GDPR: Data Privacy Notice – Recruitment
bibic (“We”) are committed to protecting and respecting your privacy.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller – A controller determines the purposes and means of processing personal data. Data processor – A processor is responsible for processing personal data on behalf of a controller. Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example, name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
2. Who are we?
bibic is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: Old Kelways, Somerton Road, Langport, Somerset, TA10 9SJ, telephone 01458 253344, firstname.lastname@example.org
For all data protection matters contact our Data Protection Controller, Lynda Williams, email@example.com
3. The purpose(s} of processing your personal data
We use your personal data for the following purposes:
• progressing your application,
• to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area.
The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by us.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
• Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
• Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
• You will be asked to complete a criminal records declaration to declare any unspent convictions.
• You will be asked to complete an Enhanced Disclosure and Barring Service (DBS) check via a third party (SPARK) We will be notified of the result in order to verify your declaration of unspent convictions.
• We will contact your referees, using the details you provide in your application, directly to obtain references
• We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work.
In order for us to set you up correctly on the system and manage you as an employee we will also ask you for the following:
• Bank details – to process salary payments
• Emergency contact details – so we know who to contact in case you have an emergency at work
• Next of Kin
How do we make decisions about recruitment?
Final recruitment decisions are made by members of recruitment panel. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by speaking to your contact within the team.
Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.
4. The categories of personal data concerned during recruitment
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
l. Personal data
o Identification information (Name, contact details, next of kin details)
o Recruitment Records (Interview notes; CVs, application forms, covering letters, and similar documents; Assessments, performance reviews, and similar documents, employment history
2. Special categories of personal data (article 9 of GDPR)
o Equal Opportunities monitoring (Age, Gender, Ethnicity, Nationality, Religion – anonymised were possible)
o Health Records (Details of sick leave, Medical condition, Disabilities, Prescribed medication)
5. What is our legal basis for processing your personal data?
Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data:
Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract Job Application Employment Contract.
Processing necessary for compliance with a legal obligation Disclosure and Barring Service Checks.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Emailing you updates on company events and employment opportunities.
Special categories of personal data (article 9 of GDPR).
Our Lawful basis for processing your special categories of data.
Processing necessary for carrying out obligations under employment, social security or social protection law.
More information on lawful processing can be found on the ICO website.
6. Sharing your personal data
Your personal data will be treated as strictly confidential and will be shared internally with those who require it within the recruitment, HR and Line management processes. We may share information with third parties such as Benefit Providers and those who require it for legal purposes e.g. HMRC etc.
7. How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary in order to ensure we comply with any legal claims, complaints or regulatory obligations.
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 7 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you are unsuccessful at any stage of the process, the information you have provided until that point maybe kept for up to 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, maybe retained by us for up to 6 months following the closure of the campaign.
Equal opportunities information maybe retained for up to 6 months following the closure of the campaign whether you are successful or not.
8. Providing us with your personal data
You are under no statutory or contractual requirement or obligation to provide us with your personal data during the recruitment stage. But failure to do so will affect our ability to process you through our recruitment process and offer you employment. As an employee we require your personal data as it is a contractual requirement in order to continue to employ and pay you.
9. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
The right to request a copy of the personal data which we hold about you;
• The right to request that we correct any personal data if it is found to be inaccurate or out of date;
• The right to request your personal data is erased where it is no longer necessary to retain such data;
• The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
• The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).
10. Data Anonymisation and Aggregation
Personal data may be converted into statistical or aggregated data which cannot be used to identify an individual, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this Privacy Notice.
11. Marketing Preferences
bibic will use your email address to contact you about company information updates and opportunities. You can change your preferences and unsubscribe at any time. If you do not want such information, you can let us know by contacting our Data Protection Controller – via email on firstname.lastname@example.org.
12. Transfer of Data Abroad
We do not transfer personal data outside of the UK.
13. Automated Decision Making
We do not use any form of automated decision making in our business.
14. Further Processing
If we wish to use your personal data for new purposes, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
15. How to make a complaint
To exercise all relevant rights, queries or complaints in the first instance contact our Data Controller Lynda Williams, bibic, Old Kelways, Somerton Road, Langport, Somerset, TA10 9SJ. Telephone: 01458 253344, email: email@example.com.
If this does not resolve your complaint, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England
Any changes we may make to our privacy notice in the future will be posted on this page and, where
appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy