This Privacy Notice[i] sets out the basis on which The Spencer Group Limited[ii] will process personal information provided to us; this information is also referred to as ‘personal data’. This privacy notice shall also apply to The Spencer Group Ltd, The Spencer Group Holdings Ltd and Check for other group company names and all references to “we”, “us”, “our” and “ours” shall include both The Spencer Group Ltd and The Spencer Group Holdings Ltd and any of our group companies.

We take our obligations in respect of the privacy of personal data very seriously and we will only process personal information as detailed in this notice, unless we inform you otherwise. In order to ensure that the personal data we hold is accurate and up to date, we request that you inform us of any relevant changes to the personal information we hold about you.

We help individuals to find work and we are also an employer. Our core business activity is recruitment: we assist individuals in finding work with our hirer clients, whether this is directly or through supply by us, and we assist hirers in introducing or supplying the staff that they require. We also recruit staff to work for us to provide our recruitment services. For the purposes of this Privacy Notice, our commercial activities and services for individuals and businesses are referred to as ‘Recruitment Services’, and our actual or potential hiring customers are referred to as ‘Clients’.

The person responsible for data protection matters within our organisation is Amanda Howett, Office Manager, who can be contacted at amanda.howett@spencergroup.com.

If you do not wish us to process personal data in accordance with this policy, then please do not provide it to us. Please refer to Section 4 ‘Your rights’ in respect of data that we already hold, or which we receive from third parties.

 

Section 1: This section applies to individuals wishing to use or using our Recruitment Services or looking for a role to work with us (‘a Candidate’):[iii]

The personal data we collect or receive includes the following as applicable:[iv]

  • Name
  • Address
  • Email and other contact details
  • Date of birth
  • Job history (including information relating to placements through us)
  • Educational history, qualifications & skills
  • Visa and other right to work or identity information
  • Passport
  • Bank details
  • National insurance and tax (payroll) information
  • Next of kin and family details
  • Contact details of referees
  • Personal information relating to hobbies, interests and pastimes
  • Information contained in references and pre-employment checks from third parties
  • Other sensitive personal information such as health records (see ‘Sensitive Personal Data’ section below)
  • Your marketing preferences

We may obtain your personal data from the following sources (please note that this list is not exhaustive):[v]

  • You (e.g. a Curriculum Vitae, application or registration form)
  • A client
  • Other candidates
  • Online jobsites
  • Marketing databases
  • The public domain
  • Social Media
  • At interview
  • Conversations on the telephone or video conferencing (which may be recorded)
  • Notes following a conversation or meeting
  • Our websites and software applications

Where you are a Candidate and we have obtained your personal data from a third party such as an online job board, it is our policy to advise you of the source when we first communicate with you.[vi]

 

How we will use your personal data:[vii]

The processing of your personal information may include:

  • Collecting and storing your personal data, whether in manual or electronic files
  • Notifying you of potential roles or opportunities
  • Assessing and reviewing your suitability for job roles
  • Introducing and/or supplying you to actual or potential Clients
  • Engaging you for a role with us or with our Clients including any related administration e.g. timesheets and payroll
  • Collating market or sector specific information and providing the same to our Clients
  • Sending information to third parties with whom we have or intend to enter into arrangements which are related to our Recruitment Services
  • Providing information to regulatory authorities or statutory bodies, and our legal or other professional advisers including insurers
  • To market our Recruitment Services
  • Retaining a record of our dealings
  • Establishing quality, training and compliance with our obligations and best practice
  • For the purposes of backing up information on our computer systems

 

Why we process your personal data:[viii]

  1. Entering into and performing a contract with you:[ix]

In order to provide our Recruitment Services we may enter into a contract with you and/or a third party. In order to enter into a contract we will need certain information, for example your name and address. A contract will also contain obligations on both your part and our part and we shall process your data as is necessary for the purpose of those obligations. For example, in order to process payroll, a national insurance number and bank details will be required.

