General Data Protection Regulation
The purpose of this document is to detail the GDPR (General Data Protection Regulation) requirements and principles that Secure and Recruit Limited complies with when conducting any recruitment work.
The GDPR protects personal data, which is any information relating to an identified or identifiable natural person; a person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier.
2.1 Personal identifiers include a name, an identification number, location data or an online identifier.
2.2 Sensitive personal data is data in the GDPR's "special categories of personal data", i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
3. GDPR DEFINITIONS
3.1 GDPR applies to 'controllers' and 'processors' who access and process the personal data of 'data subjects' (the individuals the data relates to, e.g. a consumer, customer or respondent).
3.2 We (Secure and Recruit Limited) act as a controller, joint controller and/or processor of data depending on the requirements of each project we undertake.
3.3 A 'controller' (the Client/Agency) determines the purposes and means of processing personal data. As a controller, you/they are obliged to ensure that the processing complies with GDPR.
4. GDPR PRINCIPLES
The GDPR principles state that data must be:
4.1 Processed lawfully, fairly and in a transparent manner in relation to individuals.
4.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4.4 Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
4.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods only insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
4.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. RIGHTS FOR INDIVIDUALS
The GDPR provides the following eight rights for individuals:
5.1 The right to be informed
5.1.1 Individuals must be told, transparently, how their personal data is used.
5.2 The right of access
5.2.1 Individuals have the right to access their personal data and supplementary information.
5.2.2 Right of access allows individuals to be aware of and verify the lawfulness of the processing.
5.2.3 They have the right to obtain: confirmation that their data is being processed, access to their personal data, and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
5.3 The right to rectification
5.3.1 Individuals have the right to have their personal information rectified.
5.3.2 Personal data can be rectified if it is inaccurate or incomplete.
5.3.3 Any request from an individual must be responded to within one month; this can be extended by a further two months where the request is complex or where several requests have been received.
5.4 The right to erasure
5.4.1 Individuals have the right to have their personal data erased, in particular:
5.4.2 Where the data is no longer necessary in relation to the purpose for which it was originally collected or processed.
5.4.3 Where the individual withdraws consent or objects to the processing and there is no overriding legitimate interest for continuing the processing.
5.4.4 Where the personal data has to be erased in order to comply with a legal obligation.
5.5 The right to restrict processing
5.5.1 Individuals have the right to ‘block’ or suppress processing of personal data.
5.5.2 When processing is restricted, we may store the personal data but not further process it.
5.5.3 We may retain just enough information about the individual to ensure that the restriction is respected in the future.
5.6 The right to data portability
5.6.1 Allows individuals to obtain and reuse their personal data for their own purposes across different services.
5.7 The right to object
5.7.1 Individuals have the right to object to processing based on legitimate interests or on the performance of a task in the public interest or the exercise of official authority (including profiling).
5.7.2 Individuals have the right to object to processing for the purposes of recruitment.
5.8 Rights in relation to automated decision making and profiling
5.8.1 The GDPR has provisions on automated individual decision-making (decisions made solely by automated means, without any human involvement) and on profiling (automated processing of personal data to evaluate certain things about an individual).
6. PRIVACY NOTICE
6.1 Our compliance with GDPR, and any information relating to how we process data, is documented in our privacy notice, which is available on request.
7. CONTROLLER RESPONSIBILITIES
Data provided by the Client/Agency must comply with the GDPR principles set out above. All individuals must have consented to their data being used for the intended purpose.
The controller (Client/Agency) must ensure that individuals are aware of their rights (see section 5).
8. Secure and Recruit Limited RESPONSIBILITIES
As a supplier we confirm that we are GDPR compliant.
We will only act on the written instructions provided and will ensure that everyone in our organisation fully adheres to GDPR.
We will not engage a sub-contractor or sub-processor without your prior consent.
Any data we store will be stored securely, encrypted and backed up.
We keep records of all processing activities carried out and will comply with the GDPR rights for individuals, including subject access requests.
As set out in our Data Breach Policy, we will notify you of any personal data breach without undue delay; we are aware that breaches must be escalated to you as controller.
9. DATA RETENTION & DATA DISPOSAL
All data stored at Secure and Recruit Limited is stored in line with the GDPR and the Data Protection Act 2018.
Any personal data collected is disposed of on request. For paper documents such as paper questionnaires, any personal identifiers are removed before storage and the de-identified questionnaire is retained for 12 months.
We ensure that we dispose of personal, confidential and business-critical information in a secure manner.
Paper information is managed and disposed of on-site and is shredded.