What is GDPR (General Data Protection Regulation). In 2018, new data protection rules will enforce greater obligations on organisations whilst giving more rights to individuals in relation to how their personal data is processed and stored.
The rules are set out in the GDPR – this is a piece of European legislation which came into play on 25th May 2018.
Who we are and what we do, we are a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Business Regulations 2013.
We collect personal data from the following types of people to allow us to undertake our business
Prospective and placed candidates for permanent and contract roles
Prospective and live client contacts
Supplier contacts to support our services
Employees, consultants, temporary workers
Where we obtain your information
We may obtain candidate information from any number of locations:
When you register with our website or apply for jobs via our website
When you correspond with us by phone, email or otherwise
When you visit our website
When you register your CV on a job board and it matches the skills we recruit for
When you apply for one of our jobs via a job board
When you are referred by a friend / colleague
Your online profiles
When we obtain your information from external sources such as LinkedIn, corporate websites and job boards we will inform you, by sending you this privacy notice, within a maximum of 30 days of collecting the data of the fact we hold personal data about you, the source the personal data originates from, and for what purpose we intend to retain and process your personal data.
There are two main ways in which we collect client data
Directly from you
From third parties such as candidates, online job boards, LinkedIn and networking.
Data Storage and Processing
All of the personal data we hold about you will be processed by our staff in the United Kingdom, and accessed by our secure, cloud-based CRM system. We take all reasonable steps to ensure that your personal data is processed securely and prevent unauthorised access to, and misuse of your personal data.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential.
We will delete candidate personal data from our systems if we have not had any meaningful contact with you for five years (or for such longer period as we believe, in good faith, that the law or relevant regulators require us to preserve your data). After this period, it is likely your data will no longer be relevant for the purposes for which it was collected.
We will consider there to be meaningful contact with you if you submit your updated CV onto our website, apply for jobs with us or we receive an updated CV from a job board. We will also consider it meaningful contact if you communicate with us about potential roles, either by verbal or written communication or engage with any of our marketing communications.
Under new data protection regulations (GDPR), we are required to keep the data we hold accurate and, where necessary, up to date. As such, we will make an effort to regularly communicate with you to ensure your data is up to date and accurate.
Whilst we will endeavour to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within an archive system. While certain details may still exist on an archive system, this cannot be readily accessed by any of our operational systems, processes or staff.
Article 6(1)(f) of the GDPR is the one that is relevant here – it states that we can process your data where it “is necessary for the purposes of the legitimate interests pursued by [us] or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data.”
We think that it is reasonable to expect that if you’re looking for employment or have posted your professional information on a job board or professional networking site, you are happy for us to collect and otherwise use your personal data to offer or provide our recruitment services to you, share that information with prospective employers with your consent (please see below) and assess your skills against our clients requirements and the current vacancies we have.
Wherever possible we will obtain your specific consent to process your data and this will normally be when representing you for specific opportunities. We will not share your data with a third party without obtaining your “consent” and wherever possible we will try and get this in written form, but on occasions we may have to rely on verbal consent too.
Right to withdraw consent:
If you have given consent to us, you have the right to withdraw that consent at any time. If we receive a request from you to withdraw consent, we will stop processing your data right away.
Right to Object:
You have the right to object to your data being processed. If you wish to object to your data being processed, please email to email@example.com with your request and we will respond accordingly.
Data Subject Access Requests
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. If you wish to access your data at any time, please email to firstname.lastname@example.org with your request and we will respond accordingly.
If you make a SAR, we will respond as quickly as we can and usually within 7 days of receiving the request. Please be aware time to time it may take longer than that, but we are legally required to respond within 40 calendar days of receiving the request.
There is no cost connected with providing you this information, but it is worth noting we can legally apply an administration cost to multiple requests for the same information or possibly refuse to comply for the same reason.
If you wish to request an SAR, you can do so by e mailing email@example.com and putting in the subject bar – “SUBJECT ACCESS REQUEST”.
Right of Rectification of inaccurate or incomplete data:
You have the right to request that we correct any incomplete data we may hold on/about you. We will aim to respond to any such request within 2 weeks, but it shall normally be with 48hrs.
If you wish to request for any inaccurate data to be corrected or completed, you can do so by e mailing firstname.lastname@example.org and putting in the subject bar – “RIGHT OF RECTIFICATION REQUEST”.
Right to Erasure:
You can request that any details/information we hold of yours be deleted. This is not an absolute right though and we can still legally keep personal data if we have a legal basis to do so. If you request for your data to be erased, we may ask whether you just do not want to hear from us for a matter of time or if you want your data to be deleted permanently. We may still contact you in the future, if we find your information on a third-party job board for instance as we will not have any record we have been in contact with you in the past. We are legally required to keep some information such as ID or right to work checks and payroll records for a certain period of time. These obligations will override any request to erase data or any objection to procession for so long as we must keep the data.
If you wish to make a Right to Erasure request, please read the following:
Upon submitting such a request, the information we will provide you with is:
a copy of the information comprising the data; and given details of the source of the data (where this is available) confirmation / evidence that any records and information we hold on you has been permanently deleted If you make a Right to Erasure request, we shall respond as quickly as we can and usually within 48hrs of receiving the request. It is worth noting from time to time it may take longer than this, but we are legally required to respond within 40 calendar days of receiving the request.
If you wish to place a ‘Right to Erasure’ request, you can do so by e mailing info@sqtconsulting. com and putting in the subject bar– “RIGHT TO ERASURE REQUEST”.
Personal data breaches:
If Bamber Education identifies or thinks we have suffered data breach e.g.; a loss or theft of personal data, we will inform the ICO (Information Commissioners Office). If there is a high risk to any individual in relation to the data loss we will also immediately inform you
Questions, comments or requests regarding this privacy notice are welcomed and should be addressed to email@example.com