  2. Compliance with legal obligations (regulatory and statutory obligations):[x]

We must comply with a number of statutory provisions when providing our Recruitment Services, which necessitate the processing of personal data. These include the Conduct of Employment Agencies and Employment Businesses Regulations 2003, which amongst other things requires us to:

  • Verify your identity
  • Assess your suitability for an external job role
  • Maintain records for specific periods

Where we engage a person to work for us (whether directly or as supplied to a Client), there are other statutory obligations that must be complied with including payroll, tax, social security, HMRC reporting requirements, and any other law or regulation.

We are also required to comply with statutory and regulatory obligations relating to business generally, for example complying with tax, bribery, fraud/crime prevention and data protection legislation, and co-operating with regulatory authorities such as HMRC or the Information Commissioner’s Office.

  3. Our legitimate interests (carrying on the commercial activity of Recruitment Services):[xi]

In providing our Recruitment Services, we will carry out some processing of personal data which is necessary for the purpose of our legitimate interests, which include: 

  • Retaining records of our dealings and transactions and where applicable, use such records for the purposes of:
    • establishing compliance with contractual obligations with Clients or suppliers
    • addressing any query or dispute that may arise including establishing, exercising or defending any legal claims
    • protecting our reputation
    • maintaining a back up of our system, solely for the purpose of being able to restore the system to a particular point in the event of a system failure or security breach
    • evaluating quality and compliance including compliance with this Privacy Notice
    • determining staff training and system requirements
  • Using your personal data to:
    • assess suitability and contact you regarding potential opportunities and/or our services
    • collate market information or trends including providing analysis to potential or actual Clients
    • source potential opportunities or roles as part of our Recruitment Services
    • personalise your experience and our offering, whether via our website or otherwise

This means that for our commercial viability and to pursue these legitimate interests, we may continue to process your personal data for as long as we consider necessary for these purposes.

  4. Consent to our processing of your data:[xii]

We may process your personal data on the basis that you have consented to us doing so for a specific purpose, for example, if you apply for a specific role you may have consented to our processing of the data that has been provided for the purpose of progressing your application and considering your suitability for that role. In other cases you may have provided your written or verbal consent to the use of your data for a specific reason.

You may withdraw your consent to our processing of your personal information for a particular purpose at any stage. However, please note that we may continue to retain, or otherwise use your personal information thereafter where we have a legitimate interest or a legal or contractual obligation to do so. Our processing in that respect will be limited to what is necessary in furtherance of those interests or obligations. Withdrawal of consent will not have any effect on the lawfulness of any processing based on consent before its withdrawal.

What if we obtain your personal data from a third party?[xiii]

Part of our business activity involves researching information relating to individuals for the purposes of filling job roles. This may include obtaining personal data from online sources, for example we may obtain information from social media sites such as LinkedIn and job boards,[xiv] some information being publicly available but others being from sites or providers to which we subscribe. From time to time we may also receive personal information about you from hiring organisations, colleagues and former employers, or from persons for whom you have provided services or been otherwise engaged.

Where information from third party sources is of no use to us, or where you have notified us that you do not want us to provide you with services, we shall discard it; however, we may maintain a limited record in order to avoid the duplication of process. Where we consider that information may be of use to us in pursuance of the provision of our Recruitment Services, any processing will be in accordance with this Privacy Notice. You do have the right to object to processing; please see Section 4 ‘Your rights’.

Sensitive Personal Data (SPD)[xv]

Sensitive personal data is information which is intensely personal to you and is usually irrelevant to our consideration of your suitability for a job role. Examples of SPD include information which reveals your political, religious or philosophical beliefs, sexual orientation, race or ethnic origin, or information relating to your health.

