Data Processing Policy
WHAT IS GDPR?
The EU General Data Protection Regulation (GDPR) is an EU regulation that came into force on 25 May 2018. It strengthens current rules under the Data Protection Act (1998) by introducing new obligations for organisations and rights for individuals.
The GDPR applies also to businesses that are outside of the EU but continue to provide services to individuals from EU Member States, so will be applicable even after Brexit. Businesses will need to comply with the GDPR from 25 May 2018 or face steep penalties.
WHERE WE GET YOUR DATA FROM
We obtain candidate data both over the phone and from Curriculum Vitae submitted to us via several methods. These methods include: –
· Direct email to a member of staff employed
· Submission via a Job Board (e.g. Indeed, Vetclick)
· Registration on our website forms
· Delivery of a physical copy via hand at a trade show or exhibition
· During an unrecorded conversation with an employee via our landline or mobile phone
As a candidate, it is your responsibility to ensure that all data provided is accurate and true, as Medicus will assume this to be the case.
HOW WE STORE CANDIDATE INFORMATION AND WHERE IT GOES
When we receive a CV via direct email, an EU based hosted email provider transmits your information to us. It is then accessed by an employee and uploaded to an Applicant Tracking System (known as ATS) hosted in the EU. Your CV is then replicated to a secure cloud-based data repository (operated by Apple Inc. and hosted in the EU). These are the only locations in which your personal information will be held. Each of these partner suppliers has been audited and displays its own data security and GDPR compliance policies and certifications (where applicable).
Where Medicus receives a CV from a third party (Job Board or otherwise), the third party sends us an email containing your CV via direct email whereby the process described above is replicated.
Where Medicus receives a physical copy of a CV, it is scanned to a PC and then shredded on site. The resulting electronic document is processed in the same manner as described above.
Where Medicus receives a CV and personal information via the forms on our website, or via an application you make to a job posting on our website, your CV is automatically uploaded to an ATS hosted in the EU. This is the only location in which your personal information will be held. Each of our partner suppliers has been audited and displays its own data security and GDPR compliance policies and certifications (where applicable).
WHAT DATA WE HOLD AND WHY
Medicus requires your data for a number of reasons.
Why we require your name, telephone number and email address: –
1. To contact you regarding either your initial application for a job vacancy advertised by Medicus or about a job vacancy that we believe you may find of interest
2. To relay your name to the client owner of such a vacancy
3. To relay to a client once an employment offer has been accepted by you, and only then with your express permission, to enable an electronic copy of an employment letter to be sent to you directly
Why we require your address: –
1. To gauge suitability of a vacancy (i.e. if a vacancy is of a commutable distance)
2. To relay to a client once an employment offer has been accepted by you, and only then with your express permission, to enable a physical copy of an employment letter to be sent to you directly
Why we require your employment history: –
1. To gauge suitability of a vacancy (i.e. if a vacancy is of a compatible skillset requirement)
Why we require your education history: –
1. To gauge suitability of a vacancy (i.e. if a specific qualification/certification may be required to conduct a role)
Other information held about you: –
· Electronic notes about any interaction between you, Medicus and its clients
· Electronic notes about interview feedback from you and its clients
YOUR RIGHT TO ACCESS THE DATA WE HOLD
You have the right to view any of your data that Medicus holds. To access this report, please email email@example.com with ‘GDPR Request’ in the subject line. We are committed to replying to your request within two working days.
HOW LONG WE HOLD YOUR DATA AND YOUR RIGHT TO ITS DELETION
We believe that there are unlimited points in your career at which you may want or need a new job. With this in mind, we retain candidate data for a period of 7 years, at which point we contact you to check the accuracy of the data held and update any inaccurate data. You will also be given the option to request that we delete every item of your data we hold.
You have the right to request that we delete your data at any point, a request we shall adhere to within two working days.
THE DATA THAT WE SHARE AND WHO WITH
After obtaining your express permission to be submitted for consideration for a role, Medicus sends an email containing an edited copy of your CV. We remove your contact details, including your phone numbers, email addresses and postal address.
This in-house CV contains: –
· Your name
· The remainder of the information you detailed on your CV in your own words.
Once an offer of employment has been made by an employer and accepted by a candidate, Medicus will send the following to the employer to allow direct communication to take place: –
· Your address
· Your email address
· Your telephone numbers
SENDING YOU INFORMATION ABOUT VACANCIES
Our aim is to keep potentially interested candidates informed of job vacancies that we are made aware of by our clients.
To do this we send emails, text messages and make telephone calls. Upon registering your data on our website, you will be asked to confirm your permission for us to send you details by email. If you apply for a position via email, you will be sent an email requesting your permission to process your information. Only once you have replied to this email granting permission, can we consider and process your application.
You are able to opt out of receiving information at any time.
We will not utilise any contact data we hold about you for any other reason than to make you aware of a potentially suitable vacancy.
We’ll only collect and use your information where we have lawful grounds and legitimate business reasons / interests to do so.
As the lawful bases for processing personal data, we rely on legitimate interests, which means that we have a business interest in providing you with information to help you acquire a job or further your career, or on contract, in order to provide you with the service you have requested.
We’ll be transparent in our dealings with you and tell you how we’ll collect and use your information.
If we collect your information for a particular purpose we’ll only use it for that purpose, unless you’ve been otherwise informed and given your permission where relevant.
