Candidate Privacy notice

BIT BIO LTD

CANDIDATE PRIVACY NOTICE 

1. What is the purpose of this document? 

bit.bio Ltd. (the “Company”, ‘we’, ‘us’, ‘our’) is committed to protecting the privacy and security of your personal data.

This privacy notice describes how we collect and use personal data about you when you apply for a job with us, in accordance with the General Data Protection Regulation 2016/679 (‘EU GDPR’), the EU GDPR as it forms part of UK law (‘UK GDPR’) (together, the ‘GDPR’) and any other applicable law.

The Company is the controller of your personal data. This means that we are responsible for deciding how we hold and use personal data about you. The purpose of this privacy notice is to provide our candidates with information about how we process their personal data and to tell them about their privacy rights and how the law protects them. 

This privacy notice does not form part of any future contract of employment you may have with the Company, is not intended to create any employment relationship between you and the Company, and may be updated at any time.

We will provide you with a revised privacy notice if we make any material updates. It is important that you read this privacy notice so that you are aware of how and why we are using your personal data.

2. The kind of information we hold about you 

Examples of the categories of personal data we may process in relation to candidates include, but are not limited to:

| Category of Personal Data collected | What this means |
| --- | --- |
| Identity Data | First name, surname, title, national identification and/or passport number, national insurance number, driver’s licence, photographs. |
| Contact Data | Your home address, work address, email address and telephone numbers. |
| Biographical Data | First name, surname, maiden name, marital/civil partnership status, title, date of birth, gender, ethnicity, education history, professional history, professional qualifications and memberships, references, information relating to references such as referees’ names and contact details, information contained within letters of application and CVs, language proficiencies and other skills. |
| Immigration Data | National identification and/or passport number, national insurance number, details of residency and/or work permit and other information that would allow us to verify your employment eligibility. |
| Role and Prior Employment Data | Evidence of how you meet the requirements of the job, including resumés and references or other information you provide to us in support of an application and/or the application and recruitment process. Job title and description, department, work location, dates of employment, employment status and type (e.g., full-time/part-time), terms of employment, employment contract, work history (current, past, or prospective), training and learning program participation, termination date(s) and reason, length of service, willingness to relocate, current salary, desired salary, employment preferences, information necessary to complete background checks, drug and/or alcohol tests, and other screens permitted by law. |
| Systems Data | Information about your access to Company offices and facilities (e.g., keycard scans and security camera footage). |
| Other Data you provide to us | This might include data such as your feedback and survey responses where you choose to identify yourself, and information from interviews you may have. |

3. How is your personal data collected?  

We typically collect personal data from you directly. In addition, we may collect certain personal data about you from third party sources, such as:

    • job board websites you may have used to apply for a job with us;
    • prior employers, when they provide us with employment references;
    • professional references that you authorise us to contact;
    • providers of background check, credit check, or other screening services (where permitted by applicable law);
    • your public social media profiles or other publicly-available sources;
    • employment agencies or recruiters that refer you to us; and 
    • Company communications and IT systems or applications that automatically collect information about you.

4. How will we use information about you and why? 

We will only use your personal data for the purposes for which we collected it as set out below, unless we reasonably consider that we need to use it for another purpose and that reason is compatible with the original purpose. 

If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

4.1 What is our legal basis for processing your personal data? 

In respect of each of the purposes for which we use your personal data, the GDPR requires us to ensure that we have a “legal basis” for that use. Most commonly, we will rely on one of the following legal bases:

    • where we need to take steps at your request prior to entering into a contract of employment (“Contractual Necessity”);
    • where we need to comply with a legal or regulatory obligation (“Compliance with Law”);
    • where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). For example, the Company has a legitimate interest in conducting certain background checks on candidates to ensure that it is offering employment to those individuals whom it considers are most likely to be successful when working for the Company; and
    • where it is necessary to process your personal data to protect your (or someone else’s) vital interests (“Vital Interests”).

We have set out below, in a table format, the legal bases we rely on in respect of the relevant purposes for which we use your personal data.

