- The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a new regulation which replaces the Data Protection Regulation (Directive 95/46/EC). The GDPR aims to harmonise data protection legislation across EU member states, enhancing privacy rights for individuals and providing a strict framework within which commercial organisations can legally operate.
- Even though the UK has expressed its intention to leave the EU in March 2019, the GDPR will be applicable in the UK from 25th May 2018. The Government intends for the GDPR to continue in UK law post Brexit and has also introduced a Data Protection Bill to replace the current Data Protection Act 1998 in due course.
- Your new rights under the GDPR are set out in this Policy but will only apply once the GDPR becomes law on 25th May 2018.
- The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person – otherwise a ‘data subject’. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as; name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- TLR is committed to complying with the GDPR and this Policy sets out the basis on which we will process personal data we collect, or that is provided to us and the rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
- This Policy applies to the personal data of our Candidates, Clients, Suppliers, Website Users, and other people whom we may contact in order to find out more about our Candidates or whom they indicate is an emergency contact.
- Please read the following carefully to understand your rights and our views and practices regarding your personal data and how we will treat it.
|2.0 DEFINITIONS USED IN THIS POLICY|
2.1 Candidates: includes applicants for all roles advertised or promoted by TLR, including permanent, part-time and temporary positions and freelance roles with TLR’s Clients; as well as people who have supplied a speculative CV to TLR not in relation to a specific job.
2.2 Clients: while it speaks for itself, this category covers our customers, clients, and others to whom TLR provides services in the course of its business.
2.3 Delete: while we will endeavour to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists on an archive system, this cannot be readily accessed by any of our operational systems, processes or Staff.
2.4 General Data Protection Regulation (GDPR): a European Union statutory instrument which aims to harmonise European data protection laws. It has an effective date of 25 May 2018, and any references to it should be construed accordingly to include any national legislation implementing it.
2.5 Other people whom TLR may contact: these may include Candidates’ and TLR’s Staff emergency contacts and referees. We will only contact them in appropriate circumstances.
2.7 Suppliers: refers to partnerships and companies (including sole traders), and atypical workers such as independent contractors and freelance workers, who provide services to TLR.
2.8 Website Users: any individual who accesses any of the TLR websites.
2.9 Data controllers: are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Regulations. TLR is the data controller of all personal data used in our business for our own commercial purposes.
2.10 Data processors: include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on TLR’s behalf.
2.11 Processing: is any activity that involves use of the personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
2.12 Sensitive personal data: includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.
|3.0 DATA PROTECTION PRINCIPLES & RIGHTS UNDER GDPR|
3.1 Anyone processing personal data must comply with the principles that are set out in the GDPR. These provide that personal data must be:
- Processed fairly and lawfully;
- Processed for limited purposes and in an appropriate way;
- Adequate, relevant and not excessive for the purpose;
- Not kept longer than necessary for the purpose;
- Processed in line with data subjects’ rights;
- Secure; and
- Not transferred to people or organisations situated in countries without adequate protection.
3.1 Broadly speaking, the GDPR provides you with the following rights, to:-
- Be Informed of what your rights under GDPR are;
- Access the personal data that is held on you;
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your data. This is also known as the ‘right to be forgotten’ and enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes;
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request the transfer of your personal information to another party in certain formats, if practicable; and
- Make a complaint to a supervisory body, which in the United Kingdom is the Information Commissioner’s Office. The ICO can be contacted through this link: https://ico.org.uk/concerns/ .
|4.0 LAWFUL FAIR AND TRANSPARANT DATA PROCESSING|
4.1 The GDPR is not intended to prevent the processing of personal data, but to ensure that it is done lawfully, fairly, for specified, explicit and legitimate purposes, transparently and without adversely affecting the rights of the data subject.
4.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the GDPR. These include, among other things:-
- for the legitimate interest of the data controller or the party to whom the data is disclosed;
- you consent to the processing;
- the processing is necessary for the performance of a contract with you; and
- the processing is necessary for the compliance with a legal obligation to which we are subject.
