GDPR Privacy Notice
This Privacy Notice tells you what to expect in relation to personal information about you which is collected, handled and processed by TWH Consulting Limited.
TWH Consulting Limited of Brightwire House, 114A Church Ln, Hove BN3 2EB is the Data Controller.
This privacy notice is a public declaration of how TWH Consulting applies the Data Protection Principles and Rights afforded to individuals by the General Data Protection Regulation (GDPR) to the personal data that we process. TWH Consulting is committed to complying with the principles relating to the processing of personal data under the GDPR.
We take care to protect the privacy of our candidates and clients. Set out below is an explanation of how we process this information.
The information we may collect
The information about you we may collect, hold and process is set out below:
(A) Information collected and processed for finding you a suitable role is as follows:
- Your name
- Your address
- Your email address
- Your telephone number
- CV/work history
- Job preferences including role, geographical areas and salary
- Any other work related information you provide, for example, education or training certificates
(B) Information in respect to individuals that have worked for us previously or may work for us is as follows:
- In some cases, permits and visas
- National insurance number
- Full details of job offers and placements
- Outcome of criminal record checks and security clearance for certain roles
- In certain cases, medical information
- Financial information (including but not limited to payroll details and terms, HMRC data, pension scheme details, court orders and statutory payments)
- A log of our communications with you by email and telephone
(C) Information in respect of client contact and sales activities
- Job Title
- Email address
- Phone Number
How we use the information (Candidates)
This information will have been provided, or will be provided, by you or a third party who we work with, such as a Job Board Company. In the case of references, these will be from your previous employer. The outcome of criminal record checks and security clearance checks, where relevant, will be supplied by the Disclosure and Barring Service or other external company applicable to the placement.
The above information is used to provide our services to you in our capacity as an employment business / agency to find you suitable work whether on a temporary or permanent basis based on your requirements as set out below.
The information under A above may be used as follows:
- To match your skill sets with job vacancies to assist in finding you the positions that most suit you
- To put forward your details to our clients and prospective employers for you to be considered for vacancies
- To place you with our clients and prospective employers
- To keep you informed of available opportunities as they arise
- To keep you informed of the services offered by us
The information under B above may be used as follows:
- To establish that you have the right to work
- To undertake relevant security and criminal record checks as required by our clients and prospective employers and as permitted by law
- To deal with any medical and health and safety issues relating to certain positions
- To put in place contractual arrangements and documentation once a role has been secured
- To pay you if placed
How we use the information (Clients)
Sales prospect data is used for contacting relevant prospects with TWH-relevant sales messaging. Data is collected from a variety of public-facing websites including LinkedIn. Our internal process is to send one email to each prospect and, if there is no response, the data is deleted from the system after 30 days.
Sales prospect data is stored for 30 days after it is uploaded to the cloud-based CMS and initial contact is made. If a removal request is received, it is actioned as a priority and the data is removed within the 30-day period.
Please note that, as part of the strategy for GDPR compliance, we are working on a 30-day turnaround from May 25th 2018 to contact and remove historic data, pre GDPR Regulation.
How we hold the information
All the personal data we have is stored in a Cloud based CMS, hosted on Amazon Web Services (AWS), which provides industry-leading security and has a long list of internationally recognized certifications and accreditations including: ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and many others.
All customer data is backed up at regular intervals and stored in two alternative locations within the EU at all times, as per AWS recommended guidelines. Finally, security and performance tests are carried out at regular intervals to ensure the smooth running of the service.
Along with a standard username and password, all customer databases can be secured with additional layers of security including: 2-Step Authentication, Access Control Lists, and use of the in-built comprehensive Permissions System. All customer data can be exported at any time from within the system by an authorised user. Finally, there is a detailed system log which provides an overview of activity on the database for auditing and security purposes.
Disclosure of your information
Your CV and related information will be shared or sent to prospective employers and our clients. Once you have secured a placement, additional information will be provided to them to enable the placement to proceed. Such employers and clients will usually be located inside the European Economic Area (EEA) but may be outside of the EEA. Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection or the appropriate safeguards are in place for your rights and freedoms. Before such a transfer takes place outside of the EEA, we will provide you with further information concerning this.
Other trusted third parties that we may share your data with are as follows: HM Revenue and Customs, pension scheme providers, legal advisors and other companies for the purpose of undertaking pre-engagement checks for the role or for paying you.
What is the legal basis for processing the information? (Candidates)
We will rely on your consent to process the information marked with an * above which is collected at the outset of the recruitment process.
Information and documentation to establish your right to work is processed by us as we are legally obliged to do so.
In respect of medical information, the basis for us processing this will depend on the circumstances, but will usually be for one of the following reasons: it is necessary to protect health and safety or to prevent discrimination on the grounds of disability or where consent has been obtained, if required.
Information in relation to criminal record checks, which are relevant for some roles, will be processed on the basis that it is necessary for us to comply with the law or consent will be obtained, if required.
Once a position has been found for you, we will process your personal data, including financial information, for the purpose of you entering into a contract to fulfil your role and to enable us to pay you, depending on the specific contractual arrangements and circumstances.
For the purposes of paying you, where relevant, we are legally obliged to provide information to HMRC.
Once a placement has been secured, we may also process your data on the basis of our legitimate interests, i.e. for administrative purposes. We will hold your data for up to three years, after which point, if it is deemed that there is no legitimate interest, it will be deleted.
What is the legal basis for processing the information? (Clients)
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| PURPOSE/ACTIVITY | TYPE OF DATA | LAWFUL BASIS FOR PROCESSING INCLUDING BASIS OF LEGITIMATE INTEREST |
|---|---|---|
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy notice (b) Asking you to take a survey | (c) Marketing and Communications | (a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant content to you | (a) Identity (d) Marketing and Communications | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (e) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
You currently have the right at any time to ask for a copy of the information about you that we hold. If you would like to make a request for information please email email@example.com
In addition to this right of access, when the GDPR comes into force, you will also have the following rights: erasure, restriction of processing, objection and data portability. We will update you further in connection with these rights when they come into force.
Retention of your data
Your data will be retained for no longer than is necessary and in accordance with our Data Retention Policy.
What rights do I have?
The right to be informed
TWH provides fair processing of information by way of this privacy notice.
The right of access
You have the right to obtain confirmation whether or not we are processing your data and a right to obtain a copy of the data that we hold. This is known as a Subject Access Request. Please contact us at firstname.lastname@example.org to make a request.
The right to rectification
If any information held is inaccurate or incomplete, you have the right to have that information corrected or deleted. If other parties have been passed the information (such as HMRC), we will, where possible, inform them of the rectification undertaken. Please contact your local TWH contact to make this request.
The right to erasure (also known as the “right to be forgotten”)
You have the right for your information to be deleted. We will oblige as long as there are no reasons for us to keep the information, for example where we have to keep certain pieces of information for minimum periods in line with legislation.
The right to restrict or object to processing
You have the right to block or restrict processing. This won’t affect the processing done so far, but will stop further processing. For example, if you apply for a role, we will have to keep information on file for a certain period; we can, however, remove you from our active candidate talent pools if you do not wish to be contacted about further opportunities.
The right to data portability
You have the right for your information to be provided in a machine-readable format to enable easy transfer between processors. This right is available to personal data provided by you.
The right not to be subject to automated decision making
Where we use automated decision making, we will inform you how and when this will happen. As applicable, where the decision is fully automated, we will obtain your consent.
The right to withdraw consent
Where we process information based on the data subject’s (your) consent, you have the right to withdraw consent at any time. Please note that where you withdraw your consent, this will not affect the lawfulness of processing based on consent before its withdrawal, nor further processing of the same data under other legal bases such as contract or compliance with a Capita Resourcing legal obligation.
The right to complain
If you wish to discuss your personal data or lodge a concern about the way in which it is handled, please use any of the following details:
If you are unhappy with our response, you have the right to complain to the Supervisory Authority, the details of which are below:
Please address any questions, comments and requests regarding our data processing practices to Alex Higgins at email@example.com
Changes to the Privacy Notice
This Privacy Notice may be changed by us at any time.