1 Privacy Notice for recruitment
For the purpose of the General Data Protection Regulation ("GDPR") the Data Controller for your application is Adaptavist UK Services LTD.
Where you apply for a job opening via the application function on a job site or similar online service provider ("Partner"), you should note that the relevant Partner may retain your personal data and may also collect data from us in respect of the progress of your application. Any use by the Partner of your data will be subject to the Partner’s privacy notice.
2 Your Personal Information
2.1 Information we collect from you
We collect and process some or all of the following types of information from you:
- Information that you provide when you apply for a role. This includes information provided through an online job site, via email, in person, at interviews and/or by any other method.
- In particular, we process personal details such as name, email address, address, telephone number, date of birth, qualifications, experience, information relating to your employment history, skills experience that you provide to Us, as well as your video in case you conduct your interview using the video interview feature.
- If you contact us, we may keep a record of that correspondence.
- A record of your progress through any hiring process that we may conduct.
- Details of your visits to third party service providers including, but not limited to, traffic data, location data, weblogs and other such communication data, the site that referred you to the third party service provider, and the resources that you access.
2.2 Information we collect from other sources
We may use our own technology or a third party service provider to link the data you provide to us with other publicly available information about you that you have published on the Internet ("Public Sources").
We may receive your personal data from a third party who recommends you as a candidate for a specific job opening or for our business more generally.
Certain third party service providers allow us to search various databases. Some of these are publicly available and others not. These databases may include your personal data (such as your CV or Resumé), and we search such databases to find possible candidates to fill our job openings. When we find you in this way, we obtain your personal data from these sources.
3 Why and how we use your information
3.1 Lawful basis for processing
We rely on legitimate interest as the lawful basis on which we collect and use your personal data. Our legitimate interests are the recruitment of staff for our business.
Where you apply for a job opening through the a third party service provider, we rely on your consent, which is freely given by you during the application process, to disclose your personal data to that third party service provider on the basis described below.
3.2 Purposes of processing
We use information held about you in the following ways:
- To consider your application in respect of a role for which you have applied.
- To consider your application in respect of other roles.
- To communicate with you in respect of the recruitment process.
- To enhance any information that we receive from you with information obtained from third party data providers.
- To find appropriate candidates to fill our job openings.
- To help our service providers and Partners (such as the job sites through which you may have applied) improve their services, which in turn helps us improve our processes.
3.3 Automated decision making/profiling
We may use a third party service provider's technology to select appropriate candidates for us to consider based on criteria expressly identified by us, or based on what is typical in relation to the role for which you have applied. The process of finding suitable candidates is automatic. However, any choice to initiate discussions with a candidate will be made by our staff.
4 Disclosure of Your Information
We pass your information to our third party service providers, who use it only in accordance with our instructions and as otherwise required by law.
4.1 Third party provider: Lever
4.2 Other third party service providers
Where you have applied for a job opening through a third party provider, and where you have consented to this disclosure, we may disclose to that third party provider certain personal data that we hold, including but not limited to a unique identifier used by that provider to identify you, and information about your progress through our hiring process for the applicable job opening, as well as tangible, intangible, visual, electronic, present, or future information that we hold about you, such as your name, contact details and other information involving analysis of data relating to you as an applicant for employment (collectively “Disposition Data”). The service provider shall be the data controller of this data and shall therefore be responsible for complying with all applicable law in respect of the use of that data following its transfer by us.
Other third party providers may include (but are not limited to):
Partners may include services such as:
- Indeed.com (see above).
5 Public Sources
Public sources may include sources such as LinkedIn and other social media profiles. Public sources may also include Partners.
6 Security and data retention
6.1 Security measures
We employ security measures based on ISO 27001 to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction, damage and unauthorised alteration. How long we keep information we collect about you depends on the type of information. After such time, we will either delete or anonymise your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible. Only authorised employees have access to the information you provide us.
While we cannot guarantee that loss, misuse or alteration to data will never occur, we take necessary precautions to prevent such unfortunate occurrences and have measures in place to detect any such breaches of security.
In the event of a security breach, we will notify anyone whose personal data may have been compromised as well as the law enforcement authorities in the United Kingdom and other countries as applicable.
You are ultimately responsible for the security of any usernames and passwords we supply to you. Please take care when using and storing them. Adaptavist recommends that you do not divulge your password to anyone. You should log out of your browser at the end of each computer session to ensure that others cannot access your personal information and correspondence, especially if several people have access to your personal computer or you are using a computer in a public place.
As part of the requirements of the General Data Protection Regulation (GDPR), Adaptavist have registered with the Data Commissioner in the United Kingdom and you can see our notification report on their website.
6.2 Transferring data
Data on our systems is stored within UK / EU / USA data centres. Adaptavist relies upon GDPR standard contractual clauses and / or accredited compliance frameworks applicable to a country to transfer data across geographies among its corporate group affiliates.
6.3 How long we keep your personal data
The length of time we hold your personal data will vary depending on the outcome of our interaction with you. Some specific scenarios include:
- You become a candidate, but not an employee: In this case, we will hold your information by default for up to 12 months in order to have record of your application, and for any further follow-up discussions we may have with you.
- You become an employee: In this case, we may hold personal data you submit for the duration of your tenure as an employee, and quite possibly beyond this period in order to maintain record of your employment.
7 Your Data Protection Rights Under GDPR
Under the General Data Protection Regulation (and UK DPA 2018) you have a number of important rights free of charge.
You are entitled to see the information held about you and you may ask us to make any necessary changes to ensure that it is accurate and kept up to date. If you wish to do this, please contact us. Please note that we will require proof of your identity and, because we are a small company, your request may take up to 30 working days to process. Your rights under GDPR are:
7.1 Right to access
You have certain rights under the GDPR, for instance, you can ask to be told what information we hold about you in our databases. We will provide you with all the details that we hold about you, both online and offline, upon request.
7.2 Right to erasure
Under certain conditions, you have the right to request that we erase your personal data.
7.3 Right to restrict and object processing
You also may restrict or object the processing of your personal data, in some circumstances.
7.4 Right to update
You are entitled to see the information held about you and you may ask us to make any necessary changes to ensure that it is accurate and kept up to date. If you wish to do this, please contact us.
7.5 Right to rectify
We want to make sure your personal information is correct and up to date. You may ask us to correct or remove information you think is inaccurate.
7.6 Right to data portability
You have the right to have your personal data transmitted to another controller, where technically feasible and if it does not adversely affect the rights and freedoms of others.
7.7 Right to withdraw
You have the right to withdraw your consent where consent is relied upon as the lawful basis for processing. The withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
7.8 Notification Obligation
If you have exercised your right of rectification, erasure or restriction against us, we are obliged to notify all recipients whom we have disclosed your personal data, of the rectification, erasure or restriction of the processing of your data, unless this proves impossible or involves a disproportionate effort.
7.9 Exercising these Rights
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- contact us using our Contact details below,
- provide us with information to identify you,
- provide us with proof of your identity and address, and
- let us know the information to which your request relates.
7.10 Right to complain to a regulatory authority
We hope that we can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live in or where any alleged infringement of data protection laws occurred.
The supervisory authority in the UK is the Information Commissioner who may be contacted at http://ico.org.uk/concerns or telephone: 0303 123 1113.
All questions, comments and requests regarding this Privacy Notice should be addressed to firstname.lastname@example.org.