We appreciate the trust you place in us when sharing your personal data. The security of that data is very important to us. In this document we will explain how we collect, process, use and protect your personal data.
We will also explain what rights you have with regards to your personal data and how you can exercise those rights.
UK organisations that process personal data are currently bound by two laws: the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’) and the UK Data Protection Act 2018 (‘UK DPA’). With Brexit now underway, both laws continue to apply until the end of the transition period (31 December 2020).
The EU GDPR will no longer apply directly in the UK at the end of the transition period. However, UK organisations must still comply with its requirements after this point.
First, the UK DPA enacts the EU GDPR’s requirements in UK law. Second, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amends the UK DPA and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit. This new regime will be known as ‘the UK GDPR’.
There is very little material difference between the EU GDPR and the proposed UK GDPR
Your rights under the EU GDPR are set out in this notice. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
Who we are
We are WHITEHALL RESOURCES LIMITED.
Our Group means our subsidiaries, our ultimate holding company and its subsidiaries, our associated companies as defined in section 1159 of the UK Companies Act 2006.
For the purposes of data protection legislation in force from time to time the data controller is us. Our registered office is 350 The Crescent, Colchester, Essex, CO4 9AT. You are the data subject.
If you have any questions about how we process personal data or would like to exercise your data subject rights, please email us as DPO@whitehallresources.co.uk
What we do and websites within scope
We are a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003 (our business).
Our core business is the introduction of candidates to our clients for the purpose of temporary or permanent engagement. However, our services expand to supporting individuals throughout their career and to supporting businesses’ resourcing needs and strategies.
This policy also includes data that is collected by telephone, through Livechat, e-mail or otherwise.
Collection of personal data
We collect the personal data from the following entities to allow us to undertake our core business and ancillary activities:
- prospective and placed candidates/consultants and temporary workers for permanent or temporary roles;
- prospective and live client contacts;
- supplier and/or any other third party contacts to support our services.
We collect personal data from you for one or more of the following purposes:
- to provide you with information about the services we offer including information that you have requested or we think may be of interest to you;
- to initiate and complete an engagement for a permanent or temporary role;
- to fulfil a contract that we have entered into with you or with the entity that you represent.
- To ensure the security and safe operation of our websites and underlying business infrastructure;
- To manage communications between you and us.
You provide your personal data when you register to use our site, to enter our database, subscribe to our services, attend our events, participate in discussion boards or other social media functions on our site, enter a competition, promotion or survey, and when you report a problem with our site.
The personal data you give us or we collect about you may include your name, address, private and corporate e-mail address and phone number, financial information, compliance documentation and references verifying your qualifications and experience and your right to work in the United Kingdom or other countries, curriculum vitae and photograph, links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, Xing, business Facebook or corporate website.
To ensure that each visitor to any of our websites can use and navigate the site effectively, we also collect the following:
- technical information, including the IP address used to connect your device to the internet;
- your login information, browser type and version, time zone setting, browser plug in types and versions;
- operating system and platform;
- information about your visit, including the URL (Uniform Resource Locators) to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs).
Personal data we collect from other sources
We may collect your personal data from other sources such as LinkedIn, corporate websites, job board websites, online CV libraries, your business card, personal recommendations, and other public sources. In this case we will inform you, by sending you this privacy notice, within a maximum of 30 days of collecting the data of the fact we hold personal data about you and for what purpose we intend to retain and process your personal data.
How we use your data
In order to introduce candidates to clients, as well as supporting our candidates’ career aspirations and supporting our clients’ resourcing needs, we require a database of candidate and client personal data containing historical information as well as current resourcing requirements. The personal data in that database is used to maintain, expand and develop our business; exchange of this personal data between our candidates and clients is paramount to our business.
We may also use your data:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
- to notify you about changes to our service;
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
We do not undertake automated decision making or profiling. We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision-making process.
Lawful basis for processing of personal data
Our business architecture, accounting and systems infrastructure and compliance organisation means that all personal data is processed on common, group wide platforms. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. A number of data elements are collected for multiple purposes as discussed below. Some data may be shared with third parties.
