The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It imposes greater obligations on organisations whilst giving more rights to individuals in relation to how their personal data is processed. GDPR will oblige organisations to take a ‘privacy by design and by default’ approach to data protection. This means that data protection must be integral to all data processing activities.
GDPR applies to all organisations which collect the personal data of individuals living within the EU. This bill replaces the Data Protection Act 1998 and will import the GDPR standards into UK law whilst also dealing with any exemptions/derogations permitted by the GDPR.
Danluker Limited are committed to protecting and respecting your privacy.
This policy (together with our terms of and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. This website is governed by the laws of England and Wales and the English and Welsh Courts shall have exclusive jurisdiction over it.
Danluker Limited are registered with the Information Commissioner’s Office (ICO). This ensures we adhere to our data protection obligations under the DPA and that appropriate action is taken where a breach has taken place or is suspected. The aim of the policy, in line with the DPA obligations, is to ensure that all information, including sensitive information, is lawfully processed and that subjects’ data is held with their knowledge and consent and for a particular purpose. Subjects are also entitled to request their information by making a “Subject Access Request”.
The Data Protection Policy and Privacy Statement also applies to our candidates registering.
Definitions and Key Terms
‘consent’ means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘Data processor’ means an individual or organisation which processes personal data on behalf of the data controller;
“Data subject” is the living individual to whom the personal data relates. Organisations are not data subjects.
“Personal data” means data that can identify a data subject as a living individual. There is general personal data, such as a data subject’s name, address, National Insurance number and online identifiers/location data, and sensitive personal data, which includes information on physical and mental health, sexual orientation, race or ethnic origin, religious beliefs, trade union membership and criminal records. It covers information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts.
Personal data we gather may include: individuals’ contact details, educational background, details of certificates and diplomas, education and skills, marital status, nationality, job title, DBS Status, Eligibility to Work status and CV.
Financial and pay details will remain between the candidate and Danluker Limited or the client/vendor and Danluker Limited. Payment history may be part of the audit requirements between Danluker Limited and the Vendor and/or umbrella company.
Personal data will be uploaded to vendor sites and/or for compliance/audit requests.
Sensitive personal data must be protected to a higher level: Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings—any use of sensitive personal data should be strictly controlled in accordance with this policy.
The purposes for which personal data may be used by us: Personnel, administrative, financial, regulatory, payroll and business development purposes.
Business purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- this includes audits from relevant vendors and framework organisations
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints
- Checking references, Qualifications, DBS and Eligibility to Work details, ensuring safe working practices.
- Monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct, disciplinary matters
- Marketing our business
Lawful basis: There are six lawful bases for processing a data subject’s personal data:
a) The lawfulness of processing conditions for personal data are:
- Consent of the individual for one or more specific purposes.
- Processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual to enter into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the individual or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual which require protection of personal data, in particular where the individual is a child.
The following are the lawful bases for processing a data subject’s sensitive personal data:
b) The lawfulness of processing conditions for sensitive personal data are:
- Explicit consent of the individual for one or more specified purposes, unless reliance on consent is prohibited by EU or Member State law.
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement, providing for appropriate safeguards for the fundamental rights and interests of the individual.
- Processing is necessary to protect the vital interests of the individual or another individual where the individual is physically or legally incapable of giving consent.
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
- Processing relates to personal data which is manifestly made public by the individual.
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which is proportionate to the aim pursued and which contains suitable and specific measures to safeguard the fundamental rights and interests of the individual.
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
Consent, legitimate interests, performance of a contract and legal obligations are likely to be the most relevant for recruitment companies (though note that legitimate interests and performance of a contract are not lawful bases for processing sensitive personal data).
In this policy the following terms have the following meanings:
“Third Parties/3rd Party” means Clients, Managed Vendors, Umbrella companies, DBS Services, Occupational Health Providers, Training Providers
“Cookies” means small pieces of data on a user’s device.
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to an individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual;
‘supervisory authority’ means an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).
“User” means the user using the service. The User corresponds with the data subject, who is the subject of personal data.
