Privacy Policy
1. INTRODUCTION
We are Better Days Recruitment Limited (we, us or our, or the Company), a registered company in England under company number 11121134 with our registered offices at 30/34 North Street, Hailsham, East Sussex, BN27 1DW.
We act as an “employment agency” for the introduction and placement of candidates for permanent and or fixed term roles with our clients for the purposes of the Conduct of Employment Agency and Employment Businesses Regulations (2003) (Conduct Regulations) and as an “employment business” in respect of the introduction and supply of contract resource for temporary and or contract roles with our clients for the purposes of the Conduct Regulations.
We are required to comply with the Conduct Regulations and other employment related laws in the provision of our respective temporary and or permanent recruitment services.
We are registered with the Information Commissioner’s Office (ICO) and our registration number is ZA304931.
This Privacy Policy sets out our obligations under GDPR and clarifies how we will process the personal data (that is information which identifies a natural person) of our Clients, Suppliers, our Personnel, Candidates, Contract Resource, and any other persons whom we process personal data on (Category of Person) in the course of our recruitment activities (Personal Information).
We acknowledge that we are required to comply with the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 and which includes any amendments, variations, and or any successor to such legislation.
In processing Personal Information in accordance with GDPR, processing includes but is not limited to us obtaining, recording and holding personal information, transferring and disclosing information to third parties, and storing, erasing, and disposing of such Personal Information.
This Privacy Policy applies to all Personal Information regardless of the media on which that data is stored or whether it relates to any past or present Individuals who fall within the Category of Persons above.
2. CHANGES
This privacy policy may be updated from time to time by the data protection manager or officer (DPO). The DPO is responsible for overseeing this Privacy Policy and this post is held by Ceres Jenkins.
We reserve the right to change this Privacy Policy at any time so please check back regularly to obtain the latest copy of this Privacy Policy. We last revised this Privacy Policy on 1st December 2018. This Privacy Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.
3. PERSONAL DATA PROTECTION PRINCIPLES
We adhere to the principles relating to processing of Personal Information set out in the GDPR which require Personal Information to be:
(a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
(b) Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
(c) Adequate, relevant and limited to what is necessary in relation to purposes for which it is processed (Data Minimisation).
(d) Accurate and where necessary kept up to date (Accuracy).
(e) Not kept in a form which permits identification of Individuals for longer than is necessary for the purposes for which the data is processed (Storage Limitation).
(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
(g) Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
(h) Made available to Individuals and Individuals allowed to exercise certain rights in relation to their Personal Information (Individual’s Rights and Requests).
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
4. LAWFULNESS, FAIRNESS, TRANSPARENCY
4.1 LAWFULNESS AND FAIRNESS
Personal Information is processed lawfully, fairly and in a transparent manner in relation to any Individual whom we may process Personal Information about.
We only collect, process and share Personal Information fairly and lawfully and for specified purposes when undertaking our duties in connection with our recruitment activities. We may only process Personal Information for specified purposes. These restrictions are not intended to prevent us processing but ensure that we process Personal Information fairly and without adversely affecting the Category of Person concerned.
The GDPR allows processing for specific purposes, some of which are set out below as they are applicable to our processing activities:
(a) the Individual has given his or her consent (Consent);
(b) the processing is necessary for the performance of a contract with the Individual (Contract Necessity);
(c) to meet our legal compliance obligations (Legal Obligations);
(d) to pursue our legitimate interests for purposes where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of Individuals (Legitimate Interests).
The purposes for which we process Personal Information for legitimate interests are set out in the applicable Privacy Notice. Our purposes in the main fall within (b)-(d), with limited application of the requirement for Consent under (a). Where we rely upon purposes outside of Consent, our obligation is satisfied on issuing a Privacy Notice to the Category of Person concerned in accordance with the timeframes set out in the GDPR.
We have identified and documented categories of Personal Information we process, our processing activities, and our legal grounds for each processing activity in relation to all Categories of Person. These are specifically set out in our published Privacy Notice. We will only process Personal Information of the type we are required to process, for processing activities and on grounds that have been published, unless otherwise directed by the DPO.
4.2 CONSENT
Given the nature of our recruitment activities, there will be limited circumstances in which we may require the consent of an Individual to process their Personal Information. Consent requires affirmative action so silence, pre-ticked boxes or inactivity will not be sufficient for us to rely upon and we must allow Individuals to withdraw their consent to processing at any time. Consent does not last forever, and we may have to refresh consent in situations where we may require this.
