We at elite PiC take responsibility for all the data and personal information that we hold and use. We have reviewed our privacy policy on data protection and made sure that it is in line with the General Data Protection Regulation (GDPR), which was approved by the EU Parliament in April 2016 and was fully implemented by UK companies by May 25th 2018.
The GDPR seeks to improve individuals' data rights, primarily with regard to collection, usage, storage and disposal. In order to be compliant, it is necessary for us to completely review procedures and controls.
Consequently, we comply with the data protection laws and principles and therefore confirm that the following are our data protection principles:
- Data will be kept safe and secure.
- Data will be handled legally, responsibly and ethically.
- People are open and transparent about what data they are using and why.
- Data will be processed lawfully, fairly and transparently.
- Data will be collected only for specific legitimate purposes.
- Data will be adequate, relevant and limited to what is necessary.
- Data must be accurate and kept up to date.
- Data will be stored only as long as is necessary.
- We will ensure appropriate security, integrity and confidentiality.
- A Designated Data Officer (DDO) will be responsible for this important subject.
GDPR applies to 'personal data', meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
- Information must 'relate to' the identifiable individual to be personal data.
- This means that it does more than simply identify them - it must concern the individual in some way.
LAWFUL BASIS FOR PROCESSING PERSONAL DATA:
- We must have a valid lawful basis in order to process your personal data.
- The Privacy Notice includes our lawful basis for processing as well as the purposes of processing data.
- Consent: The individual has given clear consent to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: The processing is necessary to protect someone's life.
- Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
WE HAVE SELECTED LEGITIMATE INTERESTS AS OUR LAWFUL BASIS FOR PROCESSING:
Article 6(1)(f) of the Regulation:
"Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
This can be broken down into a three-part test:
- Purpose test: Are you pursuing a legitimate interest? Yes, the nature of our business requires us to collect, store and process personal data on employees for the purpose of forming contracts of employment, maintaining emergency contacts and registration etc. with various legal and regulatory bodies such as HMRC, Workplace Pension provider, UKVI. The nature of our business requires us to collect, store and process personal data on clients for the purposes of finding them a new job with prospective employers.
- Necessity test: Is the processing necessary for that purpose? Yes.
- Balancing test: Do the individual’s interests override the legitimate interest? No, we cannot employ someone without processing personal data and we cannot carry out our business activities without processing certain personal data.
We use data in ways that people would reasonably expect and that have a minimal privacy impact. This further supports our choice of legitimate interests as our lawful basis.
THE TIME PERIOD FOR WHICH WE HOLD YOUR INFORMATION:
Our data retention policy states that we retain your personal information for a year after a decision has been made about your job application and appointment. We save your information in our database for a year so that, in the event of any legal claim, we have proof to show that we have carried out your recruitment process in a fair, legal and transparent way. After the said period of time, we remove and delete your personal information according to applicable laws.
In case you want us to hold on to your personal information, because you wish us to consider you for any new opportunity that may arise, you will need to write to us and give us formal consent to retain your personal information for a particular period of time.
THE CATEGORIES OF INFORMATION WE HOLD ABOUT YOU:
To further your application for work, we will collect, store, and use the following categories of personal information about you:
- The information you provide in your curriculum vitae and cover letter.
- The information you provide on application forms, including your name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications, referencing details.
- The information you provide during your interviews.
- Marks or results, where applicable.
GDPR PROVIDES THE FOLLOWING RIGHTS FOR INDIVIDUALS (CANDIDATES):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The Right to be Informed:
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
- We provide individuals with information including: our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’.
- We provide privacy information to individuals at the time we collect their personal data from them.
- If we obtain personal data from other sources, we provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
- There are a few circumstances when we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
- The information we provide to people is supposed to be concise, transparent, intelligible, easily accessible, and we use clear and plain language.
The Right of Access:
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- We take around one month to respond to a request.
- We cannot charge a fee to deal with a request in most circumstances.
The Right of Rectification:
- GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
- An individual can make a request for rectification verbally or in writing.
- We take one calendar month to respond to a request.
- In certain circumstances we can refuse a request for rectification.
The Right of Erasure:
- GDPR introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- We take one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which GDPR places an obligation on us to consider whether to delete personal data.
The Right to Restrict Processing:
- Individuals have the right to request the restriction or suppression of their personal data.
- When processing is restricted, we are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing.
- We take one calendar month to respond to a request.
The Right to Data Portability:
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The Right to Object:
- GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- Individuals have an absolute right to stop their data being used for direct marketing.
- In other cases where the right to object applies, we may be able to continue processing if we can show that we have a compelling reason for doing so.
- We tell individuals about their right to object.
- An individual can make an objection verbally or in writing.
- We take one calendar month to respond to an objection.
The Right To Withdraw Consent:
When you apply for any given job role, you provide your consent to us processing your personal information for recruitment purposes. However, you have every right to withdraw your consent for processing at any time. If you decide to withdraw your consent, please contact our Designated Data Officer. Once we receive the notification that you have withdrawn your consent, we will not process your application any further, and subject to our retention policy we will dispose of your personal data.
DATA SHARING:
Your data will only be shared with the Home Office, where required by the published Immigration Rules or published Guidance, that is relevant to your application.