We have tried to write the following policy in a user-friendly format and language to aid the understanding of our service and systems to our end users. It draws reference and is also binding to all of our policies and terms:
Introduction- GRB and Data Protection
The General Data Protection Regulation (or GDPR) is the framework for data protection laws in Europe. Due to increasingly technologically driven and globalised data communications, the GDPR addresses personal data transfers for EU citizens to ensure greater data control and security, within and outside the EU.
Graduate Recruitment Bureau Ltd, also referred to as GRB, also operates under its sister company names:
- Cortex IT Recruitment
- Metrica Recruitment
- Quota Recruitment
We are registered with the Information Commissioner’s Office (ICO), number z7502403. We take data privacy very seriously and we are strictly compliant with data protection legislation. We have carefully complied with the Data Protection Directive 1995, Data Protection Act 1998 and now the General Data Protection Regulation.
We have strong data security measures in place, and we have never sold or exchanged work-seeker or client data, and we never will.
Our Service – Why we store personal data
- Website functionality
- Internal administration
- Candidate selecting and screening
- Advertising and marketing relevant employer opportunities
- Internal research to improve our services
Your Data - What Do We Collect and Why?
Our recruitment service for graduates, students and employers consists of, but not exclusively:
- Screening CVs and contacting candidates to assess suitability
- Matching candidates to employers that meet their requirements
- Organising some or every stage of the recruitment process
- Advertising and marketing relevant job and career or training related opportunities
- Research projects
So that we can accurately carry out our recruitment service, we collect the following compulsory and optional information:
- First Name and Surname
For employer requirements and location
- Course Subject
For employer requirements and skill assessment
- Email Address
For job contact purposes, confirmations and website functionality
- Course Type
For employer requirements, skill assessment and graduating month
- Course Grade
For skill assessment
For security clearance and additional language skills
- IP Address
For abuse claims and location information
- Contact Phone Number
For job contact purposes, confirmations and interviews
- CV and Cover Letter
For employer requirements and skill assessment
- Personal Statement
For employer requirements and skill assessment
- Industry Career Choices
For insight into the industries you would consider working in
- Region Career Choices
For insight into the geographical locations you would consider working in
- Driving Licence and Car Status
For roles where this is a requirement
- Qualifications before university e.g. A-levels or equivalent
For employer requirements and skill assessment
If you are in communication with any member of staff at GRB via telephone, we may store the call as a recording for training or reference.
Your Privacy Notice - What happens with your data
When you register with GRB, we will issue an official privacy notice within one month, normally in the welcome email, depending on how you registered with us. This will outline the following important GDPR compliance factors as to what we do with your data:
- We have a purpose and legal basis to process
- We have legitimate interest to process
- If we will or will not use a third-party to process
- This is dependent on how you registered. If you registered on a paper form at an event, we use a GDPR compliant third party to process the paper registration forms
- If your data will go outside the EU
- How long we will retain your data
- Your data protection rights
Please preview the full Privacy Notice you will receive when registering here - GDPR Privacy Notice
Data Storage - Where we safely store your data
In terms of storage and website functionality, your data will never leave the EU. Your personal information is being stored in one or more of the following secure UK based locations either temporarily or until your account is deleted:
- Our website server
- Our internal database
- Our backup server
- Our cloud storage account
- A data entry service
- A cloud based document processor
- A cloud based call recording system
For security reasons the providers will only be named on legitimate requests.
The Data Protection Principles – The care we take when handling your personal data
GRB lawfully process their data in a fair and transparent manner and we do not discriminate by gender, ethnicity or any other protected characteristic or social background. The data collected is exclusively for legitimate work-finding purposes and limited to only what is necessary in relation to it.
Every reasonable step is taken to keep data accurate and up to date, including by the use of email requests or in some cases telephone calls, to ensure that any personal data stored is valid and still relevant to the purposes of which it was collected. GRB do not intend to keep data for longer than is necessary to the services we offer in student, graduate and experienced recruitment. If you decide to create an account, add your personal information and upload a CV or other similar documents then we will keep that information until you request for us to delete it.
We ensure that appropriate security of personal data is in place to protect against unauthorised or unlawful access, accidental loss and destruction or damage. We do so by using, amongst others, the following technical, cyber security and organisational measures:
- Secure Socket Layer (SSL) certificates installed on the GRB and sister websites
- Separate non-public access servers to store candidate data
- Enterprise level secure managed hosting
- Enforced strong passwords and password change lockouts
- Encrypted backups for all systems
- Regular auditing of internal computers and laptops
- Password or user permissions protected documents and folders
- Industry leading anti-virus and firewall software
- All staff trained in safely handling data
- All third party services used are GDPR compliant with supplied statements
- Appointed Data Protection representative
Legal Bases for Processing – We store personal information the correct and legal way
GRB only process your personal data where it has a legal basis for doing so that is with the requirements of the service we offer. Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as our sister companies, persons making an enquiry or complaint and any other third party (such as software solutions providers and back office support)), we will establish prior legal consent either before entering it onto our systems or before making the transfer.
GRB take every possible step to implement measures and procedures that protect your privacy and we ensure that data protection is integral to all processing activities. This includes implementing measures such as:
- Data minimisation
Only completely necessary data is requested and stored
Personal information is anonymised if it is not required for the purpose of use. Individuals who request their personal data to be removed will have their records anonymised.