4.3 When Sensitive Personal Data is being processed, additional conditions must be met.
|5.0 WHO WE ARE AND WHAT WE DO|
5.1 TLR is a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003. We are both a Data Controller and a Data Processor.
5.2 As a recruitment agency and recruitment business we primarily introduce Candidates to Clients for permanent employment, temporary employment or independent professional contracts however our service also expands to supporting individuals throughout their career and to supporting business resourcing needs and strategies.
|6.0 WHY WE COLLECT AND PROCESS PERSONAL DATA|
6.1 During the course of our core business activity and delivery of ancillary services, TLR will collect, store and process personal data about prospective and placed Candidates, for permanent or temporary roles; prospective and live Client contacts; Supplier contacts to support our services; employees, consultants and other third parties that we communicate with.
6.2 In order to support our Candidates career aspirations and our Clients resourcing needs, we require a database of Candidate and Client personal data containing historical as well as current resourcing requirements. In order to maintain, expand and develop our business we need to record the personal data of prospective Candidates and Client contacts.
6.3 The exchange of personal data is a fundamental and essential process of our business. In short, therefore the main legal basis for processing personal data is our legitimate business interests.
6.4 In some instances however we are required to process personal data to carry out our obligations arising from contracts we have entered into (or intend to enter into). We can also, in certain circumstances, be required to process personal data by statute or other laws. In some instances, personal data may simply be needed to ensure our relationship runs smoothly.
6.5 Depending on the type of personal data in question and the grounds (i.e. legal basis) on which we may be collecting and processing it, we may need your consent to do so. More on the topic of consent can be found in section 11. Please note that, in certain circumstances, should you decline to provide us with consent or object to us holding personal data, we may not be able to fulfil our contractual requirements, or in certain cases, be able to continue our relationship with you.
6.6 In all circumstances, we recognise that the correct and lawful treatment of the personal data we collect, store and process will maintain confidence in TLR and will provide for successful business operations. As such TLR will only process personal data for the specific purposes set out in this Policy and the purposes for which we process personal data will be informed to you at the time we collect personal data.
|7.0 DATA PROTECTION OFFICER|
7.1 To ensure compliance with the GDPR and this Policy, TLR have appointed a Data Protection Officer (DPO). That post is held by Tina Lacey. Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to the DPO who can be contacted at [email protected].
|8.0 WHAT KIND OF PERSONAL DATA DO WE COLLECT|
- Age/date of birth;
- Birth number;
- Marital status;
- Contact details;
- Education details;
- Employment history;
- Emergency contacts and details of any dependents;
- Referee details;
- Immigration status (whether you need a work permit);
- Nationality/citizenship/place of birth;
- A copy of your driving licence and/or passport/identity card;
- Financial information (where we need to carry out financial background checks);
- Social security number and other tax related information;
- Diversity information including racial or ethnic origin, religious or other similar beliefs and physical and mental health, including disability related information;
- Details of any criminal convictions if this is required for a role that you are interested in applying for;
- Financial information including but not limited to details about your current remuneration, pensions and benefit arrangements;
- Information on your interests and needs regarding future employment, both collected directly and inferred, for example from jobs viewed or articles read on our website;
- Extra information that you choose to tell us;
- Extra information that your Referees choose to tell us about you;
- Extra information that our Clients may tell us about you, or that we find out from third party sources such as job sites; and
- The dates, times and frequency with which you access our services.
8.2 CLIENT DATA: The data we collect about Clients is actually very limited. We generally only need to have your contact details or the details of individual contacts at your organisation (such as names, telephone numbers and email addresses) to enable us to provide services to you, including; finding Candidates who are the right fit for you or your organisation and/or notifying you of content published by TLR which is likely to be relevant and useful to you. Our goal in terms of collecting data is to ensure that our business relationship runs smoothly. We may also hold information relating to your online engagement with Candidate profiles and any material published by TLR, which we use to ensure that any marketing communication we send to you are relevant and timely. We may also hold extra information that someone in your organisation has chosen to tell us. In certain circumstances, such as when you engage with our Finance and Debt Recovery teams, our calls with you may be recorded. If we need any additional personal data for any reason, we will let you know.
