Privacy Notice for Employees and Job Applicants
Effective Date: May 9, 2025
Purpose: Surfline\Wavetrak, Inc. and its wholly owned subsidiaries (collectively or individually, as the context requires, “Surfline”) are committed to protecting the privacy and security of personal information. This privacy notice describes how Surfline collects and uses personal information about its employees, job applicants and candidates during and after their working relationship with Surfline, in accordance with applicable data protection and privacy laws (including, for example, without limitation and as applicable in the relevant jurisdictions in which the relevant individual works, the UK General Data Protection Regulation 2016 (“UK GDPR”), the EU General Data Protection Regulation 2016 (“GDPR”) and/or the California Consumer Privacy Act (“CCPA”)).
Privacy Notice: As a current or former Surfline employee, job applicant, or candidate, this notice applies to you (“you”). The relevant Surfline company is a “controller”. This means that it is responsible for deciding how it holds and uses personal information about you. Surfline is required under data protection legislation to notify you of the information contained in this privacy notice.
Changes and Notice and Procedures Review: This notice, as outlined below, may be modified from time to time and updated versions will be published and accessible to you. Where Surfline collects additional categories of personal information or uses the personal information collected for materially different, unrelated, or incompatible purposes, Surfline will post the updated notice on our intranet site or application portal and update the notice’s effective date. The notice and related procedures will be reviewed every twelve (12) months or as necessary.
Collection and Sharing of Personal Information: Surfline collects and maintains different types of personal information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or device (“personal information”) about its employees, job applicants and candidates in accordance with applicable law. For its employees, job applicants and candidates, Surfline collects the following categories of personal information from the listed sources.
Identifiers. This information is collected directly and indirectly from you, and from third parties for the purpose of conducting payroll, processing benefits, and conducting business at Surfline. This information is shared with, among others, human resource information service providers, pension and insurance providers, payroll service providers, credit reference agencies or other background check agencies and artificial intelligence technology vendors that may be leveraged by our service providers that support our recruiting, HRIS, people management, and other business functions.
Personal information categories listed in the California Customer Records statute. This information is collected directly from you for the purpose of conducting payroll, processing benefits, and conducting business at Surfline. This information is shared with, among others, human resource information service providers, pension and insurance providers, payroll service providers, credit reference agencies or other background check agencies and artificial intelligence technology vendors that may be leveraged by our service providers that support our recruiting, HRIS, people management, and other business functions.
Protected classification characteristics under California or federal law. This information is collected directly from you and from third parties who support our human resource functions and because Surfline has a legal obligation to collect this information. This information may be shared with government agencies as required by law.
Commercial information. This information is not collected by Surfline at this time.
Biometric information. This information is not collected by Surfline at this time.
Internet or other similar network activity, including computer/device logs. This information is collected directly and indirectly from you through company assets you may use. The information is collected for security purposes and is not shared with any third parties other than where we may cooperate with police and law enforcement agencies in connection with the suspicion of offences.
Geolocation data. This information is collected directly and indirectly from you through company assets you may use. The information is collected for security purposes and is not shared with any third parties other than where we may cooperate with police and law enforcement agencies in connection with the suspicion of offences.
Sensory and surveillance data. This information may be collected directly and indirectly from you through company technologies that you may use. Such information, if any, is collected for employment and security purposes and is not shared with any third parties other than where we may cooperate with police and law enforcement agencies in connection with the suspicion of offences.
Professional or employment-related information. This information is collected directly and indirectly from you, and from third parties (such as providers of references) for the purpose of assessing your employment application, any employment status, and employment performance at Surfline. This information is shared with human resource information service providers, which may include artificial intelligence vendors leveraged by such service providers.
Non-public education information. This information is collected directly and indirectly from you, and from third parties for the purpose of assessing your employment application, any employment status, and employment performance at Surfline. This information is shared with human resource information service providers, which may include artificial intelligence vendors leveraged by such service providers.
Inferences drawn from other personal information. This information is collected directly and indirectly from you, and from third parties for the purpose of assessing your employment application, any employment status, and employment performance at Surfline. This information is shared with human resource information service providers, which may include artificial intelligence vendors leveraged by such service providers.
Surfline may also collect, store and use the following more sensitive types of personal information including special categories of personal data (under EU GDPR, UK GDPR, and CCPA):
information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
trade union membership;
information about your health, including any medical condition, health and sickness records;
information about your sex life or sexual orientation;
information providing access to a financial account;
where you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision;
details of any absences (other than holidays) from work including time on statutory parental leave and sick leave;
any health information in relation to a claim made under the permanent health insurance scheme; and
where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes.
Surfline only collects and uses sensitive personal information consistent with the permissible uses under the CCPA.
Uses of Personal Information. In addition to the uses described above, Surfline may also use your personal information for the following purposes:
To fulfill or meet the reason you provided the information. For example, to make a decision about your recruitment or appointment, to determine the terms on which you work, to check you are legally entitled to work in the relevant location, enrolling in pensions, to conduct payroll and timekeeping activities, administer benefits, or scale salaries.
To exercise our rights and obligations as an employer including, without limitation, conducting performance reviews, making decisions about your continued employment or engagement, dealing with legal disputes involving you or other employees, workers or contractors, managing performance and determining performance requirements, gathering evidence for possible grievance or disciplinary hearing, making decisions about salaries, benefits and share plans, education/training, assessing qualifications for particular tasks, ascertaining fitness to work and managing sickness absences, equal opportunities monitoring, complying with health and safety obligations.
To enhance business operations through artificial intelligence technologies, including but not limited to automated processing in recruiting tools, HRIS systems, people management platforms, and other third-party service providers. Such processing may involve automated analysis and decision-making, subject to appropriate human oversight and verification of outputs.
To investigate and help prevent fraud or otherwise ensure compliance with policies and procedures.
To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
To help maintain the safety, security, and integrity of our systems, services, databases, facilities, and other assets and this may include but is not limited to monitoring your use of Surfline information and communication systems to ensure compliance with company policies and ensuring network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
As described to you when collecting your personal information or as otherwise set forth in the CCPA or other data protection laws.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Surfline’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Surfline about our employees is among the assets transferred.
With respect to EU and UK citizens, Surfline will only use your personal information when the law allows Surfline to. Most commonly, Surfline will rely on the following legal bases for processing:
Where Surfline needs to perform the contract it has entered into with you or to take steps at your request to enter into that contract.
Where Surfline needs to comply with a legal obligation.
Where it is necessary for legitimate interests pursued by Surfline or a third party and your interests and fundamental rights do not override those interests.
Surfline may also use your personal information in the following situations, which are likely to be rare: (i) where Surfline needs to protect your interests (or someone else’s interests); and (ii) where it is needed in the public interest.
“Special categories” of particularly sensitive personal information, such as information about your health, racial or ethnic origin, sexual orientation or trade union membership, require higher levels of protection. Surfline has in place appropriate safeguards for processing such data. Surfline may process special categories of personal information in the following circumstances:
In limited circumstances, with your explicit written consent.
Where Surfline needs to carry out our legal obligations or exercise rights in connection with employment, social security or social protection law.
Where it is needed in the public interest, such as for equal opportunities monitoring.
Where it is necessary to protect you or another person from harm.
Less commonly, Surfline may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
In general, Surfline will not process particularly sensitive personal information about you unless it is necessary for performing or exercising obligations or rights in connection with employment. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so.
Does Surfline need your consent? Surfline does not need your consent if it uses special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment, social security or social protection law. In limited circumstances, Surfline may approach you for your written consent to allow Surfline to process certain particularly sensitive data. If Surfline does so, it will provide you with full details of the information that it would like and the reason it needs it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with Surfline that you agree to any request for consent from Surfline.
Surfline does not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if Surfline reasonably believes that you need care and support, are at risk of harm and are unable to protect yourself.
Information about criminal convictions: Surfline may only use information relating to criminal convictions where the law allows it to do so. This will usually be where such processing is necessary to carry out Surfline's obligations. Surfline does not envisage that it will hold information about criminal convictions.
