The Di Bridges Partnership LLP is dedicated to protecting the personal data and privacy of our clients and candidates. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom, including the EU General Data Protection Regulation (the “GDPR”), the Data Protection Act 1998 (as amended) and other legislation relating to personal data and rights, such as the Human Rights Act. As you may be aware, the law on data privacy in the UK (and across the EU) is changing on 25 May 2018, pursuant to the GDPR. We have therefore updated our policy and are further upgrading our already sophisticated systems and practices to ensure we maintain a high standard of privacy and data protection in accordance with the latest legal requirements.
The contact details, email and postal address of the data controller are set out at the foot of this policy.
The company will comply with the General Data Protection Regulation 2018. This says that the personal data we hold about you as Data Controller must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
We will ensure that the information you submit to us via our website or through any of our offices is only used for the purposes (and on the lawful bases) set out in this policy.
It is important that you read this Policy together with any updates to our fair processing note set out below from time to time so that you are fully up-to-date and aware as to how we are using your data. We also work and share your data with third parties, notably prospective employers, for the purposes of delivering our first-class professional search services to you. When you leave our website we encourage you to read the privacy notice of every website you visit.
The company will collect (and hold, as Data Controller) some or all of the following personal data (from customers, website visitors, employees, suppliers and contractors) where necessary to perform its tasks:
- Names, titles, and aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Where they are relevant to the services provided by a company, or where you provide them to us, we may process information such as gender, age, marital status, nationality, education/work history, academic/professional qualifications, salary details, [photographs?] hobbies, family composition, and dependants;
- Where you pay for activities or services, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
- [marketing and communications data, including marketing preferences, customer feedback and survey responses];
- [data from third-party and public sources, including LinkedIn]; and
- [Automated technology] [or is this all captured above?]
How, why and for what purposes do we use your personal data?
- Please see our fair use policy, which summarises our fair uses of the personal data we collect and the legitimate basis for our use.
- Generally we do not rely on consent as a legal basis for processing your personal data by Di Bridges Partnership, other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
- We require all third parties with whom we share personal data to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. We have entered into specific data sharing agreements with each of these parties for these purposes.
Do we need your consent to process your sensitive personal data?
- In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive personal data. If we do so, we will provide you with full details of the personal data that we would like, the reason we need it and why we consider this purpose to be lawful, so that you can carefully consider whether you wish to consent.
Curriculum vitae (‘CV’)
We give you the option of submitting your CV via our website or by providing your CV to one of our consultants. You can do this either to apply for a specific advertised job or for consideration by our recruitment consultants for positions as they come up. Your CV will be stored in our database and will be accessible by our team of consultants. You can update your CV at any time, simply by following the same procedure to submit a new CV. Your old CV will automatically be archived providing the submission details remain the same (for example you submit both CVs using the same email address, or you advise the relevant contact of your new submission).
In particular, whenever you provide us with or upload to your website account with us a copy of your latest CV, you will have the option to tick a box to confirm that you consent to our sharing this with prospective employers with a view to putting your credentials forward for consideration in respect of appropriate opportunities.
Sharing your personal data
This section provides information about the third parties with whom the company may share your personal data. These third parties have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data.
Please visit our website for a list of the data controllers that your personal data may be shared with.
Your personal information may also be shared with any company that is a member of our group of companies, where necessary for internal administrative purposes, corporate strategy, auditing and monitoring and research and development. We may also share your personal information with our group companies where they provide products and services to us that help us to provide products and services to you as our customer.
- HR teams and relevant individuals (on a strictly ‘need to know’ basis) from within prospective employers we represent, in order to connect you with high quality opportunities best suited to your CV and professional profile;
- Our agents, suppliers and contractors. For example, we may ask a commercial provider to publish or distribute newsletters on our behalf, or to maintain our database software;
- On occasion, other companies with which we are carrying out joint ventures;
- Dispute and complaints services, should we need to resolve a complaint with you;
- IT service providers (e.g. Mailchimp, for e-marketing purposes, and MicroDec for managing our contacts database), to enable us to manage and host our IT platforms;
- Social media platforms and management tools, to enable us to respond to any communications with you via our social media channels;
- Marketing and advertising agencies, to help us develop our marketing communications so that they are relevant for you.
We will also disclose your personal data to third parties:
- where it is in our legitimate interests to do so to run, grow and develop our business:
- if we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if Di Bridges Partnership LLP or substantially all of its assets are acquired by a third party, in which case personal data held by us will be one of the transferred assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
- to enforce our contract with you, to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or
- to protect the rights, property or safety of Di Bridges Partnership, our employees, customers, suppliers or other persons.