When we process personal data, we do so on the lawful basis of ‘legitimate interest’, although we may also rely on contractual fulfilment (i.e. if we are negotiating or have entered into a contract with you or your organisation) or statutory obligation (i.e. if we are legally required to hold personal data on to you to fulfil our legal obligations). We may in some circumstances rely on consent for particular uses of your data and you will be asked for your express consent, if legally required.
When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:
The Purpose Test: is there a legitimate interest behind the processing?
Necessity Test: is the processing necessary for that purpose?
Balancing Test: is the legitimate interest overridden or not by the individual’s interests, rights or freedoms?
Disclosure of your personal data inside and outside of the EEA
We may share your personal data with:
- Any member of our group both in the EEA and outside of the EEA;
- Selected third parties including:
- clients for the purpose of an introduction;
- candidates for the purpose of arranging interviews and engagements;
- clients, business partners, suppliers and sub-contractors for the performance and compliance obligations of any contract we enter into with them or you;
- advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users. We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience;
- analytics and search engine providers that assist us in the improvement and optimisation of our site.
- Credit reference agencies, our insurance broker, compliance partners and other sub-contractors.
We will lawfully disclose your personal data to third parties in the event:
- we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
- if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
- we are under a statutory duty to disclose or share your personal data and/or we are applying our terms and/or other agreements and/or we are required to protect the rights, property, or safety of us or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Storage of Personal Data
The data that we collect from you may be transferred to, or stored at, a destination outside the European Economic Area (”EEA”). It may be transferred to third parties outside of the EEA for the purpose of our recruitment services. It may also be processed by staff operating outside the EEA who work for us. This includes staff engaged in, among other things, our recruitment services and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice.
All personal data you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
Retention of your data
We understand our legal obligation to retain accurate data and only retain personal data for as long as we need it for our legitimate business interests and that you are happy for us to do so. Accordingly, we have a data retention notice and run data routines to remove data that we no longer have a legitimate interest in maintaining.
We may archive part or all of your personal data or retain it on our financial systems only, deleting all or part of it from our main Customer Relationship Manager (CRM) system. We may pseudonymise parts of your data, particularly following a request for suppression or deletion of your data, to ensure that we do not re-enter your personal data on to our database, unless requested to do so.
For your information, Pseudonymised Data is created by taking identifying fields within a database and replacing them with artificial identifiers, or pseudonyms.
Our current retention notice is available upon request.
Your rights as a data subject
As a data subject whose personal data we hold, you have certain rights. If you wish to exercise any of these rights, please email DPO@whitehallresources.co.uk or use the information supplied in the Contact Us section below. To process your request, we will ask you to provide two valid forms of identification for verification purposes. Your rights are as follows:
The right to be informed
The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has been disclosed;
- the retention period or envisioned retention period for that personal data;
- when personal data has been collected from a third party, the source of the personal data.
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
The right to rectification
When you believe we hold inaccurate or incomplete personal data about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete data is not processed until it is corrected.
The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing
- a) The accuracy of the personal data is contested;
- b) Processing of the personal data is unlawful;
- c) We no longer need the personal data for processing but the personal data is required for part of a legal process;
- d) The right to object has been exercised and processing is restricted pending a decision on the status of the processing.
The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
The right to object
You have the right to object to our processing of your data where:
- Processing is based on legitimate interest;
- Processing is for the purpose of direct marketing;
- Processing is for the purposes of scientific or historic research; or
- Processing involves automated decision-making and profiling.
Please note Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Changes to our privacy notice
Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy notice.
Alternatively, you can contact us using the following postal address or telephone number:
Whitehall Resources Ltd
350 The Crescent
Colchester Business Park
Should you wish to discuss a complaint, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.
Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For the UK, this is the ICO (Information Commissioner’s Office), which is also our lead supervisory authority. Its contact information can be found at https://ico.org.uk/global/contact-us/.