PRIVACY NOTICE

Surrey Satellite Technology Limited (also known as “SSTL”, “we” or “us”) is committed to protecting your Personal Data. Your privacy is important to us and we want you to feel comfortable using our websites. The protection of your privacy and Personal Data is an important concern to which we pay special attention throughout our business processes.

This privacy notice tells you what to expect when SSTL collects and processes your personal information.

 

What is Personal Data?

Personal data is information that can be used to identify a person either directly or indirectly. A ‘personal identifier’ is a piece of information that can identify an individual. This definition covers a wide range of personal identifiers that constitute Personal Data, including name, address, email address, identification number, location data or online identifier.

Visitors to our websites

When someone visits www.sstl.co.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of cookies by SSTL

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

You can also manage and control the cookies we use on our Website through the use of cookies tools.

For further information about the types of cookies we use and why we use them, please refer to our Cookies Policy.

People who contact us via social media

We use third party providers, LinkedIn and Twitter, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by LinkedIn or Twitter. It will not be shared with any other organisations.

People who email us

All incoming and outgoing emails are logged as part of our security protocols. We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

People who email info@sstl.co.uk

The info@sstl.co.uk mailbox is managed by the SSTL marketing team. Where it is clear that an email is intended for a specific department, your email may be forwarded to the intended recipient where appropriate. Your message will be stored for up to one year, after which time it will be deleted.

People who email jobs@sstl.co.uk

The jobs@sstl.co.uk mailbox is managed by the SSTL recruitment team. Where it is clear that an email is intended to be an application for employment, it will follow the job application process. Your message will be stored for up to one year after which time it will be deleted.

People who email placements@sstl.co.uk

The placements@sstl.co.uk mailbox is managed by the SSTL HR team. Where it is clear that an email is intended to be an application for a placement, it will follow the placement application process. Your message will be stored for up to one year after which time it will be deleted.

People who use our Video & Conference calling services

When using SSTL’s video conferencing or voice conference calling services, personal data is collected to identify the user during the call and to provide a short call history.

People who use Microsoft Teams Conference calling service

The Microsoft Teams/conference call service is managed by Microsoft, with data stored in a UK data centre. SSTL rely on Legitimate Interests to collect and process your personal information to provide the MS Teams platform to allow communication and collaboration between our staff internally and external contacts.

For SSTL staff, your name, profile picture, job title, team, contact details, line manager name, and site details are used to create your MS Teams profile and create a contact directory which is viewable by other members of staff. This data is retained until 3 months post-employment.

For data subjects external to SSTL invited into an MS Teams meeting, your name and email address are used to send a meeting invite and identify you in a call. Details of the call including the date, time, duration, all participants and any voicemail recordings are retained for * months as part of the logging process or until deleted by the participant.

By using Microsoft Teams you are agreeing to being recorded or transcribed during meetings at the discretion of the meeting organiser. Should a meeting be recorded or transcribed, you will be notified by the presence of a banner during the call. Recordings and transcripts will be retained in line with SSTL retention schedules.

Any recorded or transcribed meetings will be saved and stored in MS Azure/SharePoint with limited access and the appropriate restrictions in place for viewing. Retention times for recordings may vary in line with the specific department and project needs.

Personal data recorded in our MS Teams environment relates either to directly consenting participants in recorded meetings or to data where we have established a legal basis for processing or explicit consent has been recorded for the business processing.

The categories of personal information held in relation to business meeting recordings and transcriptions are for the most part personal data relating to participant identity, possibly including contact information, and their personal contributions to the meeting. Where this may relate to special category personal data, please see below.

We may record or transcribe meetings in our MS Teams environment for the following purposes:

  • To establish participant identities and further contact details if required
  • To have a record and potential transcript of meeting organisers' and participants' personal meeting contributions where agreed
  • To record business and academic research, for example focus groups and research interviews, where agreed and where ethical approval has been given
  • To record business or academic meetings where requested by the meeting organiser to support ongoing dissemination and to create records of discussions, decisions and progress, where agreed
  • To support participant accessibility where agreed
  • To support specific situations that require a recorded session, for example where mandated for project or academic accreditation

No automated decision making or profiling is used in the processing of your data.

Here is a link to the Microsoft Privacy Notice.