8.3 SUPPLIER DATA: The data we collect about Suppliers is also very limited. We generally only need to have your contact details or the details of individual contacts at your organisation (such as names, telephone numbers and email addresses) to enable us to communicate with you and make sure that our business relationship runs smoothly. So that we can pay you, we will collect bank details. We may also hold extra information that someone in your organisation has chosen to tell us. In certain circumstances, such as when you engage with our Finance and Debt Recovery teams, our calls with you may be recorded. If we need any additional personal data for any reason, we will let you know.
8.4 DATA WE RECEIVE FROM CANDIDATES AND STAFF, SUCH AS REFEREES AND EMERGENCY CONTACTS: In order to provide Candidates with suitable employment opportunities and to provide for every eventuality for them and for our Staff, we (or our Clients) may need to obtain some basic background information. We only ask for very basic contact details, so that our Clients can get in touch with a third party who has been listed as a Referee or because a third party has been listed as an emergency contact for one of our Candidates or Staff members. Whilst we do not contact Referees ourselves, we pass their details on to our Clients who may contact them so that the Candidate can secure that job they want. Emergency contact details give us somebody to call on in an emergency. So that our Clients can ask for a reference, we’ll obviously need the Referee’s contact details (such as name, email address and telephone number). We’ll also need these details if our Candidate or a member of our Staff has put a third party down as their emergency contact so that we can contact them in the event of an accident or an emergency.
|9.0 HOW DO WE COLLECT YOUR PERSONAL DATA|
9.1 CANDIDATE DATA: There are three main ways in which we collect your personal data:
- Directly from you
This is the information you give to us in order that we can provide a tailored service to you and identify the best job opportunities for you. This may include you entering your details on the TLR website, via an application form, as part of the registration process, or emailing or leaving a hardcopy CV with us.
- From other sources/third parties
Your Referees may disclose personal data about you and our Clients may disclose personal information about you. We may also receive personal data from third party sources such as LinkedIn, corporate websites, job board websites, online CV libraries, business cards, personal recommendations and any relevant social media sites. If you ‘like’ our page on Facebook or ‘follow’ us on Twitter we will receive your personal information from those sites.
9.2 CLIENT DATA: There are three main ways in which we collect Client data:
- Directly from you
This is the information you give to us in order that we can provide a tailored service to you and to make sure we have the best staff for your organisation. This may include where you contact us proactively by phone or by email, and/or where we contact you either by phone or by email.
- From other sources/third parties
Where appropriate and by way of due diligence and market intelligence we may seek more information about you or your colleagues from other sources, including but not limited to market research, online and offline media, from delegate lists at relevant events, or indeed from our Candidates in circumstances where they provide us with your details to act as a Referee.
9.4 PEOPLE WHOSE DATA WE RECEIVE FROM CANDIDATES AND STAFF, SUCH AS REFEREES AND EMERGENCY CONTACTS: In order to provide Candidates with suitable employment opportunities and to provide for every eventuality for them and for our Staff, we may need to obtain some basic background information. We only ask for very basic contact details, so that our Clients can get in touch with a third party who has been listed as a Referee or because a third party has been listed as an emergency contact for one of our Candidates or Staff members. All that is generally needed from Referees is confirmation of what they already know about our Candidate, or indeed a prospective member of Staff, so that they can secure that job they want. Emergency contact details give us somebody to call on in an emergency. To ask for a reference, our Clients will obviously need the Referee’s contact details (such as name, email address and telephone number). We’ll also need these details if our Candidate or a member of our Staff has put a third party down as their emergency contact so that we can contact them in the event of an accident or an emergency.
