Privacy Notice
-Introduction
-What is the purpose of this privacy notice?
-The legislation
-Who or what is a Data Controller or Data Processor?
-Personal data
-What is personal data?
-What is sensitive personal data?
-What is not personal data?
-Data protection principles
-What does ‘processing’ of personal data mean?
-Who will we process personal data about?
-How do we collect personal data?
-Purposes for which we will process your personal data and our lawful bases for doing so
-Your informed consent
-Using personal data for new purposes
-Our business functions
-Recruitment
-Skills management and job performance
-Internal administration and fulfilling statutory and other obligations
-What pieces of personal data will we process?
-What happens when we receive unsolicited personal data?
-How will we protect your personal data?
-Who will we share your personal data with?
-Automated decision making and direct marketing
-International transfers
-Your rights
-Third party links on our website
-The use of cookies on our website
-For how long will we retain your personal data?
-Complaints
-Updates to this Privacy Notice
Introduction
Our privacy policy makes it clear that we will comply with data protection legislation and that we are fully committed to respecting people’s privacy and protecting their personal data; this privacy notice provides you with details regarding how we will implement our policy with respect to your personal data. Therefore, please read this privacy notice carefully in order that you may understand our practices regarding our processing of your personal data.
Within this privacy notice the terms ‘we’, ‘us’ or ‘our/ours’ refer to RJD Technology Limited. Our registered and trading address is at 8 The Green, Rowlands Castle, Hampshire, PO9 6BN.
What is the purpose of this privacy notice?
The purpose of this privacy notice is to provide you with the information you are entitled to under data protection legislation and to explain your rights with regards to your personal data. It describes how we aim to deal with personal data about you which we may collect and process for our various business purposes or to fulfil statutory, regulatory, contractual or other obligations.
The legislation
There are three pieces of legislation which apply to the protection of personal data:
Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR) (https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en) is the overarching data protection legislation within the European Union’s (EU) member states – this includes the United Kingdom (UK) even after the UK leaves the EU in 2019.
Directive (EU) 2016/680, known as the Law Enforcement Directive (LED) (https://publications.europa.eu/en/publication-detail/-/publication/182703d1-11bd-11e6-ba9a-01aa75ed71a1/language-en) relates to the processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The Data Protection Act 2018 (DPA 2018) (http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf).
The above legislation gives more rights to you as an individual and imposes more obligations upon organisations like us that hold your personal data than was previously the case. One of these obligations is that we must provide you with easily accessible and fully transparent information about why we collect your personal data and how we process it. However, notwithstanding the enormous significance attached to the protection of personal data, please be aware that, as stated in the GDPR – ‘The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality’.
Who or what is a Data Controller or Data Processor?
A data controller is the person or organisation who/which determines the purposes for which, and the manner in which, personal data are to be processed and has ultimate responsibility for ensuring that such processing is in compliance with legislation. This means that a data controller exercises overall control over the ‘why’ and ‘how’ of data processing activities.
A data processor is any person or organisation who/which processes personal data on behalf of, and under the direction of, a data controller though it may make decisions on certain technical functions underlying the processing (what IT systems will be used, how the data will be stored and details of the security procedures used to protect it, etc).
We are the data controller for all personal data that we hold and we do not use any other person or organisation/entity to process personal data on our behalf.
When we share personal data with third parties (see Note 1 below), eg our accountant, HM Revenue and Customs, or organisations with which we have, or are arranging, contractual obligations, then these third parties will act as the data controller for that personal data upon receiving it as they will, essentially, then be exercising control of the purposes for which and the manner in which the data is processed within or on behalf of their own organisation.
Note:
The term ‘third party’ refers to any entity that is not (a) us, or (b) you (individual persons, companies, organisations, government departments/agencies, etc).
Personal data
What is personal data?
The current data protection legislation defines ‘personal data’ as information about a natural person (see Note 1 below) which can subsequently be used to uniquely identify that person when used either on its own or in combination with any other information which is already held by a data controller or which could be discovered by any means ‘reasonably likely (see Note 2 below) to be used by any person, organisation or entity.
Notes:
The term ‘natural person’ is defined in the legislation as an individual human being. The person about whom the personal data are associated is also referred to in the data protection legislation as a ‘data subject’.