Anonymisation (of data) is a type of information sanitisation whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
Privacy Notices – We’ll always tell you and make it clear
It is important that you know exactly what data is being collected and what it is used for. GRB ensure that whenever personal data is collected the individual is clearly notified as to what is going to happen with the data. You will be given at least one of the following notices and will be required to confirm with us that you accept before we process and store your information for our services:
- For paper forms from live events, a clear message will be provided on the form that refers to agreeing to a statement of consent for GRB, or our third-party GDPR approved supplier, to process the data.
All new user registrations will receive an email containing our terms of consent depending on how their data was acquired and guidelines on our data policy. This will normally arrive in the welcome email.
GRB does not intend to further process personal data for any purpose other than that for which the data was initially collected. If this should change in the future for a reason that would benefit the users of GRB’s service, then full consent will be requested from the affected individuals before they carry out any further processing.
Data Processors – Who handles your personal information
We process the majority of our data internally, but additionally GRB use third-party data processors who meet GDPR requirements when necessary. For physical registrations that are collected at events, GRB use a third-party data entry company. The companies and their GDPR statements with details of how they process data on behalf of GRB are available by request.
Personal Data Request – Take a look at what we have
If we hold any of your personal data then you or a representative of your behalf can request a copy from GRB. A full copy of your data will be supplied in a Microsoft Excel file within one month. GRB would also be happy to assist if you would like to rectify any inaccurate or incomplete personal data. See Making Requests at the end of this document.
Data Changes and Deletion – Your right to be forgotten
GRB strongly believe in your right to be forgotten. This is both good for the autonomy and respect of our users, and business efficiency. This is at the core of GRB’s values as a company and GDPR.
If you would like your personal data removed then please email your request to GRB (See Making Requests at the end of this document) with confirmation that you would like to be removed entirely, or whether you are happy to remain as a user that does not get contacted in the future (for a specified period or otherwise). You can also achieve this yourself by editing your settings, deactivating for a period or fully deactivating. Please visit your Account Settings.
If you would like to be completely removed then a full anonymisation of your record will be put into motion. This process ensures that all personally identifiable data is removed and the profile cannot be identified under any circumstances. If you have given prior consent for your information to be passed on to a recruiter or another third party then we will attempt to reach out and request they follow the same procedure however we can’t enforce or follow-up to prove action from them.
This initial process will be completed within one month of the request made. The GRB system encrypted backups date back three months, so after this period the full process will be complete and no record will be left.
Please note that you will be able to re-summit your data again in the future should you wish to. It is also possible to be re-registered via another route that you may not be aware of such as opting-in while registering with one of our partners. As we will not keep a record of people we have removed, we can’t avoid this, so you may be contacted again.
Deletion and the Conduct Regulations
Employment businesses such as GRB must keep records that are sufficient to show that we have complied with the legal Acts and the Conduct Regulations of our industry. This includes a regulation that requires us to retain work-seeker and client records for at least one year following the date we last provided services. What this means is that if you request to be deleted, certain information will be stored in a separate location for a year before we can completely delete it.
Restriction of Processing – When and why data processing might be restricted
You have the right to ask us to stop using your data if you know it to be inaccurate, unlawful or against legitimate interest where the grounds of use override those of yours. In these cases GRB will revert to the anonymisation of your data once you agree. Please see Making Requests at the end of this document.
Data Portability – How you can move your data
You have the right to a copy of your data, and where feasible, GRB will send your personal data to a named third party on the individual’s request. We supply your data in Microsoft Excel format which is considered as a good choice for data portability. We can also supply it in other formats on request. Please see Making Requests at the end of this document.
Object to Processing – Your right to ask us to stop
You have the right to object to your personal data being used or profiled by GRB if you feel it’s of public or legitimate interest. You can also object to your personal data being used for direct marketing. Once we receive a request we shall cease using your data, unless we have legitimate grounds to continue which take precedence over your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. To cease using your data we will revert to full anonymisation of your record in all our systems. Please see Making Requests at the end of this document.
Enforcement of Rights – Our responsibility to action your requests in a given timeframe
GRB will act upon any requests relating to your personal data within one month. This includes personal data requests, requests relating to rectification, erasure, restriction, data portability or objection or automated decision making processes or profiling. We may extend this period for two further months where necessary, when taking into account the complexity and the number of requests. These timeframes meet the GDPR standards.
If GRB considers any requests unfounded or excessive due to the request’s repetitive nature we may either refuse to act on the request or may charge a £10 fee per request taking into account the administrative costs involved.
Reporting personal data breaches – How we are prepared
In the unlikely event of a data breach, GRB will take steps to contain and recover the breach. If a personal data breach is likely to result in a risk to the rights and freedoms of any individual, GRB will notify the ICO. If a personal data breach presents a high risk to the rights and freedoms of any individual then GRB will tell all affected individuals without undue delay. If a personal data breach happens outside of the UK, GRB shall alert the relevant supervisory authority for data breaches in the affected jurisdiction.
Please email your request to GRB providing the following information:
What action you would like to take:
- Account Snoozed
Your data will remain within the GRB systems and contact will not be made until your account is reactivated on a specified date that you set.
- Account Unsubscribed
Your data will remain within the GRB systems but no email contact will be made.
- Account Deactivated
Your data will remain within the GRB systems but contact will not be made without additional prior consent.
- Account Data Request
We will supply a copy of the personal data we hold on your account.
- Account Deleted
Your data will be fully deleted in the form of anonymisation.
- Other Request
- Full Name
- Email address/addresses that may be registered
- Contact phone number
- Your university and year of graduation
You must make your request from the registered email on your account. In the cases where we can’t identify you with certainty we may ask for further identification such as photographic ID.
Please send the above information from your registered email to firstname.lastname@example.org