|10.0 HOW DO WE USE YOUR PERSONAL DATA|
10.1 CANDIDATE DATA: The main reason for using your personal data is to help you find employment or other work roles that might be suitable for you. The more information we have about you, your skillset and your ambitions, the more bespoke we can make our service. We may also use your personal data for things like marketing, profiling and diversity monitoring. Where appropriate, we will seek your consent to undertake some of these activities. More specific details on how we use your data can be found below whilst more information on the topic of consent can be found in section 11:
- Recruitment Activities.
Our main area of work is recruitment – connecting the right Candidates with the right Clients and right jobs. We’ve listed below various ways in which we may use and process your personal data for this purpose. Please note that this list is not exhaustive
- Collecting your data from you and other sources, such as LinkedIn;
- Storing your details (and updating them when necessary) on our database, so that we can contact you in relation to recruitment;
- Providing you with our recruitment services and to facilitate the recruitment process;
- Assessing data about you against vacancies which we think may be suitable for you;
- Sending your information to Clients, in order to apply for jobs or to assess your eligibility for jobs;
- Enabling you to submit your CV, apply online for jobs or to subscribe to alerts about jobs we think may be of interest to you;
- Carrying out our obligations arising from any contracts entered into between us;
- Carrying out our obligations arising from any contracts entered into between us and third parties in relation to your recruitment;
- Facilitating our invoicing processes;
- Where applicable, carrying out customer satisfaction surveys
- Verifying details you have provided, using third party resources or to request information (such as references, qualifications and potentially any criminal convictions, to the extent that this is appropriate and in accordance with local laws);
- Complying with our legal obligations in connection with the detection of crime; and
- Processing your data to enable us to send you targeted, relevant marketing materials or other communications which we think are likely to be of interest to you.
- Marketing Activities.
We may periodically send you information that we think you may find interesting or to ask your help in connecting other Candidates with jobs. More details on this can be found below. We may also send you information about the full range of (or expansion to) our recruitment services and send you details of reports, promotions, offers, networking and client events, or indeed general information about the industry sectors which we think may be of interest and/or use to you.
All our marketing is based on what we think will serve our Clients and Candidates best interests. We may use your data to show you adverts and other content on other websites (for example Facebook and Linkedin). If you do not want us to use your data in this way, please turn off the ‘Advertising Cookies’ option (to do this, please refer to our Cookies Policy).
- Equal Opportunities Monitoring and other sensitive personal data.
We are committed to ensuring that our recruitment processes are aligned with equal opportunities requirements. In this respect, some of the data we may collect about you comes under the umbrella of “diversity information”, for example, information about your ethnic background, gender, disability, age, sexual orientation, religion or other similar beliefs, and/or social-economic background. We may disclose this (suitably anonymised where relevant) data to Clients where this is contractually required or the Client specifically requests such information to enable them to comply with their own employment processes.
The information referred to above is what is called ‘sensitive’ personal information and slightly stricter data protection rules apply to it. We therefore need to obtain your explicit consent before we can use it. When the need arises, we will ask for your consent by offering you an opt-in. This means that you have to explicitly and clearly tell us that you agree to us collecting and using this information.
We may collect other sensitive personal data about you, such as health-related information, religious affiliation, or details of any criminal convictions if this is appropriate and is required for a role that you are interested in applying for. We will never do this without your explicit consent. More information on the concept of ‘Consent’ can be found in section 11.
If you are not happy about this, you have the right to withdraw your consent at any time and you can find out how to do so here.