In determining whether means are ‘reasonably likely’ to be used, proper account needs to be taken of factors such as the costs of and the amount of time required for such identification, the available technology at the time of processing, and technological developments.
The term ‘personal data’ encompasses a very wide spectrum of information; under the legislation, separate individual pieces of personal data are known as ‘identifiers’. Some of the most common identifiers are: name, home address, date of birth, gender, home/mobile telephone numbers, email addresses, and employment history (but please note that these are but a few examples and there are a great many more, some of which are detailed more fully later in this privacy notice.
What is sensitive personal data?
The legislation also defines ‘sensitive personal data’ and places it in a separate category for which additional safeguards are required. This category comprises identifiers such as an individual’s: race or ethnic origin; political opinions; religious, philosophical or other beliefs of a similar nature; trade union membership; economic history, physical or mental health, sexual orientation and sex life; or genetic and biometric data where these are being processed in such a way as to enable identification of the individual. It also includes information about any actual or alleged offences or about legal proceedings associated with such and to any convictions or sentences. Information about children and vulnerable adults also falls under the definition of sensitive personal data.
What is not personal data?
The following is not personal data:
any information concerning a non-human ‘legal person’, ie any entity that has legal rights and is subject to obligations, for example a limited company or government agency;
information about deceased persons (unless it can also be used to identify living persons); or
fully anonymised data which cannot be used to identify any living person.
Data protection principles
We will comply with the six data protection principles; these state that the personal information we hold about you must be:
used lawfully, fairly and in a transparent way;
collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and kept up to date;
kept in a form that identifies you for only as long as necessary for the purposes we have told you about; and
kept securely.
What does ‘processing’ of personal data mean?
When associated with personal data, the term ‘processing’ means carrying out an operation or set of operations on the data, including:
obtaining, collecting, recording and holding;
organising, adapting or altering;
retrieving and using for legitimate business purposes;
using in compliance with statutory, regulatory, contractual or other obligations
disclosing by transmission, disseminating, or otherwise making it available; and/or
aligning, combining, blocking, erasing or destroying.
Processing can be carried out by automated means (eg a computer) or by non-automated means (eg a manual filing system).
Who will we process personal data about?
We may process personal data in the course of our legitimate business activities about the following categories of persons:
current, former and prospective employees
actual or prospective customers, suppliers, sub-contractors, freelance consultants, and associate consultancies with whom/which:
we currently have business dealings
we have had business dealings in the past, or
we wish to have business dealings with in the future
those who contact us on a speculative basis for employment or for other reasons through our website contact forms or via any other medium
How do we collect personal data?
Much of the personal data that we hold is collected when individuals correspond or interact with us directly via our website or social media, or via other media such as postal correspondence, telephone, or email. Means of collection include (but are not limited to):
information contained in curriculum vitae that individuals send to us
in forms that we may ask individuals to complete to enable us to fulfil various legal or other obligations we have towards other agencies or organisations (eg for tax, pension or security vetting reasons)
in forms that we may ask individuals to fill out to enable us to complete our standard business administrative processes
notes taken during recruitment interviews
from referees nominated by individuals during our recruitment process or during security vetting procedures
from social and professional media platforms
from company/third-party websites
from recruitment agencies
from other agencies, for example those that we may elect to use for basic disclosure or other checks made during our recruitment process
notes taken during appraisal or other formal interviews
feedback from our customers
any other information that you may volunteer about yourself
Purposes for which we will process your personal data and our lawful bases for doing so
We will only process your personal data if we have a lawful basis to do so. The legislation provides for six lawful bases and the one we choose will vary depending upon the information itself, the means by which it was originally collected, the purpose(s) for which it was originally collected, and the purposes for which we now wish or need to process it.
Essentially, there are three lawful bases governing the vast bulk of our personal data processing activities:
where it is necessary and appropriate to fulfil our legitimate interests (this means using personal data in ways that the data subjects would reasonably expect and which have a minimal privacy impact or where there is an otherwise compelling reason)
to fulfil a contractual obligation (this includes those actions we may take within the context of the intention to enter into a contract whether or not such intention comes to fruition)
where it is necessary for us to comply with a statutory, common law or regulatory obligation
Your informed consent
The informed consent of the data subject is provided for in the legislation as a lawful basis for processing. However, we only use this basis for making contact with individuals in response to contact requests submitted by the individuals themselves on the interactive forms on our website or via other media. Once initial contact has been made under the basis of informed consent of the individual, either all personal data collected up to that point will be destroyed (if it is decided that no further contact is to be made) or one of the lawful bases detailed above will be used thereafter for all future personal data processed; the lawful basis chosen will be determined by the nature of the emerging relationship between us and the individual.