People who use our Cisco Webex video & conference call service

The Cisco Webex video/conference call service is managed by Cisco Systems Inc. in the USA. The name and email address provided by the person joining the video call (or their phone number if joining a phone call), and call record (date and duration) are stored on the Cisco Systems Inc. servers to keep a record of calls. Personal data held by Cisco Systems Inc. is protected by the Privacy Shield framework. This data can be accessed by administrators of the Cisco Webex platform for diagnostic and fault finding purposes.

Here is a link to the Cisco Webex Privacy Notice.

Marketing bids and prospects

To the extent permitted by law or with your consent, we may use your Personal Data for marketing and promotional purposes, including communications through email or equivalent electronic means. For example, we use your Personal Data, such as your email address, to send news, or information about our products and services we think will interest you.

Your contact details may be stored in our secure contacts database. We use a third party, Kantar Media, to store business contacts. Please be aware that should you disclose business information to us this will be uploaded to the third party platform.

If you visit our premises, we may ask you for information such as dietary, mobility and personal data to ensure we can accommodate your visit with us. This information will be processed into our Outlook and deleted once the visit has ended. We may, if you are a business representative, add this to our Outlook server or MS Dynamics system for future reference.

As part of our compliance processes we may need to pass your personal data on to our parent company Airbus under their Binding Corporate Rules (BCR). For example, this may be as part of the anti-money laundering and counter terrorism compliance checks as part of the bid process. You will be informed if this happens.

Here is a link to the Airbus Privacy Notice.

Job applicants, current and former SSTL employees

SSTL is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at jobs@sstl.co.uk.

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for. 

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.

Application stage

If you use our online application system, your information will be collected by a data processor (CIPHR i-Recruit) on our behalf (please see below).

We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.

You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.

Shortlisting

Our hiring managers shortlist applications for interview. They will not be provided with your contact details or with your equal opportunities information unless you have provided it on your CV.

Assessments

We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by SSTL.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our recruitment portal for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment we will ask you for information so that we can carry out Baseline Personal Security Standard (BPSS) pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom (UK) and seek assurance as to their trustworthiness, integrity and reliability. Supplying false information or failing to disclose relevant information could be grounds for refusal/dismissal and could amount to a criminal offence.

You will therefore be required to provide:

  • Proof of your identity – you will be asked to attend our office with original documents; we will take copies.
  • Proof of your qualifications – you will be asked to attend our office with original documents; we will take copies.
  • You will be asked to complete a criminal records declaration to declare any unspent convictions.
  • We will provide your email address to the Government Recruitment Service who will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions.
  • We will contact your referees directly, using the details you provide in your application, to obtain references.
  • We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work.

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work

Post start date 

Some roles require a higher level of security clearance – this will be clear on the advert. If this is the case, then you will be asked to submit information via the National Security Vetting process to HMRC. HMRC will be the data controller for this information.

HMRC will tell us whether your application is successful or not. If it is unsuccessful, SSTL will not be told the reason(s) why but we might need to review your suitability for the role or how you perform your duties.

Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party. If you complete a declaration, the information will be held on your personnel file.

Use of data processors

Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

i-Recruit

If you use our online application system, you will provide the requested information to i-Recruit, a service managed by CIPHR, who provide this online service for us. Once you click ‘apply now’ you will be taken to the i-Recruit website, where they hold the information you submit, but SSTL will have access to it.

Here is a link to their Privacy Notice.

CIPHR

If you accept a final offer from us, some of your personnel records will be held on CIPHR which is an internally used HR records system.

Here is a link to their Privacy Notice.

Airbus

Once your employment commences, your employment status and details are passed on to our parent company Airbus under their Binding Corporate Rules (BCR). This is to record your employment record with the organisation and to allow you to enjoy benefits such as your pension.

Here is a link to their Privacy Notice.

How long is the information retained for?

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.

Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.

Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.

i-Recruit will provide us with management information about our recruitment campaigns. This is anonymised information which tells us about the effectiveness of campaigns, for example, which source produced the most candidates, and equal opportunities information for monitoring purposes. This anonymised information will be retained for up to 6 years from the end of the campaign.

How do we make decisions about recruitment?

Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.

You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing jobs@sstl.co.uk.

