INTRODUCTION
Harvey Sutton specialises in the identification and placement of individuals within the legal, accounting and consultancy sectors.
Harvey Sutton Ltd. is committed to protecting your privacy and takes the privacy and security of personal data very seriously.
In this privacy notice, we set out how we collect and use your personal data before, during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR). This policy applies to all individuals, service users, clients, and suppliers and does not form part of any employment or other services contract with us.
We may update this notice at any time, and we may provide you with additional privacy notices from time to time.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Our ICO registration reference is ZA422226.
DATA PROTECTION PRINCIPLES
We will comply with data protection law, including the 6 principles of GDPR which are:
- To process your personal data lawfully, fairly and in a transparent way.
- To collect your personal data only for valid purposes that we have advised you about and to not use your personal data in any way that is incompatible with those purposes (unless we have notified you and explained the lawful ground that allows us to do so).
- To only process your personal data to the extent necessary for the purposes we have advised you about.
- To keep your personal data accurate and up to date.
- To keep your personal data only as long as necessary for the purposes we have told you about.
- To keep your personal data secure.
PERSONAL DATA THAT WE PROCESS
INDIVIDUALS AND SERVICE USERS DATA
Personal data means any information about an individual from which that person can be identified. It does not include anonymous data where the identity has been removed.
We may collect, store, and use the following categories of personal data about you:
- Personal contact details such as name, title, addresses, telephone numbers, and email.
- National Insurance number.
- Tax reference number.
- Nationality/citizenship/place of birth.
- Registration information and a copy of your Driving Licence and/or Passport/Identity card/Birth Certificate.
- Immigration status (whether you need a work permit).
- Salary, annual leave, pension and benefits information.
- Location of employment or workplace.
- Recruitment information (including copies of right-to-work documentation, references and other information included in a CV or cover letter or as part of the application process).
- Employment records (including job titles, work history, working hours, training records and professional memberships).
- Details of your existing and previous salary.
- Information about your use of our information and communications systems.
- Extra information that you choose to tell us.
- Extra information that your referees choose to tell us about you.
- Extra information that our clients may tell us about you or that we find from other third-party sources such as job sites.
- IP address.
- The dates, times, and frequency with which you access our services.
Please note that the above list of categories of personal data we may collect is not exhaustive.
CLIENT DATA: We collect and use information about our clients or individuals at your organisation in the course of providing a service to you. We usually only require your contact details or the details of individual contacts at your organisation (such as their names, telephone numbers and email addresses) to enable us to ensure that our relationship runs smoothly. We will let you know if we need additional personal data for any reason.
SUPPLIER DATA: We collect a small amount of information from our suppliers during the course of our contract. We require details of relevant individuals at your organisation so that we can communicate with you. We also require other information, such as your bank details, so we can pay for the services you provide (if this is part of our contractual arrangements).
WEBSITE USERS: We may collect a limited amount of data from our website users, which we use to improve your experience and manage the services we provide. This includes information such as how you use our website, the frequency with which you access our website, and the times our website is most popular. If you would like to learn more about what data we collect about you when you visit our website.
HOW WE COLLECT YOUR PERSONAL DATA
INDIVIDUALS AND SERVICE USERS DATA
We collect and use certain types of information about the Individuals or Service Users who come into contact with the company to carry out our work. We collect personal data about you, either directly from you, sometimes from a background check provider, from the client/site you are currently working with, or from third parties, including former clients, employers, credit reference agencies, or other background check agencies.
There are numerous ways you can share your information with us. It all depends on what suits you. These may include:
- Entering your details on our website via the registration process.
- Emailing your CV and Cover letter to us.
- Personal data we receive from other sources.
We also receive personal data about you from other sources. Depending on the relevant circumstances and applicable local laws and requirements, these may include personal data received in the following situations:
- Your referees may disclose personal information about you.
- Our clients may share personal information about you with us.
- Through our social media marketing sites that you have interacted with.
We may collect further personal data about you in the course of our relationship.
CLIENT DATA
We collect personal data about you either directly from you or a third party.
SUPPLIER DATA
We collect your personal data during the course of our work with you.