It is not a condition of any individual’s relationship with us that they are obliged to give their consent to any action we may wish to take regarding their personal data. We do not need an individual’s informed consent to process their personal data provided that we do have another lawful basis for such processing (but see the ‘What are your rights?’ section later in this privacy notice).
Using personal data for new purposes
In the course of our business, we may occasionally need to process your personal data for purposes other than those for which it was originally collected but we will only do this (a) where the legislation permits, and (b) where:
we have a lawful basis for such processing;
we have, where appropriate, informed you of our lawful basis and explained the reason(s) for the new processing;
proper safeguards are in place;
the new purpose is broadly compatible with the original purpose and is, therefore, one which you might reasonably expect; and
there is no adverse impact upon your privacy or your rights.
In very exceptional circumstances, it could become necessary for us to use your personal data in ways in which you might not otherwise reasonably expect in order to protect your (or someone else’s) vital interests. However, in the unlikely event that such a case should ever arise, we will inform you of our actions and the reasoning underlying them.
Our business functions
Our three lawful bases are applied within the following business functions as follows:
In relation to recruitment and subsequent employment of permanent or temporary employees and/or the placing of individuals into specific job roles:
to enable us to contact individuals and maintain a record of such contacts
to assist us to carrying out pre-employment checks, such as: individuals’ identity; their right to work in the UK; and their educational, employment and other relevant history
to assist us to manage job applications and the sifting of candidates for role suitability during recruitment campaigns
to assist us to provide individuals with the best possible employment opportunities tailored to their unique skill sets including allowing us to liaise with appropriate third parties to identify suitable employment openings
to assist us to include the profiles of ‘nearmiss’ candidates from previous recruitment campaigns who we may wish to contact in relation to similar roles in current campaigns
to assist us to maintain a candidate pool of those who have expressed an interest in working for us who we may contact directly during recruitment campaigns
to assist us to attract, develop and retain people with the necessary abilities to meet our current and future business needs
to assist to prepare contractual, non-disclosure and other employment-related documentation
to allow us to set up a company email account for individuals
to allow us to manage the issue of IT equipment to individuals
to assist us to make decisions about individuals’ continued employment and, where necessary, to help us to manage the arrangements for the termination of employment contracts or other working relationships
to allow us to facilitate national security vetting applications where contracting authorities require an individual to be in possession of a security clearance in order that they may access classified information
In relation to skills, experience and qualifications and the monitoring of job performance of all categories of employees:
to help us to maintain a capability database to assist us ensure we have the optimum balance of qualifications, technical skills, experience and knowhow necessary to build a robust pipeline which meets our current and future business needs
to assist us to develop and manage the skills and talent of individuals to meet our current and future business needs
to assist us to determine suitability for associate consultancy affiliation
to assist us to plan and implement role succession
to enable us to liaise with potential customers regarding the placement of persons with the appropriate skill-sets into new or existing job roles or contracts
to assist us to reposition individuals into new Company roles
In relation to our internal administrative functions and our statutory and other obligations as a limited company, as an employer and otherwise:
to enable us to contact individuals or other persons they may nominate to be contacted in the event of an emergency
to assist us to carry out the ongoing management of national security vetting clearances and in determining the need for and/or the implementation of security aftercare actions
to assist us to conduct appraisal reporting
to assist us to comply with employment law
to assist us to manage our payroll processes (including tax and national insurance contributions) and to comply with our obligations regarding workplace pension schemes
to assist us to determine the need for and/or to implement Company disciplinary procedures and to enable us to gather evidence for such
to assist us to monitor staff wellbeing and enable us to gather evidence in support of grievances about harassment, bullying or other incidents
to assist us to make decisions regarding termination of employment contracts
to assist us to carry out our invoicing procedures
to assist us to prevent fraud, theft, money laundering or other illegal activities
to enable us to comply with all legal or regulatory obligations that we are subject to
to assist us to manage other human resource functions as necessary (hours worked, holidays, sickness and absences, etc)
to assist us to manage the performance or implementation of a contract to which you are a party (or where such is intended)
to assist us to defend legal claims
to assist us to monitor your use of our information technology equipment and networks to: ensure compliance with our IT policies; maintain network and information security; maintain the integrity of our intellectual property; and prevent or detect malware compromises
to assist us to prove we have fulfilled our obligations to data subjects
Where it may be necessary to prevent discrimination in employment or for diversity monitoring
to allow us to join contractual framework agreements or teaming agreements etc
What pieces of personal data will we process?