Customer Engineers and Customer Visitors

What is a Customer Engineer or Customer Visitor?

Within SSTL we have training programmes whereby our customers send their own engineers for training, working alongside SSTL engineers to build a satellite together; these are known to SSTL as Customer Engineers (CEs). Customers may also send people to visit SSTL; these are known as Customer Visitors.

What happens to the data the Customer Engineer or Customer Visitor shares with SSTL?

All of the information provided during the application process, visa process, appointment and management of the Customer Engineer's or Customer Visitor's stay whilst with SSTL will only be used for the purpose of progressing applications, or to fulfil legal, contractual or regulatory requirements as necessary, as well as ensuring UK Tax Laws and the general wellbeing of the Customer Engineers or Customer Visitors are met.

Types of data that may be requested and processed are: name and contact details (including address and telephone numbers), date of birth, immigration and passport details. These details differ from Customer Engineer to Customer Visitor and the data will be retained for as long as your visit and may be kept up to 7 years post visit to fulfil contractual or legal obligations including but not limited to financial obligations and security reasons. We will not retain data for longer than is necessary.

Your personal data is sent to internal departments, for example payroll, finance and security, to allow SSTL to support your application and yourself whilst seconded to us in the UK. Your personal data is also shared with the Home Office for immigration purposes and HMRC for tax obligations whilst you are in the UK.

SSTL will not share any of the information provided with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information provided will be held securely by us and/or our data processors whether the information is in electronic or physical format.

Customer Support

SSTL offers two principal mechanisms for Customer Spacecraft support.

Non-Emergency Support

Non-emergency support provides technical support through a helpdesk system. Any support requests submitted will be received by the Spacecraft Operations team, or the operator on-call, should the request be submitted out of hours.

For out-of-hours support, a mobile telephone number will be provided which will allow you to contact the operator on-call in the case of a critical spacecraft issue.

Depending on the nature of the request, the Spacecraft Operations team may contact you by email or telephone for further details, or to inform the requestor of any changes. The details of the request and subsequent contact details may be passed on to the relevant engineering departments when necessary.

Emergency Support

Emergency support will be given directly by phone or email using contact details provided by the customer, or by an SSTL operator taking direct control of the satellite through our own ground station network. This could also include remote support, whereby an SSTL operator will log in directly to a customer's Operations Centre to take control of a satellite, or to oversee a pass and give direction if appropriate.

For remote support and for SSTL to be able to operate the spacecraft from our own ground station, details of computer hostnames/IP addresses, passwords and encryption keys (where necessary) will be requested.

Customer feedback

When feedback is given to our customerfeedback@sstl.co.uk address, this information is stored within our servers. The personal data may contain name, role, email and postal address, telephone number and opinions on SSTL and SSTL staff members. The information is stored in a mailbox and will be archived 1 year post contact and deleted 10 years post contact. At any time, your rights as a data subject can be exercised to erase or rectify this data.

What is the basis for processing of your Personal Data?

As a responsible company, we need a lawful basis for collecting and/or processing your data. We generally rely on a number of grounds (reasons) for our business processing.

We process your Personal Data in accordance with the provisions set out in the GDPR and the relevant applicable Data Protection Laws and Regulations. The purposes for processing your Personal Data are:

To comply with contractual obligations.

When you enter a contract of employment with SSTL, we will need certain information such as bank details.

As a result of your consent.

When you have consented to the processing of your Personal Data by us for certain services through the Website, you can withdraw consent at any time by following the instructions provided in the application process or by contacting us at data.protection@sstl.co.uk. For further information on the right of withdrawal, please see the section “Am I obliged to provide my Personal Data?” below.

Within the scope of a legitimate interest.

On occasion we may not need your permission to use your data, given our legitimate interest to do so, but we must inform you that we do this; examples of this are:

  • providing product information requested or in response to queries raised;
  • recruitment;
  • performance of the employment contract (including discharge of obligations laid down by law or collective agreements);
  • management, planning and organisation of work;
  • equality and diversity in the workplace;
  • health and safety at work;
  • protection of an employer’s or customer’s property;
  • exercise and enjoyment (on an individual basis) of rights and benefits related to employment;
  • termination of the employment relationship;
  • the analysis and optimisation of the website;
  • ensuring IT security and the IT operation of SSTL;
  • prevention and investigation of criminal acts.