INTERNET OF THINGS (IoT) USERS
When you access our website, open or click on an email, or interact with a WhatsApp message from us, we may collect certain data automatically or through the information you provide, where appropriate and in compliance with applicable laws and regulations.
The Internet of Things (IoT) refers to a network of connected devices that communicate with each other and the Internet. This includes devices such as smartwatches, vehicles, and smartphones.
For more details on how we use cookies and manage data collection, please visit our website: https://harveysutton.co.uk/
HOW AND WHY WE USE YOUR PERSONAL DATA
We will only process your personal data if we have a lawful ground for processing such data. Most commonly, we will use your personal information in the following circumstances (please note this is not an exhaustive list):
- To identify suitable vacancies for candidates
- To send candidates information about job opportunities
- To fulfil client commissions for specific job roles
- Where we need to comply with a legal obligation
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- We may use your data to improve your experience of using our website. If you are a service user or a client, we may use data from your use of our websites to enhance other aspects of our communications with or service to you.
- From time to time, we may send you information that we think may be of interest to you. Our lawful ground for processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely, to grow our business).
- Where we need to comply with our contractual obligations with our clients.
- Verifying details you have provided, using third-party resources (such as HMRC verification), or requesting information (such as qualifications and potentially any criminal convictions, to the extent that this is appropriate and in accordance with local laws).
- Checking you are legally entitled to work in the UK.
- We will store your details (and update them when necessary) in our database so that we can contact you regarding recruitment.
- To prevent fraud.
- Complying with our legal obligations concerning the detection of crime or the collection of taxes or duties.
- Carrying out satisfaction surveys.
- To monitor your use of our information and communication systems to ensure compliance with our IT policies.
- To ensure network and information security.
- Equal opportunities monitoring.
We may also use your personal data in the following situations.
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
OUR LEGITIMATE INTEREST – PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA
As a recruitment business and agency, Harvey Sutton introduces candidates to clients for permanent employment, temporary worker placements, or independent professional contracts. The exchange of personal data between our candidates and client contacts is a fundamental and essential part of this process.
To support our candidates’ career aspirations and our clients’ resourcing needs, Harvey Sutton requires a database of candidate and client personal data containing historical information and current resourcing requirements.
To maintain, expand, and develop our business, Harvey Sutton needs to record the personal data of prospective candidates and client contacts.
We have listed the various ways we may process your personal data for this purpose, where appropriate and in accordance with any local laws and requirements. Please note that this list is not exhaustive.
If you decide not to provide us with certain personal data that we have requested, we may be unable to perform the contract obligations between us.
We may occasionally use your personal data without your knowledge or consent where this is required or permitted by law.
CRIMINAL CONVICTIONS
We may only process data relating to criminal convictions where the law allows us to. This will usually be where such processing is necessary to carry out our obligations.
Rarely, we may use your personal data relating to criminal convictions where necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests), and you are not capable of giving your consent, or where you have already made the information public.
AUTOMATED DECISION-MAKING
Automated decision-making occurs when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request
- Where it is necessary to perform the contract with you, and appropriate measures are in place to safeguard your
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision based on particularly sensitive personal information, we must have your explicit written consent or justify it in the public interest. We must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will significantly impact you based solely on automated decision-making unless we have a lawful basis for doing so and have notified you.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
Where appropriate and in accordance with local laws and requirements, we may share your personal data, in various ways and for various reasons, with the following categories of people:
- Any of our group and connected companies.
- Individuals and organisations who hold information related to your registration with us, such as current, past or prospective clients, employers, educators, examining bodies and employment and recruitment agencies.
- Clients to enable them to validate our adherence to our contractual obligations and to assist them with any compliance or legal matters.
- Tax, audit, or other authorities when we believe in good faith that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation).
- Third-party service providers who perform functions on our behalf (including external consultants, business associates and professional advisers such as lawyers, auditors and accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems).
- Third-party outsourced IT and document storage providers for which we have an appropriate processing agreement (or similar protections) in place.
- Marketing technology platforms and suppliers.
We may transfer your personal data to other entities for system maintenance support and data hosting.
