General Data Protection Regulations (GDPR) Policy
What is the purpose of this document?
Causidicus LLP is committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR). It applies to all people that engage with our services and provide us with personal information.
Causidicus LLP is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to people that provide personal information to Causidicus LLP, for those seeking employment or for marketing purposes. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Data protection principles:
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
The kind of information we hold about you:
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and email addresses.
- Date of birth
- Marital status and dependents
- Salary, annual leave, pension and benefits information
- Employment dates
- Location of employment or workplace
- Educational, professional and legal practising certificate evidence
- Copy of driving license and / or passport
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
- Employment records (including job titles, work history, working hours, training records and professional memberships)
- Disciplinary and grievance information
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your health, including any medical condition, health and sickness records
- Information about criminal convictions and offences
How is your personal information collected?
We typically collect personal information about candidates, employees and workers through the registration, application and recruitment process, either directly from candidates or from previous employers.
We will collect additional personal information in the course of job-related activities throughout any period where you are employed by a third party through Causidicus.
When your personal information is being used as part of your subscription to our recruitment related educational content and marketing purposes, eg. Newsletters, we will collect your information at the point of subscription; either directly from our website or from social media sites such as Linked-in.
What is our lawful basis for processing your information?
Under GDPR we are only allowed to process your personal information if we have a lawful basis to do so. The ‘lawful bases’ identified in the GDPR are:
- Consent of the data subject
- Performance of a contract with the data subject or to take steps to enter into a contract
- Compliance with a legal obligation
- To protect the vital interests of a data subject or another person
- Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The legitimate interests of ourselves, or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Legitimate interests include:
- Where the data subject is a client or in the service of the controller;
- Transmission within a group of undertakings for internal administrative purposes;
- Processing necessary to ensure network and information security, including preventing unauthorised access;
- Processing for direct marketing purposes, or to prevent fraud; and
- Reporting possible criminal acts or threats to public security.
Our ‘lawful bases’ which we may rely upon are Consent, Performance of a contract and Legitimate Interests.
Situations in which we will use your personal information:
When information is requested or provided, it will be because we need it to perform our services and contract with you and to enable us to comply with legal obligations.
Specific situations where we may use your personal information include:
- Sending you information or content that is of specific interest to you;
- Making a decision about recommending you to prospective employers;
- Making a decision about your recruitment or appointment;
- Determining the terms on which you work for a client;
- Checking you are legally entitled to work in the UK;
- Equal opportunities monitoring.
Change of purpose:
We will only use your personal information for the purposes for which we collected it. If we wish to use your information for a different purpose, we will contact you to gain your explicit consent.
We may have to share your data with third parties, including third-party service providers and other entities in the group. We may transfer your personal information outside the EU.
We are satisfied that any personal data that is shared is fully protected and has the appropriate safeguards in place in accordance with GDPR.
Why might we share personal information with third parties?
We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Which third-party service providers process my personal information?
Third parties include third-party service providers and other entities within our own group. The following activities are carried out by third-party service providers: payroll, pension administration, administration and IT services.
The following providers process personal information on our behalf for the following reasons:
Bond Adapt: database provider that stores personal information securely.
MailChimp marketing platform: provides mailing services, data may be processed in form of email addresses.
Dropbox: file hosting service
Adobe: we send out electronic forms through this service, data will be sent via Adobe but will not be held with them.
How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
When might you share my personal information with other entities in the group?
Your personal information will never be shared by third parties and the only uses will be those that allow us to carry out the services that you have agreed to.
We have put in place measures to protect the security of your information. Details of these measures are available upon request.
Third parties will only process your personal information on our instructions and where they have agreed to treat information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will only retain your information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Details of retention periods for different aspects of your personal information are available from us at your request.
To determine the appropriate retention period for personal data, we consider the amount, nature, sensitivity of the personal date, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once you are no longer an association of the company we will retain and securely destroy information in accordance with our data retention policy.
Rights of access, correction, erasure and restriction:
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information
- Request correction of the personal information that we hold about you
- Request erasure of your personal information
- Object to processing of your personal information
- Request the restriction of processing of your personal information
- Request the transfer of your personal information to another party
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information please put your request to us in writing.
No fee usually required:
You will not have to pay a fee to access your personal information. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you:
We may need to request specific information from you to help us confirm your identity and ensure your right to access information. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent:
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for any specific purpose, you have the right to withdraw your consent for the specific processing at any time.
To withdraw your consent please contact us in writing. Once we have received your request your information will no longer be processed.
Data protection officer:
We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Officer – Andrew Love at firstname.lastname@example.org.
You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.
Changes to this privacy notice:
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.