Privacy notice – job applicants

This privacy notice advises job applicants of CEFM’s data protection responsibilities on the collection and processing of their personal information.

We collect and process your personal data as part of the recruitment process in relation to the role you are applying for.

We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.

We have appointed Mr Vincenzo Casamassa as the person with responsibility for ensuring that applicants’ personal information is held and processed in the correct way. He can be contacted at vincenzo.casamassa@cefm.co.uk. Questions about this policy, or requests for further information, should be directed to him.

What is personal information and what does processing mean?

Personal information is any information that relates to you and can be used directly or indirectly to identify you.

Personal information and processing are defined as follows:

  • Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
  • Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).

Data protection principles

We process personal data about applicants in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent way.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • We keep personal data only for the period necessary for processing.
  • We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of applicants for reasons other than the stated purpose or purposes.

Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an applicant advises that his/her information has changed or is inaccurate.

Our legal basis (grounds) for using your personal data

In applying for a role with CEFM you are seeking to enter into an employment contract with us. As such, the legal basis for processing your personal data is contractual as the information we hold, process and share during the recruitment process is in contemplation of entering into the employment contract and it allows CEFM to take steps necessary to recruit you.

In some cases, CEFM will need to process data to ensure that it is complying with its legal obligations. For example, CEFM must check an applicant’s entitlement to work in the UK.

Why do we collect and process applicant’s personal data?

CEFM processes data relating to applicants to assist in the recruitment process, including to:

  • Enable CEFM to manage its recruitment process.
  • Ensure CEFM is complying with its legal obligations in relation to the right to work in the UK.
  • Ensure a candidate is suitable for the role.
  • Enter into an employment contract with you, should you be successful.
  • Enable ethnicity and disability monitoring.
  • Ensure reasonable adjustments can be made for those applicants who have a disability.
  • Ensure a fair recruitment process has taken place.

What data do we hold on you?

The personal data we hold regarding you can include, but is not limited to, information such as:

  • Your name and address.
  • Email address and telephone number.
  • Date of birth.
  • Equal opportunities monitoring information.
  • Your nationality and entitlement to work in the UK.
  • National insurance number.
  • Information about your current salary and benefits.
  • Qualifications and skills.
  • Work experience and employment history.
  • Information about your criminal record.
  • Disability status to enable CEFM to make any reasonable adjustments throughout the recruitment process.

Any applicant wishing to see a copy of the information about them that we hold should contact Mr Casamassa.

How do we obtain personal data?

We may collect this information in a variety of ways. For example, data might be collected through:

  • Application forms, CVs or resumés.
  • Your passport or other identity documents, such as your driving licence.
  • Forms completed by you as part of the recruitment process.
  • Correspondence with you.
  • Interviews, meetings or other assessments as part of the recruitment process.
  • References and information from third parties (such as agencies).

We will not share information about you with third parties without your consent, unless the law or our policies allows us to.

Who has access to your personal data?

Your personal data may be shared internally with other members of staff involved in the recruitment process in order for them to perform their roles. This can include sharing personal data with employees, management and directors of CEFM. We may also share your personal data with third parties such as payroll or our pension provider if you are successful in your appointment.

Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule and the processing purposes we state.

Where is your personal data stored?

At CEFM we store data, that may include personal data, in both electronic and non-electronic formats.

Our servers and storage systems are based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data

Automated decision-making and profiling

We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).

Special categories of personal data

We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.

Some special categories of personal data, such as information about health or medical conditions, are processed to comply with employment law and health and safety obligations (such as those in relation to employees with disabilities).

Some of the reasons we process such data on applicants include:

  • Legal claims. The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisers and insurers.
  • For equal opportunities monitoring.
  • For medical reasons to ensure that we comply with our health and safety obligations to you.

How do we protect applicants’ personal data?

We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure CEFM uses encrypted devices, uses passwords, virus protection and has appropriate firewalls.

How long do we keep your personal data?

We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.

If you are successful in being appointed to the role, all personal data collected by CEFM will be processed and transferred to your personnel file. We are not required to keep certain documents, such as a copy of your passport, for longer than is required to confirm your identity and to establish your right to work in the UK. Details of how long we retain certain documents is contained in our Retention Schedule. A copy of our Retention Schedule is available from the Data Protection Manager.

Ongoing collection and processing of your personal data in relation to your employment with CEFM is explained in our privacy notice for employees, a copy of which will be provided to you during induction.

If you are unsuccessful in your application, CEFM will retain your personal information for a period of 6 months after the end of the recruitment process. With your consent, CEFM will keep your personal data on file for a further 6 month period for consideration of future employment opportunities. Should you withdraw your consent within that time, or once that time period has expired, your data will be deleted or destroyed.

What rights do you have in relation to your information?

You will have the following rights in relation to your personal data. Some of these rights are new since 25 May 2018.

  • The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
  • The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
  • The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
  • The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
  • The right to object. Individuals have the right to object to:
  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
  • Direct marketing.
  • Processing for scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling.

Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
If you have a concern about the way CEFM are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Manager. If you would like to exercise any of the above rights please contact the Data Protection Manager who will send you our Data subject’s rights application form.

Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.