Regardless of the basis for your dealings with us, we request that you do not provide us with any sensitive personal data unless absolutely necessary. However, to the extent that you do provide us with any sensitive personal data, such as data which you choose to share with us in conversation, we shall only use that data for the purposes of our relationship with you or for the provision of our Recruitment Services. This will be for one or more of the following reasons:

  • You have explicitly consented to the processing
  • For the purpose of our assessment of your suitability for job roles or working capacity
  • Where processing is necessary for the purpose of obligations or rights under employment, social security or social protection law
  • To maintain records of our dealings to address any later dispute, including but not limited to the establishment, exercise or defence of any legal claims

 

Who we share personal data with:

We shall not share your personal information unless we are entitled to do so. The categories of persons with whom we may share your personal information include:

  • Individuals, hirers and other third parties necessary for the provision of our Recruitment Services
  • Any regulatory authority or statutory body pursuant to a request for information or any legal obligation which applies to us
  • Parties who process data on our behalf, which may include
    • outsourced payroll providers
    • IT support
    • External research organisations
    • storage service providers including cloud
    • background screening providers[xvi]
  • Legal and professional advisers
  • Insurers

 

Automated decisions[xvii]

We do not use any automated decision making software.[xviii]

Where we use software to assist us with our assessment of your suitability for a particular job role and you consider that any such assessment has been made wrongly or incorrectly, you may ask for an explanation.

 

Section 2: This section applies where you are an individual working for a third party with whom we have dealings. For example, a client or a payroll company.[xix]

We may collect your personal data in the course of our dealings and this may include the following:[xx]

  • Your contact information, which may include your full name, job role, contact telephone number and email
  • Your statements and opinions about candidates and/or other personnel e.g. a reference
  • Information relating to our relationship with you or the party for whom you work including records of any meetings or discussions
  • Your marketing preferences

 

We may obtain your personal data from the following sources (please note that this list is not exhaustive):[xxi]

 

  • You, including where you have provided us with your contact details or other information for the purposes of using our Recruitment Services
  • Staff or other representatives of the organisation you represent
  • Candidates
  • Marketing databases
  • Social media
  • The public domain
  • Conversations, with you or others, on the telephone or video conferencing (which may be recorded) or in meetings
  • Notes following a conversation, with you or others, or meetings you attend

How we will use your personal data:[xxii]

We will process your personal data in the context of our dealings with the third party for whom you work and as part of our Recruitment Services. Processing may include:

  • Collecting and storing your personal data, whether in manual or electronic files
  • Using the data to communicate with you
  • Sending information to third parties with whom we have or intend to enter into arrangements which are related to our Recruitment Services
  • Actions necessary to further any obligation on us pursuant to a contract between ourselves and the third party you work for
  • Collating market or sector specific information and providing the same to our clients
  • Providing information to regulatory authorities or statutory bodies and our legal or other professional advisers including insurers
  • Retaining records of our dealings with you and the organisation whom you represent
  • Establishing quality, training and compliance with our obligations and best practice

 

Why we process your personal data:[xxiii]

  1. Compliance with legal obligations (regulatory and statutory obligations)

We must comply with a number of statutory provisions when providing our Recruitment Services, which necessitate the processing of personal data. These include the Conduct of Employment Agencies and Employment Businesses Regulations 2003, which amongst other things requires us to assess suitability of candidates and obtain information from Clients.

We are also required to comply with statutory and regulatory obligations relating to business generally, for example tax, bribery and fraud/crime prevention legislation, and co-operating with regulatory authorities such as HMRC.

