Data Controller: The Recruitment Lab Limited (“The Company”)
GDPR Responsible Person: Simon Royston, Managing Director email@example.com
As a recruitment business, the company collects and processes personal data relating to job applicants who may be applying for agency work, temporary work or permanent roles, either with the company itself or within its clients or third-party hirers.
We are committed to being transparent about how we collect, use, store, transfer and retain this data and to meeting our data protection obligations.
What information do we collect?
We collect a range of information about you, which may include:
- your name, address and contact details, including email address, social media addresses, and telephone numbers;
- details of your qualifications, skills, experience and employment history;
- information about your current level of remuneration, including benefit entitlements;
- whether or not you have a disability for which the company needs to make reasonable adjustments during the recruitment process;
- information about your entitlement to work in the UK;
- equal opportunities monitoring information, including information about your race, ethnic origin, gender, sexual orientation, health and religion or belief;
- health information to ensure that we fulfil our duty of care; and
- information relating to criminal processes or convictions.
The company may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment including on-line tests.
We may also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. The company will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.
Data will be stored in a range of different places, including on our databases, in HR management systems and on other IT systems (including email).
Why do we process your personal data?
We need to process data to assess your suitability for work or employment in advance of entering into a contract with you.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check a successful applicant’s eligibility to work in the UK before employment starts.
We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the company to manage the recruitment process, assess and confirm a candidate’s suitability for employment or work and, in some cases, decide to whom to offer work. We may also need to process data from job applicants to respond to and defend against legal claims.
The company may process information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.
Where the company processes other special categories of data, such as information about ethnic origin, sexual health and orientation, religion or belief, this is for equal opportunities monitoring purposes.
For some roles, the company is obliged to seek information about health and criminal convictions and offences. Where the company seeks this information, it will request your consent.
If your application is unsuccessful, the company may keep your personal data on file in case there are future employment opportunities for which you may be suited. The company will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time.
Who has access to data?
Your information may be shared for the purposes of the recruitment exercise. This includes sharing with members of The Recruitment Lab team, our clients and our HR and IT providers who may need to access the data for the necessary performance of their roles.
The company will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment or if it needs to defend a claim or share the information for audit purposes.
If you are offered employment or work, then the company will share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.
It is possible that your data may be transferred outside the European Economic Area (EEA); however, this is kept to an absolute minimum and, where it is done, the company will ensure that the third-party providers are GDPR compliant in all aspects of data security.
How do we protect data?
The company takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
For how long do we keep your data?
If your application for employment is unsuccessful, the company may hold your data on file for 2 years after the end of the relevant recruitment process.
If you agree to allow the company to keep your personal data on file, the company will hold your data on file for a further unlimited period for consideration for future employment opportunities or until such time that you request that the data be deleted.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your hard copy and electronic personal file and retained during your employment. The periods for which your data will be held will be provided to you in a separate Privacy Notice as applicable.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
Recruitment processes are not based solely on automated decision-making.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the company to change incorrect or incomplete data;
- require the company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the company is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, please contact the above-named person.
If you believe that the company has not complied with your data protection rights, you can complain to the Information Commissioner's Office (ICO); however, we would appreciate the opportunity to address your concerns and therefore ask that you contact us in the first instance.
Our GDPR Commitment
The General Data Protection Regulation (GDPR) is the latest EU data privacy and protection framework which is effective from 25th of May 2018.
The Recruitment Lab Limited (The Company) provides recruitment services to businesses including the placement of Agency Workers and the introduction of candidates for temporary or permanent job vacancies.
In the effective delivery of our services we accept that we are a “controller” and a “processor”, as defined within GDPR, of personal data and, in some cases, special categories of personal data for individuals who register with us.
We identify that the processing of such data is fundamental to the delivery of our service and commit to doing as much as is reasonably possible to ensure that it is processed responsibly, transferred to third parties responsibly, kept safe and erased when no longer required, and that we take our obligations and responsibilities under GDPR seriously.
We are committed to GDPR compliance including building GDPR into our current and future processes, into our day to day working and contractual commitments with our customers, suppliers, applicants, workers and employees.
Getting GDPR compliant has required the evolution of our current data protection policies and processes, clarifying, improving and maintaining key data protection and privacy controls to ensure that we are GDPR compliant.
Here are some aspects you may want to consider when conducting your assessment of The Recruitment Lab from a GDPR point of view:
We employ and work with security and privacy professionals to maintain our systems, develop security review processes, build security infrastructure, and implement our security policies.
Our team engages with clients and contacts to shape our services in a manner that helps them meet their compliance needs.
Our privacy policies in relation to Applicants, Agency Workers and Employees have been developed to provide full transparency to the individual concerned and are publicly available on our website.
We are committed to only requesting and processing personal data and special categories of personal data which is required either:
- For the fulfilment of a contract; or
- Because it is legally required; or
- For a legitimate business reason.
Outside of these circumstances, other data will only be obtained and processed when freely given consent has been provided by the individual. There will be no discrimination if consent is withheld.
Data Processing & Security
We promise to maintain a high level of security. Any personal data or special categories of personal data that an individual provides will only be processed in accordance with our policies and will be stored securely in an electronic or hard copy form.
Our IT systems are well supported by fully GDPR-compliant providers who place security at the height of their decision making, and any hard copy documentation is locked away with restricted access.
Any third-party IT systems, software or organisations to which data is transferred, whether inside or outside the EEA, are checked for GDPR compliance in advance of any transfer.
In the highly unlikely event of a breach we will ensure timely reporting to meet all GDPR expectations.
Employee Confidentiality and Training
All of our employees are required to sign a confidentiality agreement as part of their employment and complete mandatory confidentiality and GDPR training, which includes expected behaviour with respect to the protection of information.
Data Return and Retention of Data
We are able to amend, supply or delete personal data or special categories of personal data at any time upon request and commit to doing this without unreasonable delay, unless we require it to be kept lawfully or for legitimate business reasons.
We commit to retaining personal data and records only for periods of time which are deemed to be relevant and justifiable.
We have robust IT systems, data back-up and disaster recovery plans in place.
GDPR Compliance and Contact Details
Under GDPR requirements, we are not required to have an appointed Data Protection Officer; however, in taking our obligations seriously, the Managing Director, Simon Royston, has ultimate responsibility for GDPR with support from an internal Compliance Officer.
Any questions or queries can be directed to: firstname.lastname@example.org
You have the right to make a complaint to the ICO (www.ico.org.uk); however, we would like to address any concerns and ask that you contact us in the first instance.