Where we do not already have your valid consent in place in accordance with the law, we will obtain your express OPT-IN consent before we share your personal data with any third party for marketing purposes. To re-emphasise, we will only share a copy of or extract from your CV with third parties where and to the extent we have your OPT-IN consent to do so.
How long do we keep your personal data?
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 5 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations. The company is permitted to retain data in order to defend or pursue claims; we will retain some personal data for this purpose for as long as we believe it is necessary to be able to defend or pursue a claim.
In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Controlling Access to your Data
Wherever you are required to submit Data, you will be given options to restrict our use of that Data. This will expressly seek your OPT-IN consent to the following:
- the use of Data for direct marketing purposes and also for market research purposes; and
- objecting to us sharing Data with third parties.
Keeping your data secure
Specifically, the personal data which we collect from you is stored:
- in all cases, on our behalf by a third party provider in a managed database maintained within the Cloud; and
- in some cases, also in Excel documents maintained by our staff.
Data security is of great importance to Di Bridges Partnership and to protect your Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Data collected by us in relation to your use of the Web Site and any Services or Systems therein.
These measures are designed and deployed in order to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. We limit access to those employees, agents, contractors and other third parties who have a legitimate reason for accessing such data and/or where your explicit consent has been obtained in advance.
We have put in place procedures to deal with any suspected personal data breach (e.g. accidental release or disclosure or unauthorized access) and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your rights and your personal data
You have the following rights with respect to your personal data:
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
- The right to access personal data we hold on you – SUBJECT ACCESS REQUESTS
At any point you can contact us to request the personal data we hold on you as well as why we have that personal data, how we process it (and that we are doing so lawfully), who has access to the personal data and where we obtained the personal data from. Once we have received your request we will respond within 30 days.
There are no fees or charges for the first request but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee.
- The right to correct and update the personal data we hold on you
If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated (although we may need to verify the accuracy of the new data you provide to us).
- The right to have your personal data erased
If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold.
When we receive your request we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need it in order to comply with a legal or regulatory obligation).
- The right to object to the processing of your personal data or to restrict it to certain purposes only
You have the right to request that we stop processing your personal data or ask us to restrict processing (e.g. because you want to check that the data we hold is accurate before we do so, or because you consider our use of the data is unlawful but you nevertheless wish us to retain it, or because you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it). Upon receiving the request we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data.
- The right to data portability
You have the right to request that we transfer some of your data to you or to another controller. We will comply with your request, where it is feasible to do so, within 30 days of receiving your request. We will provide to you (or a third party you have chosen), your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained
You can withdraw your consent easily by telephone, email, or by post (see Contact Details below). This will not affect the lawfulness of any processing carried out before you withdraw your consent. Please also note that if you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- The right to lodge a complaint with the Information Commissioner’s Office.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
To comply with current legislation, we need to ask for your consent to set cookies on our website.
When you arrive on our website a pop-up message will appear informing you that we would like to place cookies on your device. If you, or another user of your computer, wish to withdraw your consent at any time, you can do so by altering your browser settings; otherwise we will assume that you are happy to receive cookies from our website. For more information please visit http://www.allaboutcookies.org/ and http://www.youronlinechoices.com/uk/
Transfer of Data Abroad
Your Data may be transferred outside the European Economic Area (EEA). In the event Data is transferred outside of the EEA, we will take the legally required precautions to ensure it is appropriately protected, and that any such international transfer is carried out only in accordance with the Data Protection Act 1998 and the EU General Data Protection Regulation. Di Bridges Partnership LLP has in place compliant Data Transfer Agreements with all non-EEA third party recipients of your personal data which ensure minimum adequate safeguards of your personal data when it is exported to a location outside of the EEA.
Save as expressly detailed above, we will never share, sell or rent any of your personal data to any third party without notifying you and/or obtaining your consent. Where you have given your consent for us to use your personal data in a particular way, but later change your mind, you should contact us and we will stop doing so.
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Changes to this notice
We keep this Privacy Notice under regular review and we will place any updates on www.thedibridgespartnership.com. This Notice was last updated in [May] 2018.
Please contact us if you have any questions about this Privacy Notice or the personal data we hold about you or to exercise all relevant rights, queries or complaints at:
The Di Bridges Partnership LLP, 14-15 Montpellier Arcade, Cheltenham, GL50 1SU