  2. Our legitimate interests (carrying on the commercial activity of Recruitment Services):

In providing our Recruitment Services, we will carry out some processing of personal data which is necessary for the purpose of our legitimate interests, which include:

  • Using your personal data:
    • to contact you regarding our Recruitment Services
    • to assess suitability of Candidates and roles, for example, referencing or other feedback
    • to collate market information or trends including providing analysis to potential or actual Clients
    • as otherwise necessary to provide our Recruitment Services and/or to meet our obligations towards either the party whom you represent, or other Clients or suppliers
    • to personalise your experience and our offering, whether via our website or otherwise

 

  • Retaining records of our dealings and transactions and where applicable, use such records for the purposes of:
    • establishing compliance with contractual obligations with Clients or suppliers
    • addressing any query or dispute that may arise including establishing, exercising or defending any legal claims
    • protecting our reputation
    • maintaining a back up of our system, solely for the purpose of being able to restore the system to a particular point in the event of a system failure or security breach
    • evaluating quality and compliance including compliance with this Privacy Notice
    • determining staff training and system requirements

For our commercial viability and to pursue these legitimate interests, we may continue to process your personal information for as long as we consider reasonably appropriate for these purposes.

  3. Consent

We may process your personal data on the basis that you have consented to us doing so for a specific purpose, for example, if you have provided your contact details in order that we may use these to provide you with details of our services you may have consented to our processing of the data for that purpose. In other cases you may have provided your written or verbal consent to the use of your data for a specific reason, for example references.

You may withdraw your consent to our processing of your personal data for a particular purpose at any stage. However, please note that we may continue to retain, or otherwise use your personal information thereafter where we have a legitimate interest or a legal or contractual obligation to do so. Our processing in that respect will be limited to what is necessary in furtherance of those interests or obligations.  Withdrawal of consent will not have any effect on the lawfulness of any processing based on consent before its withdrawal.

 

What if we obtain your personal data from a third party?[xxiv]

Part of our business activity involves researching information for the purposes of finding and filling job roles. This may include obtaining personal data from sources including job boards, advertisements, LinkedIn or other social media,[xxv] some information being publicly available but others being from sites or providers to which we subscribe. From time to time we may also receive personal data about you from hiring organisations, colleagues and former employers, or from persons for whom you have provided services or been otherwise engaged.

Where information from third party sources is of no use to us we shall discard it; however, we may maintain a limited record in order to avoid the duplication of process. Where we consider that information may be of use to us in pursuance of the provision of our Recruitment Services, any processing will be in accordance with this Privacy Notice. You do have the right to object to processing; please see Section 4 ‘Your rights’.

 

Sensitive Personal Data (SPD)[xxvi]

Sensitive personal data is information which is intensely personal to you and is usually irrelevant to our dealings with you in respect of our Recruitment Services. Examples of SPD include information which reveals your political, religious or philosophical beliefs, sexual orientation, race or ethnic origin, or information relating to your health.

Regardless of the basis for your dealings with us, we request that you do not provide us with any sensitive personal data unless absolutely necessary. However, to the extent that you do provide us with any sensitive personal data, such as data which you choose to share with us in conversation, we shall only use that personal data for the purposes of our relationship with you or for the provision of our Recruitment Services. This will be for one or more of the following reasons:

  • You have explicitly consented to the processing
  • Where processing is necessary for the purpose of obligations or rights under employment, social security or social protection law
  • To maintain records of our dealings to address any later dispute, including but not limited to the establishment, exercise or defence of any legal claims

 

Who we share personal data with:

We shall not share your personal data unless we are entitled to do so. The categories of persons with whom we may share your personal information include:

  • Candidates and other third parties necessary for the provision of our Recruitment Services
  • Any regulatory authority or statutory body pursuant to a request for information or any legal obligation which applies to us
  • Parties who process data on our behalf, which may include
    • outsourced payroll providers
    • IT support
    • storage service providers including cloud providers
    • background screening providers[xxvii]
  • Legal and professional advisers
  • Insurers

 

Section 3: This section applies to all personal data[xxviii] 

Transfer of data to other jurisdictions[xxix]

In the course of the provision of our Recruitment Services we may transfer data to countries or international organisations outside of the EEA. This may, for example, be to Clients or Candidates, or third parties who provide support services to us. Where information is to be so transferred, it may be to a country in respect of which there is an adequacy decision from the EU Commission. However, if this is not the case, it is our policy to take steps to identify risks and in so far as is reasonably practicable, ensure that appropriate safeguards are in place. Details relating to specific countries or organisations are available on request from amanda.howett@spencergroup.com.