We consider it unlikely all the categories of personal data detailed below would be processed for any single individual and, in any case, only when all the legal conditions for processing have been fulfilled will we process any personal data. The following list shows those identifiers that may be processed by us:
full name
all previous names used (if any) and reason for name changes
date of birth
place of birth (city/town and country)
gender
contact details (home address, phone number(s), email address(es))
social and professional media addresses/names
nominated emergency contact (name, relationship, address, phone number(s), etc)
marital status/civil partnership
family details
nationality status
health history
financial status and history
immigration status and proof of eligibility to work in the UK
previous addresses within the UK
time spent living or working abroad and associated addresses and employer details
proof of identity (current passport, birth certificate, driving licence, etc)
data provided by individuals in their curriculum vitae
employment history (current and previous employers, job roles, promotions, working patterns, etc)
references from previous employers and from personal referees
details of and feedback from training courses and skills development activities
educational establishments attended
educational qualifications
foreign language proficiencies
professional qualifications and proficiencies
membership of professional bodies
criminal offences and convictions (to help ensure that employees and others meet the required standards of conduct and integrity and, where applicable, to meet the requirements of security vetting)
motoring offences
National Insurance number, staff number and other unique identity references
salary and pension records
security clearance records
supporting statements (from referees, previous employers, etc)
information from social and professional media (Facebook, Twitter, LinkedIn, etc) and from other publically available sources
written correspondence in relation to employment applications
data supplied or gathered during mail/email or phone call interactions
data supplied or volunteered by you or otherwise gathered during face-to-face meetings (including recruitment interviews, periodic job performance appraisals, disciplinary interviews, other informal or formal interviews/meetings)
bank account details
other information relating to tax, national insurance and healthcare contributions, or benefits
absence (leave and sickness) records
goods or services supplied and dates and other details of such transactions
photographic image (usually in hardcopy obtained from current passport and/or driving licence)
CCTV footage and other electronic images
Information about the use of our information technology equipment and networks
data that is supplied to us by third parties
From the above list, you will see that we may under certain circumstances need to collect some very specific personal data about other persons closely associated to you. We need such information for very precisely defined purposes, for example the person you nominate for us to contact in the event of you suffering an accident at work or another emergency. We will inform you of the reasons why we need such information at the time of its collection.
We may be legally obliged to process some sensitive personal data in relation to diversity monitoring as follows:
disability
ethnicity
religious and philosophical beliefs, or other beliefs of a similar nature
sexual orientation
What happens when we receive unsolicited personal data?
Upon reading our website, individuals often decide to send us unsolicited personal data about themselves; usually this is a curriculum vitae sent on a speculative basis for employment purposes but could be in any other form using any medium and be about subjects other than employment. In all such cases we shall process the personal data sent to us for our legitimate business purposes in ways that would not seem unreasonable to the sender bearing in mind the reason(s) why the sender forwarded the data to us.
How will we protect your personal data?
We shall impose all reasonable and appropriate technical and organisational measures to protect your personal data to prevent it being released to unauthorised persons or from being used for purposes other than those you would reasonably expect. Such measures may include encrypting data when in transit to ensure confidentiality is maintained. Other measures will include storing and processing data only upon IT the use of which is restricted to those persons with a demonstrable need to have access, and robust technical safeguards such as firewalls and anti-virus applications to protect the integrity of IT systems and equipment. Personnel with access to personal data will receive training in the use, care, protection and handling of personal data appropriate to the level of access permitted to them.
Who will we share your personal data with?