We won’t ask for more information than we need for the purposes for which we’re collecting it. We’ll update our records when you tell us that your details have changed. We’ll periodically review your personal information to ensure we don’t keep it for longer than is necessary.
We’ll ensure that your information is securely disposed of at the end of the appropriate retention period.
We’ll observe your rights under applicable privacy and data protection laws and will ensure that queries relating to privacy issues are dealt with promptly and transparently.
We’ll train our staff on their privacy obligations. We’ll ensure we have appropriate physical and technological security measures to protect your information regardless of where it’s held.
If you do not agree to our processing of your data in the manner outlined in the Policy, please do not submit any personal data to us.
INFORMATION WE HOLD ABOUT YOU
We will collect data about you, both personal data (such as your name and contact details) and special categories (such as information in your CV), as well as information on how you use this website (such as your IP address and browser information).
INFORMATION YOU GIVE US
You may give us information about yourself by filling in forms on our website, sending us your CV, applying for jobs, registering for job alerts, providing feedback or corresponding with us by phone, email or otherwise. This includes, for example, information you provide when you do any of the following:
• register to use, or visit our website
• provide feedback on the website or our services, or report a problem with our website
• search for services
• enter survey(s) or participate in research project(s)
HOW WE WILL USE YOUR DATA
• To provide our recruitment services to you and to facilitate the recruitment process
• To assess data about you against vacancies which we judge may be suitable for you
• To send your information to clients in order to apply for jobs or to assess your eligibility for jobs – Please note each submission we make in this regard will be transparent and at no time will we submit your details to a specific client or a specific role without your prior consent.
• To enable you to submit your CV, apply online for jobs or to subscribe to alerts about jobs we think may be of interest to you
DISCLOSURE OF YOUR PERSONAL DATA
We may disclose your personal data:
• to third parties, regulatory or law enforcement agencies if we believe in good faith that we are required by law to disclose it in connection with the detection of crime, the collection of taxes or duties, in order to comply with any applicable law or order of a court of competent jurisdiction, or in connection with legal proceedings
• to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of our company
• when we have a legal obligation to do so
• to our third party suppliers in connection with the services we provide to you
SECURITY AND SAFE STORAGE OF YOUR PERSONAL INFORMATION
Once we’ve received your information, we’ll use appropriate procedures and security features to try to prevent unauthorised access. Unfortunately, the transmission of information via the internet isn’t completely secure. Although we endeavour to protect your personal data, we can’t guarantee the security of data transmitted over the internet. Any transmission of data is at your own risk.
Information supplied by you to us, or that we collect about you, may be transferred, and stored by us, our agents or contractors for the purpose of providing services to you or for research purposes, outside the European Economic Area. We will use appropriate safeguards when transferring your data.
We may monitor the use and content of emails, calls and secure messages sent from and received by us so that we can identify and take legal action against unlawful or improper use of our systems, and for training and quality control purposes or dispute resolution.
Under GDPR legislation effective from May 25th 2018, the following rights are relevant to your dealings with Medicus. You have rights under the following 5 areas relating to your personal data.
The right of access
The right to rectification
The right to erase
The right to restrict processing
The right to object
THE RIGHT OF ACCESS
You have the right to obtain confirmation that your data is being processed, and have a copy of your personal data. We will provide a copy of this information free of charge. Information will be provided without delay and at the latest within one month of receipt.
THE RIGHT TO RECTIFICATION
You are entitled to have personal data rectified if it is inaccurate or incomplete.
If the personal data has been disclosed to third parties, we will inform them of the rectification where possible. We will inform you about the third parties to whom the data has been disclosed where appropriate. We will respond to a request for rectification within one month.
THE RIGHT OF ERASURE
The right of erasure is also known as ‘the right to be forgotten’. You can request the deletion or removal of personal data in specific circumstances. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased:
1) Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
2) When you withdraw consent.
3) When you object to the processing and there is no overriding legitimate interest for continuing the processing.
4) The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
5) The personal data has to be erased in order to comply with a legal obligation.
6) The personal data is processed in relation to the offer of information society services to a child.
We will review any request for erasure on a case by case basis.
THE RIGHT TO RESTRICT PROCESSING
You have a right to restrict processing of your personal data. When processing is restricted, we can store the personal data, but not further process it. We will keep just enough information about you to ensure that the restriction is respected in future.
If we have disclosed the personal data in question to third parties, we will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
If we decide to lift a restriction on processing, we will tell you.
THE RIGHT TO OBJECT
You have the right to object to us processing your personal data where the processing is:
1) based on legitimate interests of the business
2) for direct marketing
Where we process personal data for our organisation’s legitimate interests, you can object to this.
We use a combination of legitimate interest and consent when collecting your data dependent on the data collection scenario and the extent of data and level of sensitivity of the data that you share with us.
Our data collection is always in line with the provision of our recruitment services or in line with applying for specific job roles advertised on our site or handled by our organisation. In applying for jobs or registering for use of our services you recognise that subsequent communications about our job search services, associated material and specific opportunities are of a service nature and not defined as marketing communications. This does not affect your rights to tailor your preferences in terms of the channels through which you receive service based messages or to opt out of receiving such messages.
Where using consent as the basis for processing special category data you should be aware that opting out or not providing consent may compromise your ability to use our service fully.
UPDATES TO THIS POLICY
This policy is effective from March 28th 2019. Future revisions and updates will be made available here. If you wish to be notified when this policy is updated, please let us know by emailing firstname.lastname@example.org