If you do not wish to provide us with necessary data[xxx]

There may be circumstances where we require you to provide data which is necessary in order for us to meet statutory or contractual obligations, or perform our Recruitment Services. If you do not wish to provide us with information we request then please notify us. However, please be aware that as a result we may be unable to provide you or the party who you represent with a Recruitment Service, and in some cases this may result in a breach of the contract we have with you or a third party you represent.

Group companies & transfer[xxxi]

Although this Privacy Notice applies to us, your data may be accessible to, and shared with, other organisations within our group including the Spencer Group for any of the purposes set out within this Privacy Notice, or where we have shared administration systems and staff.

In the event of a sale, merger, liquidation, receivership or the transfer of all or part of our assets to a third party, we may need to transfer your information to a third party. Any transfer will be subject to the agreement of the third party to this Privacy Notice and any processing being only in accordance with this Privacy Notice.

Data Security and Confidentiality[xxxii]

It is our policy to ensure, in so far as is reasonably practicable, that our systems and records are secure and not accessible to unauthorised third parties in line with contemporary practice.

Cookies[xxxiii]

A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website, which enables the website to tailor its offerings to your preferences when you visit it.

Cookies are used by your browser and by most websites to help personalise or improve your experience using the worldwide web. If you wish to restrict or block the cookies which are set by The Spencer Group’s Websites, or indeed any other website, you can do this through your browser settings. Restricting cookies may affect some of the functionality of this Website, such as the ability to log in to password-protected areas, but most of the Site will still be accessible to you.

The Help menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether.

You can find more information about deleting and controlling cookies from AboutCookies.org.

The Spencer Group will not use cookies to collect personally identifiable information about you. However, in order to provide services to you within this Site's extranet, it is necessary to gather information that will enable the Website to personalise, improve and operate such services. In connection with certain aspects of the services, we may request, collect and/or display some of your personal information.

The table below explains the cookies we use and why.

| Name | Purpose | Expires |
| --- | --- | --- |
| PHPSESSID | PHP Session ID. This is a unique identifier that is automatically created when a session starts for a given visitor. | This cookie is deleted when the browser is closed. |
| _utma | Google Analytics randomly generated number. We use Google Analytics to monitor traffic levels, search queries and visits to this Website. Google Analytics stores IP address anonymously on its servers, and neither The Spencer Group nor Google associates your IP address with any personally identifiable information. | Two years |
| _utmb | As for _utma. | 30 minutes |
| _utmc | As for _utma. | This cookie is deleted when the browser is closed. |
| _utmz | As for _utma. | Six months |
| COOKIE_LAST_EXTRANET_EMAIL | CMS Extranet opt-in cookie. This is set if you choose to ask this Website to remember your login name. | Until you opt out via the login screen |
| LOG_ME_IN_COOKIE | CMS Extranet opt-in cookie. This is set if you choose to ask your computer to automatically log you in at this computer. | Until you opt out via the login screen |
| spencergroup_storefront_basket_id | CMS e-commerce cookie. This is set when you put an item in your basket. | One month |

 

Retaining your data[xxxiv]

In most circumstances your data will not be retained for more than 6 years from the last point at which we provided any services or otherwise engaged with you and it is our policy to only store your personal data for as long as is reasonably necessary for us to comply with our legal obligations and for our legitimate business interests. However, we may retain data for longer than a 6 year period where we have a legal or contractual obligation to do so, or we form the view that there is otherwise a continued basis to do so, for example where your personal information identifies specialist skill sets which may remain in demand, or we are subject to a legal obligation which applies for a longer period.

If however you believe that we should delete your personal data at an earlier date, please inform us in writing of your reasons.  Please see Section 4 ‘Your Rights’ below.

