- What is GDPR (General Data Protection Regulation)?
- Data Controller
- Personal Data – What is it?
- How is Your Personal Data Collected?
- On What Legal Basis are we Relying on to Process Your Data?
- How We Use Your Personal Data
- Disclosing your Personal Data to Third Parties
- IP Addresses and Cookies
- Transferring Your Personal Data Outside of the UK/Europe
- Data Security
- How Long we Retain your Personal Data
- Your Legal Rights
- Additional Information, Response Times and Fees
2. What is GDPR (General Data Protection Regulation)?
On the 25th May 2018, new data protection rules will impose greater obligations on organisations whilst giving more rights to individuals in relation to how their personal data is processed. The rules are set out in the GDPR – this is a piece of European legislation (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ )
3. Data Controller
IT Mob Limited is the data controller and responsible for your personal data (collectively referred to as “IT Mob Limited”, “we”, “us” or “our” in this privacy notice). IT Mob Limited is the data controller and responsible for this website, the processing of client and candidate data and the provision of recruitment services. We can be contacted at: IT Mob Limited, Town Hall, Lodge Road, West Bromwich, B70 8DY Tel: 0845 643 9060 Email: email@example.com IT Mob Limited is registered under Data Protection Act 1998. Reg.No. Z1279697 You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
4. Personal Data – What is it?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Whether you are candidate, contractor, client, supplier, or website user, we may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data includes first name, last name, username or similar identifier, title, job role or position held.
- Contact Data includes postal address, email address and telephone numbers, which may include professional contact details.
- Financial Data of our clients or suppliers including bank details you may supply to us.
- Transaction Data includes details about payments from you or your company following use of our services.
- Technical Data includes internet protocol (IP) address, time zone setting and location, operating system and platform and other technology on the devices you use to access this website.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
There is also a category of data called sensitive personal data which includes information on physical and mental health, sexual orientation, race or ethnic origin, religious beliefs, trade union membership and criminal records. We do not collect this data, except in rare circumstances where it is legally required (eg security clearance, diversity information etc). Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.
5. How is your Personal Data Collected?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, Contact, Job title, Position, Employer or Role by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- Fill the contact form on our website;
- Request marketing to be sent to you;
- Contact us directly;
- Provide us your details at a job fair or any event that we run;
- Give us some feedback.
- Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
- Social media and Job boards based inside or outside the EU, and the Internet (for example, public LinkedIn accounts or from your professional profile on your company’s website)
- Identity and Contact Data from publicly availably sources such as Companies House and the Electoral Register based inside the EU.
- 6. On What Legal Basis are we Relying on to Process Your Data?
- Legitimate Interests :
Article 6(1)(f) of the GDPR is the one that is relevant here – it says that we can process your data where it “is necessary for the purposes of the legitimate interests pursued by (us) or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of (you) which require protection of personal data.”
- We think it’s reasonable to expect that if you are looking for employment or have posted your professional CV information on a job board or professional networking site, you are happy for us to collect and otherwise use your personal data to offer or provide our recruitment services to you, share that information with prospective employers with your consent (please see below) and assess your skills against our clients requirements and the current vacancies we have.
- We consider that our legitimate interests as a recruitment agency and those of our clients to fill vacancies are not out of balance with your interests or rights as an individual. We consider that in this instance, our legitimate interests are likely to align with yours, as the aim is to find a new job or assignment.
Wherever possible we will acquire your specific consent to process your data and this will usually be when representing you for specific opportunities. We will not share your data with a 3rdparty without your “consent” and wherever possible we will try and get this in written form, but on occasions we may have to really on verbal consent too.
7. How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
The purposes for which your personal data will be used include:
- Registering as a new client, candidate, or supplier
- The provision of recruitment services (client), and work-finding services(candidate)
- Management of the relationship of clients, candidates, and suppliers
- To administer and protect our business and this website
- To use data analytics to improve the website, marketing, customer relationships.
- To make suggestions and recommendations to you about candidates or clients and to provide general staffing and recruitment assistance and advice or do business with you as a supplier.
Change of Purpose
- We will only use your personal data for the purposes for which we collected it (eg the provision of recruitment services (client), and work-finding services(candidate), unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
- If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
- We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- 8. Disclosing your Personal Data to Third Parties
We may have to share your personal data with third parties such as.
- Candidates, Contractors or Clients
- Specific third parties such as accountants, lawyers, tax administration,etc
- Government agencies such as HMRC, UK Border Agency, Home Office, Police and other law enforcement agencies
- Recruitment regulatory bodies such as The Recruitment & Employment Confederation(REC)
- Suppliers such as data centres, cloud storage, IT service providers, e-mail providers and data base managements systems (in this case, we will ensure that data is encrypted or anonymised to protect your privacy rights).
Where applicable, we will impose appropriate contractual, security, confidentiality and other obligations on to third party service providers and processors we have appointed, based on the nature of the services they provide to us. We will only permit them to process your personal data in accordance with the law and our instructions. We do not allow them to use your personal data for their own purposes and when our relationship ends we will ensure your personal data is securely returned or destroyed.
9. IP Addresses and Cookies
10. Transferring Your Personal Data Outside of the UK/Europe
From time to time, we may transfer your personal data outside the European Economic Area (EEA) such as when using, social media and other web-based platforms such as LinkedIn, cloud storage, email services or data centres, or when providing your contact details to our candidates or clients who may be based outside of the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to your personal data by ensuring that at least one of the following safeguards is implemented:
- We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- Where we make transfers to the US, we may transfer data to third parties if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
- 11. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
12. How Long we Retain your Personal Data
IT Mob Limited will retain your personal data for as long as necessary to fulfil the purposes that we collected it for. This means we will keep your personal data throughout the period of your relationship with us and whilst we are providing you with work finding services or recruitment services. If you no longer wish to receive our services we will continue to retain your personal data on our Candidate database for a further period of 2 years after our relationship ends, so that we can comply with our regulatory obligations. However we will inactivate your candidate record and limit access to your personal data during this period. After the 2 year retention period expires, we will anonymise the personal data in our database so that we can no longer identify you. We are required by law to keep basic information about our Candidates, Clients and customers (including contracts, evidence of identity, financial and transaction data) for up to 7 years from when our relationship ends, for legal, compliance and tax purposes. Where there is no retention period stated in law, we determine the appropriate retention period for personal data by considering the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the data, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you and we cannot identify you). We do this for research or statistical purposes in which case we may use this anonymised data indefinitely without further notice to you.
13. Your Legal Rights
You have the right to:
- Request access to your personal data (commonly known as a ‘Data Subject Access Request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer (data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
If you wish to exercise any of the rights set out above, please send an email to firstname.lastname@example.org
14. Additional Information, Response Times and Fees
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights or when you make an informal request). This is a security measure to ensure that personal data is not disclosed to any person other than the individual who has the right to receive it. We may also contact you to ask you for further information in relation to your request to help us locate your data and to speed up our response. We try to respond to all legitimate requests within one month. It may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. You will not have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.