When you join us a client, you’ll have access to personal data in the form of CVs and application we send over to you. As part of our terms of business, you’ll have seen our ‘data processing agreement’, which explains your obligations when processing this data. Don’t worry about digging around the filing cabinet just yet, you can see the data processing agreement here:
DATA PROTECTION AND DATA PROCESSING NOTICE
In this Notice:
“Agency” means Aardvark Swift Recruitment Limited a limited company registered in England under company number 5481117 and trading as “Aardvark Swift”;
“Applicant” means the person introduced by the Agency to the Client for an Engagement;
“Client” means the person, firm or corporation body together with any subsidiary or associated company as defined by the Companies Act 2006 to whom the Applicant is introduced;
“Data Protection Legislation” means 1) unless and until GDPR is no longer directly applicable in the UK, GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time), in the UK and subsequently 2) any legislation which succeeds GDPR;
“Engagement” means the engagement, employment or use of an Applicant by the Client whether part time or full time, with or without a contract;
“GDPR” means EU Regulation 2016/679 General Data Protection Regulation; and
“personal data” means personal data as defined in the Data Protection Legislation.
“Terms” means the Terms and Conditions of Business for Permanent Recruitment.
All personal data that either Agency or the Client (“First Party”) may use will be collected, processed, and held by that First Party in accordance with the provisions of Data Protection Legislation and the rights under the Data Protection Legislation of the other party being, as the case may be, either the Agency or the Client (“Other Party”) and the rights under the Data Protection Legislation of any third party.
All Applicant personal data provided to the Client by the Agency shall be processed by the Client in accordance with the following provisions.
- For the purposes of the Data Protection Legislation and for this Notice, the Agency is the “Data Controller” and the Client is the “Data Processor”.
- The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are as follows:
Scope, Nature and Purpose
The selection of Applicants Introduced by the Agency
As required for each Introduction leading to an Engagement or decision not to select.
Types of Personal Data (not inclusive)
Curriculum Vitae data – qualifications, and experience, hobbies etc
National Insurance Number
References if provided by Agency
Identification checks and documents
Categories of Data Subject
- The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes of the Terms.
- The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under the Terms:
- Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.
- Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.
- Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and
- Not transfer any personal data outside of the European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied:
- The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;
- Affected data subjects have enforceable rights and effective legal remedies;
(iii) The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and
- The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.
- Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);
- Notify the Data Controller without undue delay of a personal data breach;
- In the event of an Introduction that does not lead to an Engagement or on the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller within 6 months of receipt unless it is required to retain any of the personal data by law; and
- Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 9.4 and to allow for audits by the Data Controller and/or any party designated by the Data Controller.
- The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under this Notice.