Changes to this Privacy Notice[xxxv]

This Privacy Notice is regularly reviewed and may be updated from time to time to reflect changes in our business, or legal or commercial practice. Where an update is relevant to our processing of your data, we shall notify you of the same.

Section 4: Your rights

We take the protection of your personal data very seriously and it is important that you know your rights within that context, which include rights to:

  • Request a copy of the personal data that we hold
  • Object to our processing of your data where that processing is based upon legitimate interest and there are no compelling grounds for the continued processing of that data
  • Request that we restrict processing of your data in certain circumstances
  • Request that data is erased where the continued use of that data cannot be justified
  • Object to any decision, which significantly affects you, being taken solely by a computer or via another automated process
  • Withdraw your consent to our processing of your personal data for a particular purpose at any stage. However, please note that we may continue to retain, or otherwise use your personal information thereafter where we have a legitimate interest or a legal or contractual obligation to do so. Our processing in that respect will be limited to what is necessary in furtherance of those interests or obligations
  • Request that inaccurate or incomplete data is rectified
  • Request that data provided directly by you and processed by automated means is transferred to you or another controller; this right only being applicable where our processing of your data is based either on your consent or in performance of a contract
  • Make a complaint to the Information Commissioner’s Office
  • Request that direct marketing by us to you is stopped

Please note that should you exercise your right to request that we erase data or cease any processing activity, we may retain a record of this request and the action taken in order to both evidence our compliance, and to take steps to minimise the prospect of any data being processed in the future should it be received again from a third party source.

If you have any questions concerning your rights or should you wish to exercise any of these rights, please contact amanda.howett@spencergroup.com.

Complaints

If you are dissatisfied about any aspect of the way in which your data is processed you may, in the first instance, refer the matter to amanda.howett@spencergroup.com[xxxvi]. This does not affect your right to make a complaint to the Information Commissioner’s Office.

 

 

[i] This Privacy Notice is intended for use by organisations undertaking recruitment activity. It addresses general use of data for recruitment purposes, and is intended to comply with the requirements of the General Data Protection Regulation. The information contained within this notice should be carefully considered, along with the reasons why you collect, use, transfer or otherwise process personal data, in order to ensure that it fully matches your activity. If there are reasons why you process data which are not set out within this agreement, for example reasons which are different from standard practice, then amendment will be required, or data subjects will need a separate notification.

[ii] Insert full company name plus trading name if applicable e.g. ABC Limited t/a ABC Recruitment

[iii] This section is intended to apply to existing Candidates and contractors or any person applying for a role either with you or in order that they be placed with a Client.

[iv] This is a non exhaustive list, however if there is other specific information you collect regarding Candidates it should be added to this list.

[v] Where information is obtained from a third party source (i.e. other than directly from the individual), there is an additional requirement to inform the individual of the source of the information. As this is likely to differ depending upon the nature of the data, it is impossible to provide such detail within this document; you should therefore ensure that where data is from a third party source, the individual is made aware of that source, and further whether the source is publicly available. If you require assistance with specific wording in this area please contact Lawspeed.

[vi] There are specific time frames in which a data subject must be informed of data collected from a third party source. These are set out within article 14 of the GDPR, however, in essence within 1 month of the data being received, or at the point the data is used to communicate with the data subject or is disclosed to a third party, if sooner.

[vii] This is a non exhaustive list, however, if there are other specific ways in which you process candidate personal data these should be added to this list.

[viii] The GDPR requires that personal data be processed only where one or more permitted reasons exist. These are set out in the GDPR and referred to as lawful bases. It is also a requirement that a data subject be advised of these purposes or bases. This section therefore sets out in further detail the reasons why Candidate personal data is processed. 