“Usage Data” means data collected automatically either generated by the use of the service or from the Service Infrastructure itself (e.g. duration of page visit)
WHO IS RESPONSIBLE FOR THE MANAGEMENT OF THIS POLICY
Everyone has the responsibility to adhere to this policy. Our Safeguarding and Compliance Manager holds the role of Data Protection Officer (DPO), and has overall responsibility for the day-to-day implementation of this policy.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:
- Information that you provide by filling in forms on this site. This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services. We may also ask you for information when you enter a competition or promotion and when you report a problem with our site.
- If you contact us, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details relating to our recruitment services and the supply of your services to our clients.
- Personal data including your name, email address, phone number(s). If you are a work seeker, we will also record the type of work you are looking for, preferred work locations, rates of pay.
- Information relating to training certificates and professional qualifications
- Documents relating to your Eligibility to Work (Passport, Visa, proof of address, NI Number, DOB etc)
- Disclosure and Barring Certificates
- Documents relating to Driving (Licences, MOT, Insurance certificates)
- If you are working for us additionally we may hold bank details
- Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
- When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
- Like many websites, we routinely capture your IP address information to determine your location. This information is not shared outside Danluker Limited.
- You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
- Examples of Cookies we use:
* Session Cookies. We use Session Cookies to operate our Service.
* Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
* Security Cookies. We use Security Cookies for security purposes.
- Security Of Data – The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
- Analytics – We may use third-party Service Providers to monitor and analyze the use of our Service, e.g. Google Analytics.
- Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
- For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: http://www.google.com/intl/en/policies/privacy
- Google AdWords remarketing service is provided by Google Inc.
- You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads
- Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
- We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
- Children’s Privacy – Our Service does not address anyone under the age of 13 (“Children”). We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
WHERE WE STORE YOUR PERSONAL DATA
- All information you provide to us is stored on our secure servers which are encrypted
- Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
WHAT WE DO WITH YOUR DATA
Data we collate will be used for the purposes of finding you employment and keeping your contract in date in line with the specific requests from our 3rd party vendors/prospective employers.
We use information held about you in the following ways:
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
- To provide and maintain our service and notify you of changes to it
- To detect, prevent and address technical issues
DISCLOSURE OF YOUR INFORMATION
- We may disclose your personal information to third party vendors/prospective employers
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
INVESTIGATION AND DUE DILIGENCE
At any time where a breach or potential breach is identified, either internally or in the supply chain, it is reviewed using the Danluker Limited Complaints procedure
Danluker Limited undertakes due diligence when considering taking on new suppliers, and regularly reviews its existing suppliers. Our due diligence and reviews include assessing the supply chain broadly to assess particular product or geographical risks
- reviewing on a regular basis all aspects of the supply chain based on the supply chain mapping
- conducting supplier audits or assessments where general risks are identified
- taking steps to improve substandard suppliers’ practices, including providing advice to suppliers and requiring them to implement action plans to include specific amendments to be made and adhered to. This will be confirmed through a re-auditing process
- Reviewing umbrella processes and payment procedures in line with the Criminal Finance Act
- invoking sanctions against suppliers that fail to improve their performance in line with an action plan or seriously violate our supplier code of conduct, including the suspension or termination of the business relationship and reporting to the authorities as appropriate.
You have the right to ask us not to process your personal data for marketing purposes.
You have the right to be removed from our database (“Right to be forgotten”, see Subject access requests).
ACCESS TO YOUR INFORMATION AND CORRECTIONS
All information given to us should be kept up to date and accurate. Please make sure we are kept up to date. If you need to make any changes to details, or you think details are inaccurate, please email firstname.lastname@example.org titled “Change of details”. This will be actioned within 3 working days.
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. You will need to send an email to email@example.com titled “Subject Access Request”. This will be dealt with within 30 days.
We accept no liability for any loss (whether direct or indirect, for any loss of business, revenue or profits, wasted expenditure, corruption or destruction of data) arising from registration with Danluker Limited.
All questions and comments regarding these policies should be addressed to our Data Controller at firstname.lastname@example.org.