We anticipate that circumstances in which consent may be required will be limited to:
· processing of personal information which reveals the racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, or biometric or genetic data of an Individual (Special Categories of Personal Data) or data relating to criminal convictions and offences (Criminal Convictions Data);
· Sharing and disclosing of personal information to a third party in a country outside of the EEA;
· Where our clients may require us to undertake certain activities which requires us to obtain the consent of an Individual; and/or
· If we ever in the future make decisions regarding Individuals based solely on automated processing of their personal information (use automated means to evaluate personal aspects of an Individual e.g. to analyse or predict aspects of their performance at work, their interests, reliability, behaviour, including profiling an Individual and which could significantly affect an Individual) (Automated Decision Making).
Unless we can rely on another legal basis of processing, a clear and specific statement of consent (Explicit Consent) is usually required for processing special categories of Personal Data and Criminal Convictions Data, for Automated Decision-Making and for cross border data transfers.
Usually we will be relying on another legal basis (and not require Explicit Consent) to process most types of Special Categories of Personal Data and Criminal Convictions Data. Where Explicit Consent is required, we will provide you with relevant documentation to issue and capture Explicit Consent from the Individual concerned and our procedures for storing such consent.
4.3 TRANSPARENCY (NOTIFYING INDIVIDUALS)
Whenever we collect Personal Information directly from Individuals, whether in connection with our recruitment services, and including for human resources or employment purposes, we must provide the Individual with all the information required by the GDPR including our full identity as a company and the details of our DPO, and how and why we will use, process, disclose, protect and retain that Personal Information. We provide this level of information through our Privacy Notice which must be presented when an Individual provides their Personal Information to us, which we have already referred to above.
Our Privacy Notices comply with GDPR, and contain the following statutory information required:
a) Our details including, but not limited to, the identity of our DPO;
b) The purpose(s) for which the Personal Information is being collected and will be processed (as detailed in the Privacy Notice) and the legal basis justifying that collection and processing;
c) Where applicable, the legitimate interests upon which we justify our processing of Personal Information;
d) Where the Personal Information is not obtained directly from the Individual, the categories of Personal Information collected and processed;
e) Where the Personal Information is to be transferred to one or more third parties, details of those parties;
f) Where the Personal Information is to be transferred to a third party that is located outside of the EEA, details of that transfer, including but not limited to the safeguards in place (see Section 11 of this Privacy Policy for further details);
g) Details of data retention;
h) Details of the Individual’s rights under the GDPR;
i) Details of the Individual’s right to withdraw their consent to our processing of their Personal Information at any time;
j) Details of the Individual’s right to complain to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for GDPR;
k) Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the Personal Information and details of any consequences of failing to provide it; and
l) Details of any automated decision-making or profiling that will take place using the Personal Information, including information on how decisions will be made, the significance of those decisions, and any consequences.
When Personal Information is collected indirectly (for example, from a third party or publicly available source), we will provide the Individual with all the information required by the GDPR as soon as possible after collecting/receiving the data. We will also check that the Personal Information was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed processing of that Personal Information. We are required to disclose to Individuals in this circumstance where we obtained their Personal Information from.
5. PURPOSE LIMITATION
We will only collect Personal Information for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes. Our Privacy Notice makes it clear to all Categories of Person for what purpose we collect and process Personal Information based on the Category of Person.
Should it become necessary for us to change the purpose for which we obtain Personal Information at any time, our DPO will notify all Categories of Persons of any changes to our published Privacy Notice and or any requirements to obtain consent from any Individuals where this may be required.
6. DATA MINIMISATION
We will only process Personal Information that is adequate, relevant and limited to what is necessary in relation to the purposes for which we require processing.
We will not process Personal Information for any reason unrelated to our role and duties.
We ensure that when recording Personal Information in our systems that we are mindful of the amount of Personal Information you obtain and record in respect of the Individual concerned. We will only record Personal Information that is necessary for our recruitment activities and in particular that such Personal Information falls within our Category of Personal Information Lists for each Category of Person in our Privacy Notice.
7. ACCURACY
We will use all reasonable endeavours to ensure that Personal Information is accurate and, where necessary, kept up to date. It must also be corrected or deleted without delay when inaccurate.
For our recruitment activities, we will check the accuracy of any Personal Information at the point of collection with an Individual and at regular intervals afterwards during the course of our relationship with an Individual. Accordingly, when we speak to our Candidates, our Contract Resource, and or our Clients, about potential roles whether permanent and or temporary in nature we should always seek to check that the Personal Information we hold is up to date within our systems, particularly if there has been a gap in time since our last interaction with that particular Individual.
We will action any requests from any Category of Person to update their Personal Information and or we may receive this request as part of a more formal request for information and exercising of other rights by the Individual under GDPR.
We will not delete, destroy or otherwise amend Personal Information of any Candidate, Contract Resource or Other Person in the ordinary course of our dealings with those Individuals other than in respect of obvious inaccuracies or out of date Personal Information unless with the consent of the DPO or where instructed by the DPO to do so.
