encryption for the transportation of data and a Hash Algorithm 128 Bit for passwords. Our systems are periodically penetration tested and kept up to date with ISO 27001 best practices.

Privacy Notice for Website Visitors

This privacy policy explains how personal data is collected and used when you use our websites. It also explains how we process any data that you supply to us on this website, for instance to request a quote or to use our online services.
hronline is the Data Controller for any personal data that you supply to us during your visit to our website.
Our address is
BrightHR Ltd
The Peninsula
Victoria Place
Manchester
M4 4FB
Telephone 0844 892 2779
Email gdpr@hronline.com
What personal data we collect

The personal data collected depends on how you use our website. You can browse the site, you can fill in forms on the website to request information or quotes from us and other activities. Our website collects personal data to provide these services.
We collect information about you when you visit our website; apply for employment with us; and engage in business dealings with us.
What we do with your personal data

When you visit our website, a record of your visit is made. This data includes your device’s IP address. That data is used completely anonymously, in order to determine the number of people who visit our website and the most frequently used sections of the site. This enables us to continually update and refine the site. If you use any forms on the website to send an email to us, a record will also be made of your email address and your telephone number.
The following table sets out how we handle your personal data and our legal basis for doing so under GDPR and the Data Protection Act 2018.

The following table sets out the categories of personal data that we obtain.

We may collect, hold, use and disclose the information collected to compile statistical data and to; maintain our database; develop/improve our website; respond to any email enquiries; notify you of any upcoming marketing, training or other events that you have opted in to; provide you with publications; manage quality control; manage systems administration; attend to compliance issues; provide you or your organisation with advice and determine suitability for employment.
We will not use or disclose your personal information for any other purpose which is not related (or in the case of sensitive information, directly related) to the above purposes without your consent, unless otherwise authorised, required or permitted under the laws of England and Wales. hronline does not sell your data to third parties.
If you no longer wish to receive information about our services, please send an email to our Data Protection and Compliance Officer (gdpr@brighthr.com) advising that you do not wish to receive further information.
Will we disclose your data?

Personal data will only be disclosed on a confidential basis to external service providers so that they can provide services such as financial or administrative services in connection with the operation of our business; and to any person (where necessary) in connection with their services, such as law enforcement, regulatory authorities, partners or advisors; or to companies within hronline in the UK.
The handling of these operations is governed by a data processing contract between us and our external service provider, ensuring a commitment to the principals of the GDPR and the Data Protection Act 2018. We ensure external service providers are only authorised to use personal data for the limited purposes specified in our agreement with them.
How long we keep your personal data

Personal data from our data subjects is retained in line with our data retention policy. hronline keeps most data for 7 years, which covers the 6 years by law in which we have to keep certain information for a minimum of 6 years plus the current year. Personal data that is no longer necessary to be kept under hronline’s data retention policy will be deleted. Under hronline’s data retention policy, there are certain exemptions in relation to financial data and health data. A copy of hronline’s data retention policy can be made available upon request.
Your Rights

You have the following rights in relation to personal data held on you by hronline:

• The right to be informed about how personal data is used – (this notice)
• The right to access a copy of personal data that hronline holds about you
• The right to rectification of any errors in personal data held by hronline
• The right to erasure of any personal data
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making including profiling

If you wish to learn more about these rights and how they operate, please look at the ICO’s website https://ico.org.uk/for-the-public/.
hronline does not operate any automated decision making systems.
You have a right to request a copy of the personal data that we hold about you. If you would like a copy of some or all of your personal data please email gdpr@brighthr.com or write to our Data Protection and Compliance Officer at The Peninsula, Victoria Place, Manchester, M4 4FB. Proof of your identity will be required for security purposes.
If you are unhappy with the response that you receive from us when you exercise your GDPR rights or Data Protection Act 2018 rights, you have the right to lodge a complaint to the ICO. More guidance about raising a complaint with us is available on the ICO’s website https://ico.org.uk/for-the-public/raising-concerns/ and for raising a complaint with the ICO, more information is available on https://ico.org.uk/concerns/.
Cookies

This website uses Google Analytics, a web analytics service provided by Google, Inc. Google Analytics sets a cookie in order to evaluate your use of this website and compile reports for us on activity on the website. Google stores the information collected by the cookie on servers in the United States and the transfer of the data to servers in the USA is governed by the EU-US Privacy Shield framework. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. More information about Google’s compliance with GDPR can be obtained from their website https://privacy.google.com/businesses/compliance.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
Other websites

Our website may contain links to other sites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policy.
How to contact us

Please review the website regularly as this statement may change from time to time. If you have any questions about our privacy policy or information we hold about you please contact:
Data Protection and Compliance Officer
Telephone 0844 892 2779
Email gdpr@brighthr.com

Privacy Notice for Client’s Employees

In accordance with the General Data Protection Regulation (GDPR), hronline have implemented this privacy notice to inform you, our client’s employee, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data. We are a data processor and your employer remains the data controller at all times. Your data may have been provided to us by the data controller or by you as the data subject.

