Data Protection Policy

Last updated: July 2025

Introduction

All organisations that process personal data are required to comply with data protection legislation. The Company is committed to ensuring the security and protection of the personal data we process, and to providing a compliant and consistent approach to data protection in line with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) and other relevant legislation (together the ‘Data Protection Laws’).

As a recruitment business, the Company collects and processes both personal data and sensitive personal data, including data about the company personnel. It is required to do so to conduct its business and comply with other legislation. It is also required to keep this data for different periods depending on the nature of the data. 

This policy sets out how we collect, use, store, process and protect personal data and implement the Data Protection Laws. It should be read in conjunction with the Breach Policy and the Privacy Notice. 

This policy applies to all company personnel (‘you’, ‘your’). You must read, understand and comply with this policy when processing personal data on our behalf.

Definitions 

In this policy the following terms have the following meanings: 

  • ‘company personnel’ means all employees, workers, contractors, agency workers, consultants, directors, members and others. 
  • ‘consent’ means any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 
  • ‘data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Company is the data controller of all personal data relating to our company personnel and personal data used in our business for our own commercial purposes; 
  • ‘data processor’ means an individual or organisation which processes personal data on behalf of the data controller; 
  • ‘data subject’ means a living, identified or identifiable individual about whom we hold personal data; 
  • ‘personal data’ means any information relating to an individual who can be identified, such as by a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; 
  • ‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 
  • ‘sensitive personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sex life or sexual orientation and an individual’s criminal convictions; and 
  • ‘supervisory authority’ means an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).

The Company processes personal data in relation to company personnel, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws.

1. Collecting Personal Data

We may collect, use, store and otherwise process the following non-exhaustive list of information: 

  • Personal name and contact details; 
  • Emergency contact details;
  • Personal bank details; and 
  • Employment history and qualifications. 

We may collect, use, store and otherwise process sensitive data, such as health-related information or criminal offence data, when the data subject provides such information. This category of information is only processed with the data subject’s prior consent (unless the law otherwise permits us to process such data) and will be handled with a higher degree of protection at all times. Examples of when we might need to process sensitive data include when we are acting as your employer and require such information to comply with our legal and regulatory requirements (such as to verify your right to work and your identity), or to provide you with benefits such as statutory sick pay, or to enrol you in a pension scheme where applicable.

The Company may hold personal data on individuals for the following purposes: 

  • Staff administration; 
  • Advertising and marketing; 
  • Accounts and records; 
  • Administration and processing of work-seekers’ personal data for the purposes of providing work-finding services, including processing using software solution providers and back office support; and 
  • Administration and processing of clients’ personal data for the purposes of supplying/introducing work-seekers.

2. The Data Protection Principles

The Data Protection Laws require the Company acting as either data controller or data processor to process data in accordance with the principles of data protection. These require that personal data is:

  • Lawful, fair, and transparent: data processing must be lawful, fair, and transparent to the data subject;
  • Purpose limitation: personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes;
  • Data minimisation: organisations should only collect and retain the minimum amount of personal data necessary for the intended purpose;
  • Accuracy: personal data must be accurate and kept up to date, and inaccurate data should be rectified or erased without delay;
  • Storage limitation: personal data should not be kept for longer than necessary for the purpose for which it was collected;
  • Integrity and confidentiality (security): personal data should be processed in a way that ensures its security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage; and
  • Accountability: organisations are responsible for demonstrating compliance with all the data protection principles.

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. 

The Company will only process personal data where it has a legal basis for doing so. Where the Company does not have a legal reason for processing personal data any processing will be a breach of the Data Protection Laws. 

The UK GDPR allows us to process your personal data for specific purposes, and the bases on which we will primarily rely are set out below: 

  • The data subject has given their consent;
  • The processing is necessary for the performance of a contract with the data subject;
  • The processing is necessary to meet our legal compliance obligations; and
  • The processing is necessary to pursue our legitimate interests, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

The Company will review the personal data it holds on a regular basis to ensure that it is being lawfully processed and that it is accurate, relevant and up to date. The people listed in the Appendix are responsible for carrying out this review.

4. Privacy by Design and Default

The Company has implemented measures and procedures that adequately protect the privacy of individuals and ensure that data protection is integral to all processing activities. These include measures such as:

  • data minimisation; 
  • cyber security; 
  • privacy impact assessments, where necessary; 
  • staff training on phishing;
  • encryption on all mobile devices; 
  • banning of USB memory sticks;
  • password-protected CRM (e.g. Bullhorn);
  • role-based access controls;
  • encrypted emails and cloud storage;
  • two-factor authentication; and
  • regular audits and access reviews.

The Company shall provide any information relating to data processing to an individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. The Company may provide this information orally if requested to do so by the individual.

5. Data Subject Rights

Data subjects have the following rights:

  • Right to be informed – about how personal data is collected and used
  • Right of access – to obtain a copy of their personal data
  • Right to rectification – to correct inaccurate or incomplete data
  • Right to erasure (right to be forgotten) – under certain conditions
  • Right to restrict processing – in certain circumstances
  • Right to data portability – to obtain data in a structured format
  • Right to object – to processing based on legitimate interests or direct marketing
  • Rights related to automated decision making – if applicable

Requests should be submitted to the Data Protection Officer (DPO) listed at the end of this policy.

We will respond within one calendar month of receipt.

6. Data Retention

Candidate data, client contact details, and employee records are retained for as long as there is a legitimate business interest to do so, or until an individual requests deletion, unless we are legally or contractually required to retain it. 

Data will be securely deleted or anonymised once it is no longer required and no retention obligations remain.

7. Data Sharing and Transfers

We may share personal data with:

  • Clients and prospective employers;
  • Background check providers;
  • Payroll and compliance partners;
  • Legal/regulatory authorities when required.

We do not sell personal data. If personal data is transferred outside the UK, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or adequacy decisions).

8. Breach Notification

All personal data breaches must be reported immediately to the DPO. Where there is a risk to individuals’ rights and freedoms, the ICO will be notified within 72 hours, and affected data subjects will be informed without undue delay.

9. Review and Updates

This policy is reviewed annually or upon significant legal or business changes. All employees must familiarise themselves with this policy and complete relevant data protection training.

10. Contact

For questions, concerns, or to exercise your rights, please contact:

Data Protection Officer: Candice Dennison

Email: [email protected]

Tel: +44 (0)20 7608 5806