Any amendment to any Personal Information of any Personnel may only be conducted by the DPO.
8. STORAGE LIMITATION
We will not keep Personal Information for longer than is necessary for the purposes for which we require Personal Information to be processed.
Our Privacy Notices to Categories of Persons explain how long we will hold Personal Information for, as is required under GDPR.
Our guidelines explain that Personal Information will be maintained for at least the minimum periods of time required by law, and for any period exceeding this based upon our needs in the delivery of and provision of our recruitment services.
All formal requests from Individuals to delete their Personal Information from our systems are directed to the DPO to be handled as there are clear obligations and rules relating to steps we must take when responding to and or complying with such a request.
No deletion of Personal Information will be undertaken by any Personnel (other than the DPO in respect of Personnel records) unless with the written agreement of the DPO and only then in accordance with our guidelines on retention.
9. SECURITY INTEGRITY AND CONFIDENTIALITY
9.1 PROTECTING PERSONAL DATA
We will ensure that Personal Information is secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Information that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of Personal Information.
We will not share, transfer and or otherwise disclose Personal Information relating to any Individual unless in accordance with our Privacy Notice.
9.2 REPORTING A PERSONAL DATA BREACH
A Personal Data Breach means any act or omission that compromises the security, confidentiality, integrity or availability of Personal Information or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Information is a Personal Data Breach.
We are required to notify any Personal Data Breach to the Information Commissioner’s Office (ICO) and, in certain instances, the Individual whose Personal Information has been compromised.
We have put in place procedures to deal with any suspected Personal Data Breach and will notify Individuals or any applicable regulator where we are legally required to do so.
10. TRANSFER LIMITATION
The GDPR restricts data transfers to countries outside the EEA (which means the 28 EU member states plus Iceland, Norway and Liechtenstein) in order to ensure that the level of data protection afforded to Individuals by the GDPR is not undermined. We may transfer Personal Information originating in one country across borders when we transmit, send, view or access that data in or to a different country.
We may only transfer Personal Information outside the EEA if one of the following conditions applies:
(a) the European Commission has issued a decision confirming that the country to which we transfer the Personal Information ensures an adequate level of protection for the Individuals’ rights and freedoms;
(b) appropriate safeguards are in place (i.e. we have secured standard contractual clauses approved by the European Commission with our Clients and or Suppliers), a copy of which can be obtained from the DPO;
(c) the Individual has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
(d) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Individual, reasons of public interest, to establish, exercise or defend legal claims and, in some limited cases, where it is necessary for our legitimate interest.
We will always seek to avoid the need for Explicit Consent where possible, but if a Category of Person to whom we wish to disclose the Personal Information is not willing to provide the appropriate comfort to us in their contract with us we will seek the Explicit Consent of the Individual affected by the transfer of Personal Information outside of the EEA.
11. INDIVIDUAL’S RIGHTS AND REQUESTS
Individuals have rights when it comes to how we handle their Personal Information. These include rights to:
(a) withdraw Consent to processing at any time;
(b) receive certain information about the Data Controller’s processing activities;
(c) request access to their Personal Information that we hold (SAR);
(d) prevent our use of their Personal Information for direct marketing purposes;
(e) ask us to erase Personal Information if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
(f) restrict processing in specific circumstances;
(g) challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
(h) request a copy of an agreement under which Personal Information is transferred outside of the EEA;
(i) object to decisions based solely on Automated processing, including profiling (ADM);
(j) prevent processing that is likely to cause damage or distress to the Individual or anyone else;
(k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
(l) make a complaint to the supervisory authority; and
(m) in limited circumstances, receive or ask for their Personal Information to be transferred to a third party in a structured, commonly used and machine-readable format.
12. ACCOUNTABILITY
12.1 General
We are required to implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. We are also responsible for, and must be able to demonstrate, compliance with the data protection principles. We have appointed a DPO who will take responsibility for our GDPR compliance including the following responsibilities and activities:
(b) implementing Privacy by Design when processing Personal Information and completing DPIAs where processing presents a high risk to rights and freedoms of Individuals whose personal information we are intending to process;
(c) integrating data protection into internal documents including this Privacy Policy, our Procedures, our guidelines and Privacy Notices;
(d) regularly training Personnel on the GDPR, this Privacy Policy, our Procedures, our guidelines and data protection matters and maintaining a record of training attendance by Personnel;
(e) maintaining records of personal information collected, held, and processed, as required under GDPR; and
(f) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
If you have any query regarding any aspect of our data protection obligations, our processes, our guidelines and or with regard to our policies and notices, you should always raise your concern or query with the DPO.