This notice applies to users of the hronline software who are employees of our Clients.

1. DATA PROTECTION COMPLIANCE

Our Data Protection Officer, Gail Tuck, who can be contacted at:
hronline, The Peninsula, Victoria Place, Manchester, M4 4FB.
Telephone: 0808 145 3490
Email: gdpr@brighthr.com

2. DATA PROTECTION PRINCIPLES

Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

1. processing is fair, lawful and transparent
2. data is collected for specific, explicit, and legitimate purposes
3. data collected is adequate, relevant and limited to what is necessary for the purposes of processing
4. data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
5. data is not kept for longer than is necessary for its given purpose
6. data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
7. we comply with the relevant GDPR procedures for international transferring of personal data

3. TYPES OF DATA HELD

We may keep several categories of personal data about you in order to allow you to use the software. We keep this data within our secure computer systems.
Specifically, we may hold the following types of data:

1. Name
2. Address
3. Date of Birth
4. Job title
5. Contact details, for example, details of next of kin
6. Immigration status details i.e. passport number/visa number and expiry dates
7. National Insurance Number
8. Documents your employer uploads
9. Information relating to employment, i.e. absence records, development records and annual leave entitlement, sickness records, working pattern records and shift and rota patterns.

4. LAWFUL BASIS FOR PROCESSING

The law on data protection allows us to process your data for certain reasons only. We process your data for our legitimate interests in order to provide you access to and use of the software. We may also process personal data in connection with the establishment, exercise or defence of legal claims.

5. WHO WE SHARE YOUR DATA WITH

• Employees within our company who have responsibility for the provision of technical support services may have access to your data which is relevant to their function to allow them to provide technical support services to you or your employer. All employees with such responsibility have been trained in ensuring data is processing in line with GDPR.
• We may share your data with third parties to comply with a legal obligation upon us.
• We will not share your data with bodies outside of the European Economic Area.

6. PROTECTING YOUR DATA

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

7. RETENTION PERIODS

We only keep your data for as long as we need it for, which will be at least for the duration of your employer’s contract with us for the provision of the service.

8. AUTOMATED DECISION MAKING

Automated decision making means making decision about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

9. INDIVIDUAL’S RIGHTS

You have the following rights in relation to the personal data. However if you wish to exercise your rights any request should be made to your employer as the data controller. Any request made to us as the data processor will be forwarded to our data controller.

1. the right to be informed about the data we hold on you and what we do with it;
2. the right of access to the data we hold on you.
3. the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
4. the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
5. the right to restrict the processing of the data;
6. the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
7. the right to object to the inclusion of any information;
8. the right to regulate any automated decision-making and profiling of personal data.

10. CONSENT

Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.

11. MAKING A COMPLAINT

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

Data Processing

hronline will only process personal data in accordance with the User’s instructions, the User retains the responsibilities of the data controller and determines the purposes and means of processing personal data.

1. During Processing the Provider shall
   1. comply with Data Protection Law;
   2. only process the Personal Data for the purposes of performing its obligations under this Agreement and in accordance with the written instructions given by the User from time to time, unless the party is subject to an obligation under applicable law (including Data Protection Law) of the European Union or a member state of the European Union to do otherwise, in which case the party shall (unless prohibited by law) notify the User in advance of that legal obligation;
   3. notify the User immediately if an instruction from the User breaches a requirement of Data Protection Law;
   4. not disclose the Personal Data to any third party in any circumstances other than on the User’s written instructions, with the User’s specific written consent or where required to do so by applicable law (including (without limitation) Data Protection Law);
   5. with respect to the Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR , and the measures shall, at a minimum, comply with the requirements of Data Protection Law, including Article 32 of the GDPR;.
   6. ensure that all personnel with access to Personal Data:
      1. are subject to a contractual duty of confidence to hold the Personal Data in strict confidence;
      2. only process the Personal Data in the manner permitted by this Schedule;
   7. at the User’s request, provide the User with such assistance as is contemplated by Article 28(3)(f) of the GDPR;
   8. immediately notify the User in writing of each Security Incident of which it becomes aware;
   9. assist the User with all data subject rights requests received from data subjects of the Personal Data, including (without limitation) by providing to the User such assistance as is contemplated by Article 28(3)(e) of the GDPR;
   10. if it receives any complaint, notice, request (including any subject access request) or communication (whether from a data subject, data protection regulator or other person) which relates directly or indirectly to the processing of Personal Data or to either party’s compliance with Data Protection Law, it shall immediately notify the User in writing and it shall provide the User with full cooperation and assistance in relation to the same, and shall not respond to the complaint, notice, request or communication without the prior written consent of the User (except to the extent required by law), provided that the Supplier may acknowledge receipt;
   11. not transfer access or process the Personal Data outside the EEA save where expressly authorised or instructed by the User in writing to do so;
   12. not subcontract the processing of Personal Data to a sub-processor without the prior written consent of the User and in the event that the User provides its consent, the party shall (prior to the sub-processor processing the Personal Data) enter into an agreement with the sub-processor on terms that provide no less protection for the Personal Data than those set out in this Schedule and meet the requirements of Data Protection Law, and the party shall remain fully liable for the acts and omissions of each sub-processor;
   13. at the User’s option, securely return to the User or securely destroy the Personal Data, together with all copies in any form and in any media, in the party’s power, possession or control promptly following the earlier of:

1. 13. 1. termination or expiry of this Agreement;
       2. a request from the User; or
       3. if the party no longer needs the Personal Data in connection with the performance of its obligations under the Agreement;
   14. provide the User with all information requested by the User to enable the User to verify the party’s (and each sub-processor’s) compliance with this Schedule;
   15. on request supply the User with written confirmation that all facilities, premises, equipment, systems, documents and electronic data used for the processing of Personal Data by the party are compliant with the GDPR.

2. Data Processing Details

Privacy Notice for Customers

In accordance with the General Data Protection Regulation (GDPR), hronline have implemented this privacy information notice to inform you, our current and former clients, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
This notice applies to current and former clients.
We are a Data Processor of the personal data that you supply to us under your contract with us.

1. DATA PROTECTION PRINCIPLES

Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

1. 1. processing is fair, lawful and transparent
   2. data is collected for specific, explicit, and legitimate purposes
   3. data collected is adequate, relevant and limited to what is necessary for the purposes of processing
   4. data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
   5. data is not kept for longer than is necessary for its given purpose
   6. data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
   7. we comply with the relevant GDPR procedures for international transferring of personal data
2. TYPES OF DATA HELD

We keep several categories of personal data on and from our clients in order to carry out effective and efficient processes. We hold the data within our computer systems to provide our advice service and case management systems.
Specifically, we hold the following types of data:

1. personal details such as name, address, phone numbers, job title, email addresses etc for the main contact and other contacts for the delivery of the service
2. IT service use including online service access records.

3. COLLECTING YOUR DATA

You provide several pieces of data to us directly when the contract is signed, during the on boarding process and during the contract and after the contract has ended.
Personal data is kept in within the Company’s secure systems.

4. LAWFUL BASIS FOR PROCESSING

The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement or in order to effectively manage the service contract we have with you, including ensuring we can deliver the service to you.
The information below categorises the types of data processing we undertake and the lawful basis we rely on.

5. FAILURE TO PROVIDE DATA

Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract with you. This could include being unable to offer you services or administer existing contractual services.

6. WHO WE SHARE YOUR DATA WITH

All employees within hronline that handle your personal data are trained in ensuring data is processed in line with GDPR.
Data is shared with other companies within the Peninsula Group of Companies. hronline is a company within the Group. Data may be shared for the following reasons: administration of services specifically supplied by Group subsidiaries. For example, Peninsula/Croner provides employment and health and safety services. Your data is shared with GROUP companies to facilitate the delivery of all the services you are contracted to receive.
Your data is not shared with third parties, except for other reasons to comply with a legal obligation placed upon us. We have a data processing contract in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

7. PROTECTING YOUR DATA

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

8. RETENTION PERIODS

We only keep your data for as long as we need it for, which will be at least for the duration of your service contract plus 12 months from the date that service contract with us terminates, although in some cases we will keep your data for a longer period after your contract has ended. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data, as set out below:

9. AUTOMATED DECISION MAKING

Automated decision making means making decision about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

10. CLIENT RIGHTS

You have the following rights in relation to the personal data we hold on you:

1. the right to be informed about the data we hold on you and what we do with it;
2. the right of access to the data we hold on you. More information on this can be found in the section headed “Access to Data” below and in our separate policy on Subject Access Requests”;
3. the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
4. the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
5. the right to restrict the processing of the data;
6. the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
7. the right to object to the inclusion of any information;
8. the right to regulate any automated decision-making and profiling of personal data.

11. CONSENT

Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.

12. MAKING A COMPLAINT

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

13. DATA PROTECTION COMPLIANCE

Our Data Protection and Compliance Officer is:
Gail Tuck
Telephone 0844 892 2779
Email gdpr@brighthr.com