We may have to share your personal data with third parties, including third-party service providers, for example, because it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Third-party providers may provide Accounting, CRM, and IT services.
We may share data with other agencies such as the local authority, HMRC and the Home Office. The Individual/Service User will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows the company to disclose data (including sensitive data) without the data subject’s consent. These are:
a) Carrying out a legal duty or as authorised by the government.
b) Protecting vital interests of an Individual/Service User or other person.
c) The Individual/Service User has already made the information public.
d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights.
e) Monitoring for equal opportunities purposes – i.e. race, disability or religion.
We may send your information to Clients to demonstrate our compliance processes. This includes information on your file to ensure you are engaged correctly with our business. It also includes any call logs to demonstrate that your registration and status have been evaluated correctly and that information on opportunities is in accordance with local laws and agreed-upon terms of business.
Where required, we may also share your personal data with our client (and their advisors) in relation to any requests necessary to deal with any challenges regarding your contractual and employment status. This includes sharing information regarding HMRC and Employment Tribunal issues.
We require third parties to respect the security of your data and treat it in accordance with the law. They must act only in accordance with our instructions and agree to keep your personal data confidential and secure. We have non-disclosure agreements in place and hold on file Privacy Policy documents for them.
TRANSFERS OUTSIDE OF THE EEA
We may transfer your personal information outside the EEA (European Economic Area) with your prior written consent. If we do, you can expect a similar degree of protection.
Where we transfer your personal data to countries where the European Commission has not made an adequacy decision with respect to that country, we will put in place certain measures to ensure that your personal data receives an adequate level of protection, such as contractual clauses that the European Commission has approved.
DATA SECURITY
We have implemented appropriate security measures to prevent your personal information from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.
We have implemented procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
DATA RETENTION
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once you are no longer an employee, client or contractor of the company, we will retain and securely destroy your personal information in accordance with applicable laws and regulations.
DATA DESTRUCTION
We ensure that all personal data is securely and permanently destroyed when no longer required. Physical documents are shredded using appropriate methods to prevent reconstruction. For electronic devices such as laptops, PCs, and mobile phones, we engage professional data destruction services to ensure complete and irreversible data removal.
Server data is securely deleted within the CRM software in accordance with the provider’s data retention and deletion policies.
RIGHTS OF ACCESS, CORRECTION, AND RESTRICTION
The personal data we hold about you must be accurate and current. Please let us know if your personal information changes.
Under certain circumstances, by law, you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information corrected.
- Request the erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing your personal information where we rely on a legitimate interest (or those of a third party), and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct, or request the erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us.
You will not have to pay a fee to access your personal data or exercise any other rights under data protection laws. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to collecting, processing and transferring your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please get in touch with us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
WHAT ARE COOKIES AND HOW DO WE USE THEM
A "cookie" is a piece of information stored on your computer's hard drive that records how you move around a website so that when you revisit that website, it can present tailored options based on the information stored about your last visit. Cookies can also be used to analyse traffic and for advertising and marketing purposes. Please see our cookie policy for more details about this.
TRAINING AND COMMUNICATION
To ensure a high level of understanding and commitment to securing data privacy, new employees, consultants, and contractors are provided with a copy of this policy and must comply with it as part of their relationship with us.
We ensure we stay abreast of changes in relevant laws and regulations related to GDPR and will adapt our practices to remain compliant. Any changes are communicated, and this policy is reviewed, redistributed and updated at the time of the change.
Training is provided to new employees and consultants and is revised at least every 2 years.
BREACH OF THE POLICY
Any employee who breaches this policy will face disciplinary action, up to and including summary dismissal for gross misconduct.
The Company may terminate its commercial relationship with suppliers, contractors, and other business partners if they breach this policy.
REVIEW AND MANAGEMENT
This policy and process will be reviewed periodically to ensure they remain effective and compliant with relevant legislation. Employees will be notified of any changes to the policy in a timely manner.
PRIVACY MANAGER
We have appointed a Privacy Manager who is in charge of privacy-related matters for us. If you have any questions about this privacy notice, please contact the Privacy Manager using the details set out below.
Name: Ben Jackson
Position: Director
Email: bjackson@harveysutton.co.uk