10.2 CLIENT DATA: The main reason for using Client personal data is to ensure that the contractual arrangements between us can be properly implemented so that the relationship runs smoothly. The more information we have, the more bespoke we can make our service. Similar to above, there are three main ways in which we use Client data:
- Recruitment Activities
Our main area of work is recruitment activity for our clients, which falls under the general categorisation of ‘legitimate business interest’. In order to facilitate this we will need personal data in the following circumstances – although please note that this list is not exhaustive:-
- We will collect and store your details on our database (and update them as necessary) so that we can contact you in relation to our services and our recruitment activities;
- We will keep records of conversations and meetings so that we can understand your needs and provide targeted services to you;
- We may undertake customer satisfaction surveys; and
- We may process your data for the purposes of targeting appropriate marketing campaigns.
If you are not happy with this, in certain circumstances you have the right to object. If you would like to know more about what this means, please refer to section 10.
- Marketing Activities
We will not, as a matter of course, seek consent when sending marketing materials to a corporate postal or email address. However, if you are not happy about this, you have the right to opt out of receiving marketing materials from us and can find out how to do so in the section titled Consent.
- To help us establish, exercise or defend legal claims
In more unusual circumstances, we may use your personal data to help us to establish, exercise or defend legal claims
10.3 SUPPLIER DATA: We only use your personal data for legitimate business interests during the course of our work with you. In order to facilitate this we will need personal data in the following circumstances – although please note that this list is not exhaustive:-
- We will store your details on our database (and update them as necessary) so that we can contact you in relation to the services that you supply to us;
- To obtain support and services from you and in relation to our agreements;
- To perform certain legal obligations; and
- Where necessary, to help us to establish, exercise or defend legal claims.
We will not as a matter of course, seek your consent if we send messages to you at a corporate postal or email address.
10.4 PEOPLE WHOSE DATA WE RECEIVE FROM CANDIDATES AND STAFF, SUCH AS REFEREES AND EMERGENCY CONTACTS: We will only use the information that our Candidates give us about you – for example a referee – to help our Candidates to find employment which is suited to them. Whilst we do not take references ourselves, we will pass this information on to our Clients. If a Client is able to verify a Candidates details and qualifications, this can assist the Candidate find employment that is suited to them
11.1 We need your consent for some aspects of our activities which are not covered by our legitimate business interests, in particular and by way of example, the collection of data via cookies and the delivery of direct marketing to you through digital channels.
11.2 Should we want or need to rely on consent to lawfully collect, process and store your personal data we will request your consent orally, by email or by an online process (for the specific activity we require consent for), and we will record your response on our system.
11.3 Where consent is the lawful basis for our processing, depending on the circumstances, we will ask for this via an ‘opt-in’ or a ‘soft opt-in’. In either way, you have the right to withdraw your consent to this particular processing at any time.
11.4 Article 4(11) GDPR states that ‘’opt-in’ consent is “any freely given, specific, informed unambiguous indication of the data subject wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In plain language this means that you:-
- Have to give us your consent freely, without us putting you under any type of pressure;
- You have to know what you are consenting to – so we will make sure and give you enough information;
- You should have control over which processing activities you consent to and which you don’t; and
- You need to take positive and affirmative action in giving us your consent – we’re likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion;
We will keep a record of the types of consent you have given in this way.
11.5 Soft opt-in’ consent is a specific type of consent which applies and which we are allowed to rely upon where you have previously engaged with us (for example by submitting a job application or a CV) and we are marketing other recruitment related services.
11.6 Under ‘soft opt-in’ consent, we will take your consent as given unless you opt out. For most people this is beneficial as it allows us to suggest other jobs to you alongside the specific one you applied for, thus significantly increasing the likelihood of us finding you a position.
|12.0 WHO DO WE SHARE YOUR PERSONAL DATA WITH|
12.1 GENERAL: We may share your personal data with various parties, in various ways, for various reasons. We may share your data with third party service providers who perform functions on our behalf (including but not limited to; external consultants, business associates and professional advisors such as lawyers, accountants, technical support functions, IT consultants and marketing technology platforms. If TLR merges with or is acquired by another business or company in the future (or is in meaningful discussions about such a possibility) we may share your personal data with the (prospective) new owners.