[ix] A potential reason for processing personal data is where it is necessary to perform a contract with a data subject or to take steps at the data subject’s request. A recruiter will be required to enter into a contract with a work-seeker where the Conduct of Employment Agencies and Employment Businesses Regulations 2003 (Conduct Regulations) apply before the provision of work-finding services. However, even where there is an opt out from those regulations the existence of a contract with the work-seeker is necessary for commercial purposes and a work-seeker’s personal data will invariably have to be processed.

[x] Personal data may also be processed in compliance with legal obligations, for example, the Conduct Regulations, tax requirements or even the GDPR. A potential reason for processing personal data is where it is necessary to perform a contract with a data subject or to take steps at the data subject’s request, for example, you will need information relating to a candidate’s qualifications, experience and availability in order to provide work-finding services.

[xi] Another permitted reason or basis under the GDPR is where processing is necessary in furtherance of the legitimate interests of the data controller, this is subject to balancing these interests against the rights and freedoms of the data subject, but does cover matters which are neither legal obligations, nor contractual requirements, for example, best practice, or compliance with requirements in a hirer’s contract. It is a requirement of the GDPR that where legitimate interest is relied upon, an individual be informed what that interest is. Therefore, if there are other legitimate interests that you have, these should be added within this section.

[xii] Consent of the data subject to processing for a specific purpose is a permitted reason for the processing of personal data. However, under the GDPR it is a high standard to achieve, and one which means that general consent provisions in contracts or within registration forms will no longer suffice. We would therefore suggest that advice be sought as to the specific requirements prior to relying on consent as a basis for processing.

[xiii] Article 14(2)(f) of the GDPR requires that where personal data is obtained from a third party source i.e. not directly from the data subject, the individual is entitled to be informed of the source from which the data has been obtained and whether this source is publicly accessible. Although this Privacy Notice has general information regarding potential sources, and you can include other potential sources within it, the reality is that the individual is entitled to be informed of the actual source. Accordingly you must let the individual know the source of the information and whether it is publicly accessible in addition to issuing this Privacy Notice.

[xiv] You should add other specific sources if you use these regularly.

[xv] Sensitive personal data has a specific category of protection under the GDPR, requiring more specific reasons than personal data generally, these include explicit consent, or that processing is necessary to comply with rights and obligations under employment, social security and social protection law. Where the purpose for the processing of sensitive data is that it is necessary to comply with legal obligations, such as assessing capacity for work under the Conduct Regulations or to comply with health and safety law, you must have in place an appropriate policy that deals with these matters, such a policy should document how the processing of this information complies with general GDPR principles and should deal with security and erasure of information. If you require further information on this policy, you should contact Lawspeed.

[xvi] This section lists examples of the categories of organisation to which data may be transferred. Please select as appropriate to your business, or, if you use other categories of provider please insert the same here also. Yellow highlighting and square brackets should be removed prior to publication.

[xvii] Please choose the applicable wording depending on whether or not your business uses automated decision making.

[xviii] Select the option which applies to your business. The second option addresses the type of automated processing that a recruitment business might undertake; however, if there is any other automated processing being undertaken it should be addressed here.

[xix] This section is intended to apply to personal data of persons other than Candidates. This may for example be individuals who work for hirers or suppliers. 

[xx] This is a non-exhaustive list. If there is other data that you collect and you wish to include in this Privacy Notice the same can be inserted here.

[xxi] Where information is obtained from a third party source (i.e. other than directly from the individual), there is an additional requirement to inform the individual of the source of the information. As this is likely to differ depending upon the nature of the data, it is impossible to provide such detail within this document. You should therefore ensure that where data is from a third party source, the individual is made aware of that source, and further whether the source is publicly available. If you require assistance with specific wording in this area please contact Lawspeed.

[xxii] This is a non-exhaustive list; however, if there are other specific ways in which you process personal data these should be added to this list.

[xxiii] The reasons set out here are very similar to the reasons why data of candidates is processed, and are linked to the provision of your Recruitment Services. Please review the reasons, and ensure that (i) they fit your business reasons and (ii) there are no other reasons you process data that we have not already stated.