 

Lawful basis for processing

Categories of Personal Data processed

Processing activities

Contractual Necessity

  • Identity Data
  • Contact Data
  • Biographical Data
  • Immigration Data
  • Role and Prior Employment Data

Administering and managing the recruitment process, including considering and taking any reasonable steps you may request prior to entering into a contract of employment with you.

Legitimate Interests

  • Identity Data
  • Contact Data
  • Biographical Data
  • Immigration Data
  • Role and Prior Employment Data
  • Performance Data
  • Systems Data

It is in our legitimate interests that we process your personal data for the following purposes:


For talent management, including:

  • considering your job application and determining whether, and on what terms, to make an offer of employment to you;
  • improving our application and/or recruitment process, including improving diversity; 
  • providing training and career development opportunities;
  • performing background, reference, or credit checks, where these are not required by law; and
  • communicating and otherwise managing our relationship with you.

For the operation of our business, including:

  • managing and allocating Company assets and personnel; 
  • strategic planning and project management; 
  • budgeting, financial management and reporting; 
  • recordkeeping and archiving;
  • for business continuity; 
  • anonymisation for statistical purposes;
  • internal communications; and
  • undergoing acquisitions, sales, re-organizations, disposals and integrations with purchasers.

For the operation and management of our IT systems and premises, including:

  • providing information technology resources and support; 
  • operating, maintaining and protecting the security of our network systems and devices; 
  • monitoring offices and facilities, IT and communications systems, devices, equipment and applications through manual review and automated tools such as security software, website and spam filtering software, and mobile device management software;
  • ensuring physical security, including by controlling access to and monitoring our physical premises (e.g., by requiring health screenings to access offices/facilities and using security cameras and keycard scans) to protect our, your or others’ rights, safety and property; 
  • investigating and responding to security and other incidents; and 
  • for business continuity.

For the creation of aggregated data that we use and share to analyse our workforce and business.

For the exercise of our legal rights and remedies, including:

  • defending litigation;
  • managing and defending any internal complaints or claims;
  • conducting investigations; 
  • administering and enforcing internal policies and procedures; and
  • investigating and deterring fraudulent, harmful, unauthorized, unethical or illegal activity, or conduct in violation of our policies or procedures.

Compliance with Law

  • Identity Data
  • Contact Data
  • Biographical Data
  • Immigration Data
  • Role and Prior Employment Data
  • Systems Data

We process your personal data where necessary to comply with legal obligations to which we are subject, including:

  • complying with audit, recordkeeping and reporting requirements;
  • ensuring health and safety, including the personal safety and security of employees, contractors, vendors, clients and other visitors;
  • verifying identity and eligibility to work;
  • conducting criminal background checks where required or appropriate to do so as a result of the role for which you have applied or are being considered;
  • complying with equal opportunities monitoring requirements. Without limitation to the foregoing, we may use your diversity-related personal data (such as race or ethnicity) in order to comply with legal obligations relating to diversity and anti-discrimination;
  • accommodating disabilities or health conditions; 
  • complying with lawful requests and legal process, such as responding to subpoenas or requests from government authorities; 
  • protecting our, your or others’ rights, safety and property, including by complying with applicable public health guidelines and requirements, including, without limitation, guidance from public health authorities relating to the prevention and control of COVID-19 or other infectious diseases; and
  • sharing information with government authorities, law enforcement, courts or private parties for the foregoing purposes.

Vital Interests

  • Identity Data
  • Contact Data

We may process and share your personal data with third parties where appropriate to do so to protect your vital interests or those of a third party. This may include the processing and disclosure of your data to relevant health authorities and/or health care providers in the event of a medical emergency.

If you are offered and accept employment with the Company, the information collected during the application and recruitment process will become part of your employment record. As an employee, your personal data will be processed in accordance with the Company’s employee privacy notice, which will be made available to you when the Company begins processing your personal data for purposes associated with your employment.

5. What if you do not provide personal data?  

You are under no statutory or contractual obligation to provide data to the Company during the recruitment process. However, if you do not provide the information, the Company may not be able to process your application properly or at all.