12.2 CANDIDATE DATA: Primarily we will share your personal data with prospective employers in order to increase your chances of securing the job you want and where we think this will improve the chances of you finding the right job. Unless you specify otherwise, we may also share your personal data with any of our service providers where we feel this will help us provide you with the best possible service (for example such as job boards).
12.3 CLIENT DATA: We will share your personal data primarily to ensure we provide you with a suitable pool of Candidates. Unless you specify otherwise, we may share your personal data with associated third parties (such as service providers and marketing technology platforms) to help us meet these aims.
12.4 SUPPLIER DATA: Unless you specify otherwise, we may share your information with any associated third parties such as our service providers and organisations to whom we provide services.
12.5 PEOPLE WHOSE DATA WE RECEIVE FROM CANDIDATES AND STAFF, SUCH AS REFEREES AND EMERGENCY CONTACTS: in terms of referee’s details, whilst we do not take references ourselves, we will share this information with the recruiting Client:
|13.0 HOW DO WE SAFEGUARD YOUR PERSONAL DATA|
13.1 We put in place appropriate organisational and data protection measures that are designed to prevent unauthorised access to, and misuse of, your personal data. We shall ensure that all our employees, agents, contractors, or other parties working on our behalf comply with the following when working with personal data. For example:
- ORANISATIONAL MEASURES
- All employees, agents, contractors, or other parties working on our behalf shall be made fully aware of both their individual responsibilities and our responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;
- Only employees, agents, sub-contractors, or other parties working on our behalf that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the us;
- All employees, agents, contractors, or other parties working on our behalf handling personal data will be appropriately trained to do so;
- All employees, agents, contractors, or other parties working on our behalf handling personal data will be appropriately supervised;
- Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed;
- The performance of those employees, agents, contractors, or other parties working on GDPR and this Policy by contract;
- All agents, contractors, or other parties working on our behalf handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as we are because of this Policy and the GDPR;
- Where any agent, contractor or other party working on our behalf handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
- DATA PROTECTION MEASURES
- We do not keep personal data for any longer than is necessary in light of the purposes for which the data was originally collected and processed. When the data is no longer required, all reasonable steps will eb taken to erase it without delay.
- All emails containing personal data must be encrypted;
- Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. Hardcopies should be shredded, and electronic copies should be deleted securely.
- Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
- Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
- Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
- Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using registered post.
- No personal data may be shared informally and if an employee, agent, subcontractor, or other party working on behalf of us requires access to any personal data that they do not already have access to, such access should be formally requested from Tina Lacey DPO
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;
- No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of us or not, without the authorisation of Tina Lacey;
- Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time;
- If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
- No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belong to us or otherwise without the formal written approval of Tina Lacey. and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
- No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of us where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to us that all suitable technical and organisational measures have been taken);
- All personal data stored electronically should be backed up with backups stored offsite. All backups should be encrypted.
- All electronic copies of personal data should be stored securely using passwords and data encryption;
- All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols; and
- Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on our behalf, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
13.2 If we receive personal data about you from other sources, we will provide you with this information as soon as possible thereafter.
13.3 We will also inform data subjects whose personal data we process that we are the data controller with regard to that data.
|14.0 HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR|
14.1 If we have not had meaningful contact with you (or, where appropriate, the company you are working for or with) for a period of five (5) years, and unless we believe in good faith that the law or other regulations requires us to preserve it (for example because of obligations to tax authorities or in connection with anticipated litigation) we will delete your personal data from our systems.
14.2 When we refer to ‘meaningful contact’ we mean, for example, communication between us (either verbal or written), or where you are actively engaging with our online services.