Change of purpose: Surfline will only use your personal information for the purposes for which it collected it, unless Surfline reasonably considers that it needs to use it for another reason and that reason is compatible with the original purpose. If Surfline needs to use your personal information for an unrelated purpose, it will notify you and will explain the legal basis which allows it to do so. Please note that Surfline may, in limited circumstances, process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
When might you share my personal information with other entities in the group? Surfline companies will share your personal information with other entities in their group where a group company uses the relevant computing systems and services of another group company, as part of regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and hosting of data. Surfline may share personal data relating to your participation in any share plans and pension arrangements operated by a group company with other entities in the group for the purposes of administering any share plans.
Transferring information outside of the Surfline location in which you work: Surfline companies outside the United States of America will transfer the personal information they collect about you from the location in which you work to the United States of America. There are not currently adequacy regulations in respect of the United States of America. Under GDPR this means that the United States of America is not deemed to provide an adequate level of protection for your personal information. However, to ensure that your personal information does receive an adequate level of protection Surfline has put in place appropriate measures to ensure that your personal information is treated by those third parties in a way that respects UK and EU law on data protection.
If you fail to provide personal information: If you fail to provide certain information when requested, Surfline may not be able to perform the contract it has entered into with you (such as paying you or providing a benefit), or Surfline may be prevented from complying with its legal obligations (such as to ensure the health and safety of Surfline workers).
How secure is my personal information? Surfline has put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, Surfline limits access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on Surfline’s instructions, and they are subject to a duty of confidentiality. All Surfline's third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with Surfline policies. Surfline does not allow its third-party service providers to use your personal data for their own purposes. Surfline only permits them to process your personal data for specified purposes and in accordance with Surfline's instructions. Surfline has put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so.
How long will you use my information for? Surfline will only retain your personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, Surfline considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which Surfline processes your personal data and whether Surfline can achieve those purposes through other means, and the applicable legal requirements. In some circumstances Surfline may anonymize your personal information so that it can no longer be associated with you, in which case Surfline may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the relevant company Surfline will retain and securely destroy your personal information in accordance with applicable laws and regulations.
Your rights of access, correction, erasure, and restriction:
Your duty to inform Surfline of changes: It is important that the personal information Surfline holds about you is accurate and current. Please keep Surfline informed if your personal information changes during your working relationship with Surfline.
Your rights: Under certain circumstances, by law you may have the right to:
Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information Surfline holds about you and to check that Surfline is lawfully processing it.
Request correction of the personal information that Surfline holds about you. This enables you to have any incomplete or inaccurate information Surfline holds about you corrected.
Request erasure of your personal information, subject to certain exceptions. This enables you to ask Surfline to delete or remove personal information where there is no good reason for Surfline continuing to process it. You also have the right to ask Surfline to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where Surfline is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where Surfline is processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask Surfline to suspend the processing of personal information about you, for example if you want Surfline to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party.
Surfline will not discriminate against you for exercising any of your rights.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that Surfline transfer a copy of your personal information to another party, please contact our People Operations team at [email protected] in writing.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, Surfline may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, Surfline may refuse to comply with the request in such circumstances.
Surfline may need to request specific information from you to help confirm your identity and ensure your right to access the information (or to exercise any of your other rights), for example, we may need to request your name, email address, dates of employment at Surfline, date of application or the department that you worked or applied for. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. Only you or an authorized agent may make a request related to your personal information. To designate an authorized agent to make a request on your behalf, please contact [email protected] and provide us with a power of attorney or other legally binding written document signed by you and identifying your agent. We may also verify the identity of your designated agent.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [email protected]. Once Surfline has received notification that you have withdrawn your consent, Surfline will no longer process your information for the purpose or purposes you originally agreed to, unless Surfline has another legitimate basis for doing so in law.
Data protection officer: Surfline has appointed a data protection officer (DPO) to oversee compliance with this privacy notice with respect to GDPR. If you have any questions about this privacy notice or how Surfline handles your personal information with respect to GDPR, please contact the DPO through [email protected]. You have the right to make a complaint at any time to the relevant supervisory authorities (for example, in the UK, the Information Commissioner's Office (ICO)) with respect to data protection issues.
Questions About This Notice: If you have any questions or comments about this notice or the ways in which Surfline collects and uses your information, please contact [email protected].