This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation which replaces the Data Protection Regulation (Directive 95/46/EC) The Regulation aims to harmonise data protection legislation across EU member states, enhancing privacy rights for individuals and providing a strict framework within which commercial organisations can legally operate.
Your new rights under the GDPR are set out in this notice, and were last updated on 10th May 2018.
The Information we collect
To carry out our core recruitment activities, we collect information about you which may include: your name, address and post code; private and corporate e-mail address and phone number; financial information and compliance documentation; references verifying your qualifications and experience and your right to work in the United Kingdom; curriculum vitae and photograph; employment details and preferences; links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, Facebook for Business or corporate website.
How we collect this information
The information we collect about you will be provided by you, either by filling out a form on our website [www.exceptionuk.com] or by corresponding with us by phone, e-mail or otherwise. It will also include information you provide when you register to use our website, subscribe to our services, attend our events, participate in discussion boards or other social media functions on our website, enter a competition, promotion or survey, and when you report a problem with our site.
We may also obtain information about you from other sources such as LinkedIn, corporate websites, job board websites, online CV libraries, your business card, personal recommendations, and any relevant social media sites. In this case – and within 30 days of collecting – we will inform you that we hold this personal data, the source the data originated from, whether it came from publicly accessible sources, and for what purpose we intend to retain and process your personal data.
Our legal basis for processing data
Our legal basis for the processing of personal data is: legitimate interest and consent when processing data for the purposes of recruitment.
Where we store your personal data
All information stored on our recruitment software is secured through the Microsoft Azure Infrastructure and located at two data centres locations within Europe. Our primary centre is located in Microsoft’s Western European centre, and these facilities are secured by a series of measures, including (but not limited to) biometric access, security alarm systems and round-the-clock security staff. Additional security information on Microsoft’s data centres can be found here.
How long we keep your data for
We retain different types of data for differing periods of time. The criteria we use to determine whether we should retain your personal data and how long for includes:
- The nature of the personal data
- Its perceived accuracy of your date
- Your engagement levels with our services
- Our legal obligations following an offer or when a placement has been made
We may archive part or all of your personal data, or retain it on our financial systems but delete all or part of it from our recruitment software system. On removal, we may anonymise parts of your data – particularly following a request for suppression or deletion of your data – to ensure we do not re-enter your personal data to our database, unless you have requested us to do so.
Our current retention period for data on candidates who have not been placed, or are no longer showing any signs of engagement with our website is 12 months.
The GDPR provides you with the following rights.:
- The right to be informed about the personal data we process on you
- The right of access to the personal data we process on you
- The right to rectification of your personal data
- The right to erasure of your personal data in certain circumstances
- The right to restrict processing of your personal data
- The right to data portability in certain circumstances
- The right to object to the processing of your personal data
- The right not to be subjected to automated decision-making and profiling
Therefore, we encourage you to log in to your profile through our website to ensure your data is accurate, complete and up to date at all times.
Fair Process Notification – Cifas
Exception is a member of Cifas – the UK’s leading anti-fraud organisation. Fraud prevention databases have been established for the purpose of allowing employers to share data on their employment fraud cases. This means that as part of our offer process (for either permanent or contract roles):
- We will check your details against the Cifas databases established for the purpose of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct (“Relevant Conduct”) carried out by their staff and potential staff. “Staff” means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term.
- The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and other relevant conduct and to verify your identity.
- Details of the personal information that will be processed include: name, address, date of birth, any maiden or previous name, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed.
- We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.
- We process your personal data on the basis that we have a legitimate interest in preventing fraud and other Relevant Conduct, and to verify identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us.
- Cifas will hold your personal data for up to six years if you are considered to pose a fraud or Relevant Conduct risk.
Consequences of Processing
- Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your engagement with us, your new engagement may be refused or your existing engagement may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally).
- A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please contact us using the details provided.
- Should Cifas decide to transfer your personal data outside of the European Economic Area, they will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Changes to our privacy notice
Any changes we make to our privacy notice in future will be posted on this page and, where appropriate, you will be notified by e-mail. Please check back frequently to view any updates or changes to our privacy notice or for any further information please email firstname.lastname@example.org.