14.3 If you are a Candidate, we will consider there to be meaningful contact with you if you submit a CV onto our website or communicate with us about potential roles either by verbal or written communication or click through any of our marketing communication.
|15.0 HOW CAN YOU ACCESS AMEND OR TAKE BACK THE PERSONAL DATA THAT YOU HAVE GIVEN TO US|
15.1 One of the GDPR’s main objectives is to protect and clarify the rights of EU citizens and individuals in the EU with regards to data privacy. This means that you retain various rights in respect of your data, even once you have given it to us. These are described in more detail below.
15.2 Right to object: This right enables you to object to us processing your personal data where we do so for one of the following four reasons: (i) our legitimate interests; (ii) to enable us to perform a task in the public interest or exercise official authority; (iii) to send you direct marketing materials; and (iv) for scientific, historical, research, or statistical purposes.
The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply to our Website Users, Candidates, Clients and Suppliers.
If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless: (i) we can show that we have compelling legitimate grounds for processing which overrides your interests; or (ii) we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
15.3 Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities, for example consent to market to you, you may withdraw your consent at any time.
15.4 Data Subject Access Requests (DSAR): Just so it’s clear, you have the right to ask us to confirm what information we hold about you at any time, and you may ask us to modify, update or Delete such information. DSAR’s should be sent o [email protected] .
Upon receipt of a DSAR we may comply with your request or, additionally do one of the following:
- We may ask you to verify your identity, or ask for more information about your request; and/or
- Where we are legally permitted to do so, we may decline your request but we will explain why if we do so.
We are normally required to respond to a DSAR within 30 days of receipt, however this time period can be extended by up to 60 days in the case of complex and/or numerous requests. If there is a need for an extension we will inform you as soon as practicable.
We do not charge a fee for the handling of a DSAR, however do reserve the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject and/or for requests that are manifestly unfounded, excessive or repetitive.
15.5 Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will Delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
15.6 Right to rectification: If you inform us that personal data held by us is inaccurate or incomplete and request that it is rectified, the personal data in question shall be rectified and you shall be informed of this, within 30 days of receipt of your notice. In certain situations, we may be allowed to extend this period up to 60 days.
15.7 Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this – either by directly transferring your data for you, or by providing you with a copy in a commonly used machine-readable format.
15.8 Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority:
15.9 If your interests or requirements change, you can unsubscribe from part or all of our marketing content (for example job role emails) by sending an email to [email protected].
|16.0 HOW DO WE ENSURE DATA IS ACCURATE AND KEEP IT UP TO DATE|
16.1 We shall ensure that all personal data we hold is kept accurate and up to date.
16.2 The accuracy of data shall be checked when it is collected and at regular intervals thereafter.
16.3 Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data.
|17.0 HOW DO WE KEEP YOU INFORMED|
17.1 Where we collect personal data directly from you, we will inform you about:
- The purpose or purposes for which we intend to process that personal data;
- The types of third parties, if any, with which we will share or to which we will disclose that personal data; and
- The means, if any, with which you can limit our use and disclosure of your personal data.
17.2 If we receive your personal data from other sources, we will provide you with this information as soon as possible thereafter.
17.3 We will only collect personal data to the extent that it is required for the specific purpose notified to you and we will also inform data subjects whose personal data we process that we are the data controller with regard to that data.
17.4 We will also not keep personal data longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
|18.0 HOW WE STORE AND TRANSFER YOUR DATA INTERNATIONALLY|
18.1 We want to make sure that your data is stored and transferred in a way which is secure.
18.2 We will only transfer your data outside of the EEA where to do so is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data.
|19.0 TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA|
19.1 Where the need arises for us to transfer any personal data we hold to a country outside the European Economic Area (“EEA”), we will only do so provided that one of the following conditions applies:
- The country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
- You have given your consent to the transfer.
- The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between us and you, or for legitimate business interests;
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
- The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
19.2 Subject to the requirements in paragraph 19.1 above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. That staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
The cookie information text on this site was derived from content provided by Attacat Internet Marketing http://www.attacat.co.uk/, a marketing agency based in Edinburgh. If you need similar information for your own website you can use their free cookie audit tool.