On the basis of SSTL’s legal obligations or in the public interest.

SSTL, as any other company, is subject to legal obligations and regulations. In some cases the processing of your Personal Data will be necessary for SSTL in order to fulfil these obligations.

Who may receive your Personal Data?

  • Authorised persons working for or on behalf of SSTL;
  • Airbus Group SE and affiliates of SSTL, on a need-to-know basis for the purposes as outlined in this Privacy Notice;
  • Our agents, service providers and advisers (e.g. third party service providers and advisers providing the variety of products and services we need such as recruitment, compliance and security services, etc.);
  • Law enforcement or government authorities where necessary to comply with applicable law.

Will your Personal Data be transferred to a third country outside the United Kingdom (UK)?

SSTL processes your Personal Data mostly in the UK. On occasion Personal Data is transferred on a need-to-know basis to entities outside the UK.

If SSTL arrange the launch or a visit on a customer’s behalf we may need to pass on the appropriate personal details to the relevant people.

How long will your Personal Data be stored?

We process and store your Personal Data for as long as is required to meet our contractual and statutory obligations. If your Personal Data is no longer required for the performance of the contractual or statutory obligations, it will be erased on a regular basis unless further processing is necessary, for instance, for preserving particular evidence under the applicable Data Protection Laws and Regulations, or in the context of legal liabilities limitation.

Security

We use technical and organisational security measures in order to protect the data we have under our control against accidental or intentional manipulation, loss, destruction and against access by unauthorised persons.

Our security procedures are continually enhanced as new technology becomes available.

What are your rights and how to exercise them?

You may at any time exercise your data protection rights:

  • Right to access/obtain a report detailing the information held about you: You have the right to obtain confirmation as to whether or not your Personal Data is being processed by SSTL and if so, what specific data is being processed.
  • Right to correct Personal Data: You have the right to change any inaccurate Personal Data concerning you.
  • Right to be forgotten: In some cases, for instance, when the Personal Data is no longer necessary in relation to the purposes for which it was collected, you have the right for your Personal Data to be erased.
  • Right to stop the processing of your data: You have the right to restrict the processing of your Personal Data by SSTL, for instance when the processing is unlawful and you oppose the erasure of your Personal Data. In such cases, your Personal Data will only be processed with your consent or for the exercise or defence of legal claims.
  • Right to data portability: Under some circumstances provided by law, you have the right to receive the Personal Data concerning you in a structured, commonly used and machine-readable format and/or transmit those Personal Data to another controller.
  • Right to object and to withdraw consent: please see the section “Am I obliged to provide my Personal Data?” below.

To this effect, please contact SSTL in writing either by e-mail at the following address: data.protection@sstl.co.uk or you can write to the address below, enclosing a copy of a document evidencing your identity.

Privacy Officer, Surrey Satellite Technology Ltd, Tycho House, 20 Stephenson Road, Surrey Research Park, Guildford, Surrey, GU2 7YE

Am I obliged to provide my Personal Data?

You may at any time object to the processing of your Personal Data or, where your consent is required, withdraw such consent by contacting us at data.protection@sstl.co.uk; however, please note that if you withdraw your consent, you may not be able to access and use certain information, features or services of the website.

How can I contact the responsible person for processing my Personal Data?

If you are unhappy with the way in which your Personal Data has been processed or should you have questions regarding the processing of your Personal Data, you may refer in the first instance to the SSTL Privacy Officer, who is available for enquiries or complaints, at the following email address: data.protection@sstl.co.uk or you can write to the address below, enclosing a copy of a document evidencing your identity.

Privacy Officer, Surrey Satellite Technology Ltd, Tycho House, 20 Stephenson Road, Surrey Research Park, Guildford, Surrey, GU2 7YE

Can I ask the competent authorities for assistance?

If you remain unsatisfied, then you have the right to apply directly to the Information Commissioner’s Office (ICO) as follows:

https://ico.org.uk/concerns/

Modification of the Privacy Notice

SSTL will update this Privacy Notice from time to time in order to reflect the changes in our practices and services and also to remain compliant with Data Protection Laws and Regulations. We will inform you of any substantial modification in how we process your Personal Data.

Privacy Notice February 2023