The DPO will manage and maintain such corporate records and you will comply with any request or instruction made by the DPO in respect of our corporate records. You will comply at all times with our record keeping guidelines.
12.2 Training and Audit
In accordance with our obligations under GDPR, all our personnel will be required to attend all data privacy related training required by us during the course of their employment.
12.3 Privacy by Design and Data Protection Impact Assessments (DPIA)
We will ensure that we apply privacy by design principles to our business activities, meaning that we will always ensure that we are mindful of and consider the impact of data protection rights and laws on our business operations and activities. In particular, we will carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal information within our business operations, as part of our compliance with ensuring that appropriate technical and organisational measures are always in place to protect the rights and freedoms of Individuals. Usually, this will occur where we look to use new technologies in our recruitment activities and or we wish to introduce new processing methods which are likely to result in a high risk to the rights and freedoms of Individuals under the GDPR.
The DPO will always take responsibility with respect to DPIAs and which will include addressing the risks posed to Individuals, risks to the business and to Personnel, the necessity and need for the use of Personal Information or project, each time we wish to undertake an activity which we believe requires a DPIA.
13. AUTOMATED PROCESSING (INCLUDING PROFILING) AND AUTOMATED DECISION-MAKING (ADM)
At the moment, we do not utilise automated processing and or automated decision making as part of our recruitment activities. Our business relies on its recruitment consultants making decisions about the suitability of candidates for a role based on their review and interview of candidates. We do not use systems to profile our candidates or select a candidate for a role without human intervention.
If you are concerned that you may be undertaking an activity which potentially undertakes any automated processing (including profiling) or ADM activities, please notify the DPO immediately.
14. DIRECT MARKETING
We are subject to certain rules and privacy laws when marketing to our customers, which includes our Candidates, Contract Resource and our Clients.
We are entitled to market to our customers on the basis of our legitimate interest for GDPR purposes, subject always to any other laws affecting our right to market and provided that we make it clear to Individuals whom we may market to that they have a right to object to our direct marketing. Our Privacy Notices to our Categories of Persons expressly set out this right and how an Individual may exercise that right, which should be via email to the DPO.
We will always ensure that if we receive a request from an Individual in respect of any objection to marketing or any concern regarding our marketing activities, such request or query should be forwarded to the DPO immediately.
15. SHARING PERSONAL DATA
We will only share the Personal Information we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
We will only share the Personal Information we hold with third parties, such as our service providers if:
(a) they have a need to know the information for the purposes of providing the contracted services;
(b) sharing the Personal Information complies with the Privacy Notice provided to the Individual concerned and, if required, the Individual’s Consent has been obtained;
(c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
(d) the transfer complies with any applicable cross border transfer restrictions; and
(e) a fully executed written contract that contains GDPR approved third party clauses has been obtained.
Annex A – Privacy Policy Definitions:
Candidate or candidate: Individuals who approach us seeking a new role or to discuss a role that they have become aware of, who respond to an advertisement we publish in respect of a role, or who we approach as someone who may be interested in a role we are currently seeking to fulfil for a client organisation or who may be interested in future roles we may have; who are Individuals and in respect of who we process Personal Information.
Contract Resource or contract resource: Individuals who are Candidates and who are subsequently supplied on a contract assignment to a Client, and whether engaged by us directly as a PAYE Worker or engaged under contract through their personal service company or employed or engaged via an umbrella company; who are Individuals and in respect of whom we process Personal Information.
Client or client: any person (natural or legal) to whom we provide and deliver our recruitment services, whether as an employment agency and or an employment business and which includes any other recruitment agency acting as a master vendor, recruitment process outsourcing service provider, managed service provider or similar service provider who we contract with to deliver our recruitment services.
Emergency contact/next of kin: any family member or other person whom any Individual.
Personal Information: any information identifying an Individual or information relating to an Individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Information means Personal Information defined in GDPR and which includes Special Categories of Personal Data but excludes anonymous data or data that has had the identity of an Individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal Information specifically includes but is not limited to the categories set out in the privacy notice on our website.
Other Persons: any personnel of any Client or Supplier, any Referee, Emergency contact/next of kin, who are Individuals, any website user that does not fall into the above list, and or any other Individual whom we may process Personal Information on in the provision of our recruitment services and or arising from the operation of our business.
Referees: any person whom any Individual may give us details of to allow us to verify employment history, suitability, technical competence, and or personal skills (as appropriate) of any Individual as part of our suitability and employment checks undertaken by us.
Supplier or supplier: any person (natural or legal) from whom we receive services including but not limited to IT service providers, accountants, HR providers, marketing consultancies, recruitment agencies whom we engage as a sub-contractor to us, rec to rec agencies (who help us find recruitment staff), and lawyers and other professional service providers.