Data Protection Policy

All organisations that process personal data are required to comply with data protection legislation. This includes in particular the Data Protection Act 2018 (or its successor) and the EU General Data Protection Regulation (together the 'Data Protection Laws'). The Data Protection Laws give individuals (known as 'data subjects') certain rights over their personal data whilst imposing certain obligations on the organisations that process their data.

As a recruitment business the Company collects and processes both personal data and sensitive personal data. It is required to do so to comply with other legislation. It is also required to keep this data for different periods depending on the nature of the data.

This policy sets out how the Company implements the Data Protection Laws. It should be read in conjunction with the Data Protection Procedure.

In this policy the following terms have the following meanings:

* For the purposes of this policy, 'personal data' includes 'sensitive personal data' except where we specifically need to refer to sensitive personal data.

All defined terms are italicised throughout this policy.

The Company processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws. The Company has registered with the ICO — registration number Z1519596.

The Company may hold personal data for the following purposes:

• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Administration and processing of work-seekers' data for work-finding services
• Administration and processing of clients' data for supplying/introducing work-seekers

3.1 The data protection principles

The Data Protection Laws require that personal data is:

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, legitimate purposes and not processed incompatibly with those purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and kept up to date
5. Kept no longer than necessary
6. Processed with appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage
7. Demonstrably compliant — the data controller bears responsibility for compliance

3.2 Legal bases for processing

The Company will only process personal data where it has a legal basis for doing so (see Annex). It will regularly review the personal data it holds to ensure lawful processing. Before transferring personal data to any third party, the Company will establish that it has a legal reason for making the transfer.

3.3 Privacy by design and by default

The Company has implemented measures to ensure data protection is integral to all processing activities, including:

• Data minimisation (not keeping data longer than necessary)
• Pseudonymisation
• Anonymisation
• Cyber security

The Company shall provide information relating to data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other means including electronic.

4.1 Privacy notices

The Company will give individuals a privacy notice at the time it first obtains their personal data. Where data is collected indirectly, a privacy notice will be issued within one month. If further processing beyond the original purpose is intended, individuals will be informed before it begins.

4.2 Subject access requests

The individual is entitled to access their personal data on request from the data controller.

4.3 Rectification

Individuals have the right to request rectification of inaccurate or incomplete personal data. Where data has been passed to third parties, the Company will notify them of the rectification request unless impossible or disproportionate to do so.

4.4 Erasure

Individuals have the right to request erasure of their personal data. The Company will ask whether full removal is desired or retention on a do-not-contact list. Where data has been made public or shared with third parties, the Company will take reasonable steps to ensure erasure.

4.5 Restriction of processing

Individuals may request restriction of processing where:

• The accuracy of data is challenged
• The processing is unlawful and the individual opposes erasure
• The data is needed for legal claims but the Company no longer requires it
• The individual has objected to processing pending verification of legitimate grounds

4.6 Data portability

Individuals have the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another data controller where the processing is based on consent or contract and carried out by automated means. The Company will send data to a named third party on request where feasible.

4.7 Object to processing

Individuals may object to processing based on public or legitimate interest, including profiling. The Company will cease processing unless it has compelling legitimate grounds that override the individual's interests, or for the establishment, exercise or defence of legal claims. Individuals may also object to direct marketing at any time.

4.8 Enforcement of rights

All requests should be sent to the person listed in the Appendix. The Company will respond within one month, extendable by two further months for complex cases. Manifestly unfounded or excessive requests may be refused or charged a reasonable fee.

4.9 Automated decision making

The Company will not subject individuals to solely automated decisions that produce a legal or similarly significant effect, except where:

• Necessary for entering into or performing a contract
• Authorised by law
• The individual has given explicit consent

The Company will not carry out automated decision-making or profiling using the data of a child.

All data breaches should be referred to the person listed in the Appendix.

5.1 Where the Company is the data controller

The Company will take steps to contain and recover from any confirmed breach. Where a breach is likely to result in risk to the rights and freedoms of individuals, the Company will notify the ICO. Breaches outside the UK will be reported to the relevant supervisory authority.

5.2 Where the Company is the data processor

The Company will alert the relevant data controller as soon as it becomes aware of a breach.

5.3 Communicating breaches to individuals

Where a breach results in high risk to individuals, the Company will notify all affected individuals without undue delay. Notification is not required where:

• Appropriate technical measures (e.g. encryption) render the data unintelligible to unauthorised persons
• Subsequent measures ensure the high risk is no longer likely to materialise
• It would involve disproportionate effort — in which case a public communication will be made instead

All individuals have the following rights under the Human Rights Act 1998, which must be respected when dealing with personal data:

• Right to respect for private and family life (Article 8)
• Freedom of thought, belief and religion (Article 9)
• Freedom of expression (Article 10)
• Freedom of assembly and association (Article 11)
• Protection from discrimination in respect of rights and freedoms under the HRA (Article 14)

If you have a complaint or suggestion about the Company's handling of personal data, please contact the person listed in the Appendix below.

Alternatively, you can contact the ICO directly:

• Phone: 0303 123 1113
• Online: https://ico.org.uk/global/contact-us/email/

Sharon Hacker is responsible for:

• Adding, amending or deleting personal data
• Responding to subject access requests and requests for rectification, erasure, restriction, data portability, objection and automated decision-making
• Reporting data breaches and dealing with complaints
• Acting as or liaising with the Data Protection Officer where applicable