Where necessary in compliance with our lawful bases and our obligations, we may share some or all of your personal data with:
you
third parties that you may request us to share your personal data with
our recruitment background check provider(s)
your previous employers and personal referees
HM Revenue and Customs (HMRC) (for tax, national insurance and other regulatory reasons)
pension providers
our health insurance provider
our insurers
our accountants and payroll provider (for payments and auditing purposes)
third parties that manage secure enterprise and supply chain collaboration (including procurement, contracts and invoicing activities)
national security vetting authorities (wherever security clearances are necessary)
our customers or potential customers (where we are carrying out preliminary work to gain contracts that it is intended you will be involved in and also, afterwards, during the management and general administration of such contracts should we be awarded them)
our customers or potential customers (for company-to-company validations, non-disclosure agreements, etc)
trade or professional associations/organisations
our outsourced IT suppliers (for the management and administration of our company email and IT equipment procurement and configuration services)
other suppliers (eg vehicle hire companies, outsourced trainers, online vendors, online payment systems and other online entities)
third parties as mandated by statute or by regulatory or other obligations that we may be subject to
organisers of webinars, industry days or other external events
organisers of meetings at third party sites
software vendors or other vendors (for licensing or warranty purposes)
Automated decision making and direct marketing
We will not subject your personal data to automated decision making and nor will we use it for direct marketing purposes.
International transfers
We will not transfer your personal data outside the European Economic Area.
Your rights
You have the right to withdraw consent to the processing of any personal data you have provided to us via our website at any time provided that it has not subsequently been used to form a contractual or other formal relationship between us. To withdraw your consent, you just need to email enquiries@rjdtechnology.co.uk and include ‘WITHDRAWAL OF CONSENT’ in the subject line or, alternatively, details can be posted in hardcopy to The General Manager, RJD Technology Ltd, 8 The Green, Rowlands Castle, Hants, PO9 6BN – upon receipt we will then cease processing of that personal data you have provided to us via our website provided there is no statutory, regulatory or other obligation placed upon us to do otherwise.
You have the right to request the following:
details of all your personal data that are currently held by us
information about how and for what purpose(s) we process your personal data
that any inaccuracies in your personal data are rectified without delay (this will often require you to first inform us of such inaccuracies)
that any incomplete personal data about you are completed (this will often require you to provide us with the missing data)
that your personal data held by us are erased if there is no longer any justification for us to continue processing them
that the processing of your personal data held by us is restricted (this applies only in certain circumstances, for example, where accuracy is contested)
a copy of any personal data about you held by us be made available to you in a structured, commonly used and machine-readable format
Please note, however, that the above rights are not necessarily absolute in all circumstances and exemptions do apply. There may, therefore, be legal or other valid reasons why we would be unable to comply with such requests.
All such requests regarding details of personal data about you supplied to us via our website should be sent in writing either by email to enquiries@rjdtechnology.co.uk with ‘DATA SUBJECT RIGHTS’ in the subject line or, alternatively, requests can be posted in hardcopy to: The General Manager, RJD Technology Ltd, 8 The Green, Rowlands Castle, Hants, PO9 6BN.
Third-party links on our website
We may include links to third party sites on our website. Where we provide such links, it does not signify that we endorse those organisations’ privacy policies and nor can we give any guarantee regarding how your personal data will be handled by them or what cookies they use. You must review the privacy and cookie policies of all third parties before sending them any personal data.
The use of cookies on our website
In common with most websites, visitors to our website will have certain technical information about their access equipment collected through our use of cookies. For more information about our use of cookies please see the Cookie Notice on our website.
For how long will we retain your personal data?
Personal data about you which you supply to us via our website will normally be kept by us for:
as long as we have reasonable business needs, or
those periods mandated by statutory, regulatory or other obligations, or
those periods which may be advised by the UK regulatory authority in order that we may show we have treated you fairly, or
those periods as we may be instructed by our legal or other advisers in order that we may defend ourselves against complaints or legal actions
Complaints
If you are not satisfied with our response to any request made by you under the terms of the legislation or you believe that we have treated you unfairly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Find out on the ICO website how to report a concern or make a complaint ( https://ico.org.uk/concerns/ ).
The Information Commissioner can be contacted at:
Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 Website: https://ico.org.uk/make-a-complaint/ Email: casework@ico.org.uk
Updates to this Privacy Notice
Any updates to this Privacy Notice will be posted here on our website
Version 2.0
Last updated: 4 September 2018