You are under no obligation to provide information for equal opportunity monitoring purposes and there are no consequences for your application if you choose not to provide such information.

6. Automated decision-making 

We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.

7. Data sharing 

Your information may be shared with the following recipients and for the following reasons: 

    • internally within the Company (including human resources, interviewers involved in the recruitment process, and other recruitment decision makers within the Company) for recruitment purposes; 
    • providers of services to the Company, such as human resources, information technology systems and support, information and physical security, background checks and other screenings;
    • accountants, auditors, lawyers, insurers, bankers and other professional advisors;
    • in relation to actual or prospective corporate events (e.g. investments into the Company, or the sale, transfer or merger of all or part of our business, assets or shares), we may need to share certain personal data with prospective counterparties and their advisers; and
    • entities that regulate or have jurisdiction over the Company such as regulatory authorities, public bodies and judicial bodies.

8. Transferring information outside the EU

We may share your personal data with third parties who are based outside the UK and/or the European Economic Area (‘EEA’). In such circumstances, their processing of your personal data will involve a transfer of your personal data to countries based outside the UK and/or the EEA. Whenever we transfer your personal data outside the UK and/or EEA, we try to ensure a similar degree of protection is afforded to it by making sure that at least one of the following mechanisms is implemented:

    • We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by either the UK Government or the European Commission, as applicable.
    • We may transfer your personal data to countries that have not been deemed to provide an adequate level of protection for personal data by the UK Government and/or the European Commission – provided that, in these cases:
      • we may use specific appropriate safeguards that are designed to give personal data the same protection it has in the UK and/or the EEA (for example, requiring the recipient of personal data to enter into the relevant form of the so-called ‘Standard Contractual Clauses’ issued or approved from time to time), in compliance with applicable laws; or
      • in very limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your information to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.

For more information about the mechanism we implement, please contact us using the details in the ‘Contact us / changes to this privacy notice’ section of this privacy notice.

9. Data security

We have put in place appropriate data security measures to prevent your personal data from being lost, altered, used, accessed without authorisation, or accidentally disclosed. 

We will notify you and any applicable regulator of a suspected breach where we are legally required to do so and in compliance with any reporting time periods set out in the GDPR.

10. Data retention

The Company will not use your data for any purpose other than recruitment and will not store your data for any longer than is necessary to achieve this purpose. If your application is unsuccessful, we may keep your personal data on file for up to six (6) months in case there are future employment opportunities for which you may be suited. 

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held in that case will be provided to you in the Company’s employee privacy notice.

11. Rights of access, correction, erasure and restriction

11.1 Your rights in connection with personal data

Under certain circumstances, by law you have the right to:

      • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that it is correct and that we are lawfully processing it.
      • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
      • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
      • Object to processing of your personal data where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
      • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

To make any of these requests, please contact the recruitment team at careers@bit.bio.

11.2 No fee usually required

You will usually not have to pay a fee to access your personal data (or to exercise any of the other rights under applicable law). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

11.3 What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another data security measure to ensure that we disclose personal data to the correct authorised recipient.

11.4 Right to withdraw consent

In the limited circumstances where you may have consented to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the recruitment team at careers@bit.bio. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

11.5 Contact us / changes to this privacy notice 

We reserve the right to update this privacy notice from time to time in our absolute discretion. We will provide you with a new privacy notice when we make any substantial updates. When we make changes to this notice, the “last updated” date at the top of the notice will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take commercially reasonable steps to let you know.

If you have any questions about this privacy notice, please contact the Company’s Data Protection Officer (“DPO”) at privacy@bit.bio.

If you believe that the Company has not complied with your data protection rights, you can file a complaint with the relevant supervisory authority:

12. Your obligations

You should keep your personal data up to date and inform the Company of any changes to your personal data submitted as part of your application.  

If you provide us with the personal data of a referee or any other individual as part of your application, it is your responsibility to inform them of the use (including transfer and disclosure) of that personal data by the Company for the purposes set out in this privacy notice.