Privacy notice for job applicants

Overview
As part of any recruitment process, the BDRC Group (the ‘Company’) collects and processes personal data relating to job applicants. The Company is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

Data Protection Principles
Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:

  • be processed fairly, lawfully and transparently;
  • be collected and processed only for specified, explicit and legitimate purposes;
  • be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
  • not be kept for longer than is necessary for the purposes for which it is processed; and
  • be processed securely.

The Company is accountable for these principles and must be able to show that it is compliant.

How the Company defines personal data
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data. This policy applies to all personal data whether it is stored electronically, on paper or on other materials.

How the Company defines special categories of personal data
‘Special categories of personal data’ are types of personal data consisting of information as to:

  • your racial or ethnic origin;
  • your political opinions;
  • your religious or philosophical beliefs;
  • your trade union membership;
  • your genetic or biometric data;
  • your health;
  • your sex life and sexual orientation; and
  • any criminal convictions and offences.

We may hold and use any of these special categories of your personal data in accordance with the law.

How the Company defines processing
‘Processing’ means any operation which is performed on personal data such as:

  • collection, recording, organisation, structuring or storage;
  • adaption or alteration;
  • retrieval, consultation or use;
  • disclosure by transmission, dissemination or otherwise making available;
  • alignment or combination; and
  • restriction, destruction or erasure.

This includes processing personal data which forms part of a filing system and any automated processing.

What information does the Company collect?
The Company will collect a range of information about you during the recruitment process. This includes:

  • your name, address and contact details, including email address and telephone number;
  • details of your qualifications, skills, experience and employment history;
  • information about your current level of remuneration, including benefit entitlements;
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process; and
  • information about your entitlement to work in the UK.

The Company may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment. The Company may also collect personal data about you from third parties, such as references supplied by former employers. The Company will seek information from third parties only once a job offer has been made to you and will inform you that it is doing so. Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email). Personal data will not be transferred outside the UK or the European Economic Area except in compliance with the law and authorisation of the Security Committee.

Why does the Company process personal data?
The Company needs to process data to take steps at your request prior to entering into a contract with you. The Company may also need to process your data to enter into a contract with you. In some cases, it needs to process data to ensure that it is complying with its legal obligations. For example, it is mandatory to check a successful applicant’s eligibility to work in the UK before employment starts.

The Company has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the Company to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. The Company may also need to process data from job applicants to respond to and defend against legal claims.

The Company may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. It may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. The Company processes such information to carry out its obligations and exercise specific rights in relation to employment. If your application is unsuccessful, the Company may keep your personal data on file in case there are future employment opportunities for which you may be suited. The Company will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time.

Who has access to data?
Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the team with a vacancy and IT staff if access to the data is necessary for the performance of their roles. The Company will not share your data with third parties, unless your application for employment is successful and you are offered employment. Your data would then be shared with former employers to obtain references for you, and employment background check providers to obtain necessary background checks.

How does the Company protect data?
The Company take the security of your data seriously. The Company has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. BVA BDRC is certified to the international standard for Information Security – ISO 27001:2013 and the rest of the Group companies work to the same standards.

For how long does the Company keep data?
If your application for employment is unsuccessful, the Company will hold your data on file for 6 (six) months after the end of the relevant recruitment process. If you agree to allow the Company to keep your personal data on file, the Company will hold your data on file for a further 6 (six) months for consideration for future employment opportunities. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed. You will be asked when you submit your
CV whether you give the Company consent to hold your details for the full 12 months in order to be considered for other positions or not. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper based) and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

How to deal with data breaches
The Company has robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur and if the breach is likely to result in a risk to the rights and freedoms of individuals then the Company must also notify the Information Commissioner’s Office within 72 hours.
If you are aware of a data breach you must contact the Security Committee: ISOCompliance@bva-bdrc.com immediately and keep any evidence you have in relation to the breach.

Subject access requests
Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information the Company holds about them. This request must be made in writing to the BVA BDRC Security: ISOCompliance@bva-bdrc.com or the Data Protection Officer: DPO@bva-bdrc.com. The Company must respond within one month unless the request is complex or numerous in which case the period in which the Company must respond can be extended by a further two months. There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive the
Company may charge a reasonable administrative fee or refuse to respond to your request.

Your data subject rights
You have the right to information about what personal data we process, how and on what basis as set out in this policy. You have the right to access your own personal data by way of a subject access request (see above).

You can correct any inaccuracies in your personal data. To do you should contact the Security Committee (as above).

You have the right to request that the Company erases your personal data where it is not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the Security Committee (as above).

While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the Security Committee (as above).

You have the right to object to data processing where the Company are relying on a legitimate interest to do so and you think that your rights and interests outweigh that of the Company and you wish to stop it. You have the right to object if the Company processes your personal data for the purposes of direct marketing.

You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. The Company will not charge for this and will in most cases aim to do this within one month.

With some exceptions, you have the right not to be subjected to automated decision-making.

You have the right to be notified of a data security breach concerning your personal data.

In most situations the Company will not rely on your consent as a lawful ground to process your data. If it does however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the Security Committee (as above).

You have the right to complain to the Information Commissioner. You can do this be contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.

Document Owner
The Information Security Committee is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements.

For the purpose of this policy the BDRC Group incorporates: BVA BDRC; Alligator Research; Perspective Research Services Limited; Viewpoint; ESA Retail

Last updated: August 2023

Get in touch

Let’s talk about you

Be better