[xxiv] Where personal data is obtained from a third party source the data subject must be informed of where that information has been obtained and whether or not that source is a publicly available resource e.g. LinkedIn.

[xxv] You may wish to add other social media sources if you use these regularly.

[xxvi] This section may be included solely in the section referring to Candidates on the basis that a recruiter is unlikely to hold SPD of a Client or third party individual. However, as a belt-and-braces approach, it is included here to cover remote scenarios such as a record being retained of a client’s representative’s political belief or health.

[xxvii] This section lists examples of the categories of organisation to which data may be transferred. Please select as appropriate to your business, or, if you use other categories of provider please insert the same here also. Yellow highlighting and square brackets should be removed prior to publication.

[xxviii] This section applies to all personal data whether Candidate or any other individual.

[xxix] The GDPR contains specific rules regarding the safeguards that must be in place where data is to be transferred outside of the European Economic Area (EEA).  In the event that an organisation is to transfer data in this way, then it must advise individuals of the same, along with the safeguards that are in place. Whilst this is something we address generally in this Privacy Notice, as the safeguards may differ from country to country, it is not something that can be addressed in detail. If there are specific countries to which you transfer data on a regular basis, you may want to include this specifically in the Privacy Notice, e.g. you use back office support in a Non EEA country. Otherwise it is something that needs to be advised to individuals on a case by case basis.

[xxx] It is a requirement under GDPR that where data is collected as necessary for compliance with statutory or contractual obligations, the individual be advised of the consequences of not providing that information. This section addresses the fact that should information not be provided, you may be unable to provide your work-finding services.

[xxxi] This section addresses the use of data between group companies and where organisations have shared administration systems and therefore may have access to one another’s data. If this is not applicable to your organisation this section will not be required.

[xxxii] Whilst it is a principle within the GDPR that data is stored securely there is not actually a requirement to inform as to measures taken. However, if you wish to add to the existing statement the following wording may be included: “We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data and against the accidental loss of or damage to, personal data. We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. These procedures will guarantee the confidentiality, integrity and availability of the personal data. We will only transfer personal data to a third party if they have in place measures that provide for a similar level of security”.

[xxxiii] Organisations are responsible for providing clear information about the way they use cookies and ensuring that they give people using their website the right choices. We have suggested text indicating what a cookie is, however it is for each individual organisation to specify what cookies are used and their purposes. This is an area of the law that has not changed as a result of the GDPR, so your existing arrangements, including notification of cookies on your website should still stand. If in doubt please check with your website provider as to whether any cookies are used and if so how.  You may also wish to provide details of how users can change or delete their cookie settings.

[xxxiv] It is a requirement of the GDPR that a data subject is informed of the periods for which data will be stored or the factors that will be taken into consideration in determining this period. This section sets out the likely reasons that exist for retention after a 6 year period. However, if as a result of your data cleanse or spring clean of existing data, you have other factors that need to be considered, the same should be included here. 

[xxxv] In the event that there is a change in the information within this Privacy Notice, or the reason why you are processing data changes, the Privacy Notice should be updated and a revised copy provided to all affected data subjects.

[xxxvi] Please insert the details of the applicable person to whom any issue should be raised. Whilst an internal complaints process is not essential, it may assist in enabling an issue to be addressed prior to an ICO complaint.

 

 

COPYRIGHT NOTE:      

COPYRIGHT IN ALL CONTRACTS & DOCUMENTS PREPARED BY LAWSPEED IS RESERVED TO LAWSPEED LIMITED AND YOU MAY ONLY USE THIS TEMPLATE OR ANY PART OF IT IN ACCORDANCE WITH CURRENT LAWSPEED TERMS OF BUSINESS APPLICABLE TO COPYRIGHT. THIS INCLUDES RETAINING OUR COPYRIGHT NOTICE WITHIN THE FOOTER OF ALL COPIES OF THIS DOCUMENT.