Privacy Notice
PRIVACY NOTICE
The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we hold on you. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This Notice provides information to Candidates, Clients, Suppliers, Website Users and People whose data we receive from work seekers and employees , such as referees and emergency contacts..
The Company is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows: 15 Neptune Court, Cardiff, CF24 5PJ
The Company is a child development and recruitment business which provides work-finding services to its clients and work-seekers. The Company must process personal data (including sensitive personal data) so that it can provide these services – in doing so, the Company acts as a data controller.
You may give your personal details to the Company directly, such as on an application or registration form or via our website, or we may collect them from another source such as a jobs board, or third parties such as referees. The Company must have a legal basis for processing your personal data.
Throughout this notice we use terms ‘employer’, ‘employee’, and ‘employment’. This is for ease of reading and applies to all employees, agency workers, consultants, etc whether engaged under a contract of service or contract for services.
- Data Protection Principles
In relation to your personal data, we will:
- process it fairly, lawfully and in a clear, transparent way
- collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you
- only use it in the way that we have told you about
- ensure it is correct and up to date
- keep your data for only as long as we need it
- process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed
- Collection and use of personal data
Work Seekers
Why we process your data
The Company will collect your personal data (which may include sensitive personal data) and will process your personal data for the purposes of providing you with work-finding services, training to support your work and to manage the employment relationship. This applies to current and former employees, workers and contractors. We need to process your data during recruitment, during your employment with us, and following the termination of your employment.
The law on data protection allows us to process your data for certain reasons only:
- in order to perform the employment contract that we are party to
- in order to carry out legally required duties
- in order for us to carry out our legitimate interests
- to protect your interests and
- where something is done in the public interest.
All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data.
To enter into and perform your contract with us to provide the services (for example, performance and administration of the work-seeking / employment contract, ensuring you have the right skills and qualifications for the role, monitoring performance, ensuring you are paid.)
We also need to collect your data to ensure we are complying with legal requirements (for example, ensuring tax and National insurance is paid, carrying our checking in relation to your right to work in the UK, compliance with employment and equalities legislation)
We also collect data so that we can carry out activities which are necessary for our legitimate business interests and the interests of the work seeker. These include:
- providing and administering the work seeking service that you have requested, including keeping up to date personnel information, deciding on suitability for roles, putting your details forward to prospective employers, making decisions on pay, monitoring conduct and performance
- keeping you up to data with products and services such as training that will enhance your ability to secure work and the services provided by the company
- ensuring we can administratively and strategically run our business, including business planning, disaster recovery, preventing fraud, and dealing with any legal claims made against us.
- ensuring our administrative and IT systems are secure and robust against unauthorised access
We believe that processing your data in this manner is a necessary, proportionate and reasonably expected outcome of your relationship with the Company as it is required to provide the services you have requested and that by processing this data it will have a minimal impact on your privacy and rights.
Special categories of data
Special categories of data are data relating to your:
- health
- sex life
- sexual orientation
- race
- ethnic origin
- political opinion
- religion
- trade union membership
- genetic and biometric data.
We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:
- you have given explicit consent to the processing
- we must process the data in order to carry out our legal obligations
- we must process the data in order to carry out the work-finding services / employment contract
- we must process data for reasons of substantial public interest
- you have already made the data public.
We will use your special category data:
- for the purposes of equal opportunities monitoring
- in our sickness absence management procedures
- to determine reasonable adjustments
- assess capacity to work
- ensure statutory payments are made in accordance with the law
We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.
Criminal conviction data
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment. We use criminal conviction data to assess suitability for a role in line with our legal obligations. The level of the criminal convictions check will be dependent on the type of role being undertaken and will be conducted in line with legal requirements
If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of employment. If you do not provide us with the data needed to do this, we will unable to perform those duties, e.g. ensuring you are paid correctly. We may also be prevented from confirming, or continuing with, your employment with us in relation to our legal obligations if you do not provide us with this information, e.g. confirming your right to work in the UK or, where appropriate, confirming your legal status for carrying out your work via a criminal records check.
Types of Data that we process
The personal data, including sensitive personal data, that we collect includes:
- Your name and date of birth
- Your address, telephone number and personal email address
- Your identification documents and information about your immigration status / right to work
- Your national insurance number and details of your tax status
- Information about your previous employment history and experience
- Your qualifications and professional memberships
- Your job title and locations of work.
- Information about your contract with us, including start date, working hours, assignment details, pay rates
- Details of any training received
- Your gender, marital status and details of any dependants
- Contact details for your emergency contact / next of kin
- Information about your performance
- Details of any grievances, complaints, or safeguarding issues raised or in with which you were involved
- Disciplinary records including investigations and warnings
- DBS Criminal Records Information (where required to meet our legal obligations and regulatory requirements)
- References
- Bank Details so we can pay you
- Financial information (including but not limited to payroll details and terms, HMRC data, pension scheme details, court orders and statutory payments)
- Relevant Health Information required to assess capacity to work, manage statutory payment, make reasonable adjustments to comply legal obligations
- Records of any correspondence between you and the Company about your employment
- Recordings of telephone conversations between you and the Company for the provision of work-finding services and to manage the employment relationship
- Equality details to ensure compliance with relevant equalities legislation and employment law.
- Images of you from our on-site CCTV systems if you attend at our offices.
- IP addresses
- Other information relevant to assessing suitability for the role.
This list is not exhaustive.
Sharing your data
The Company will process your personal data and/or sensitive personal data with the following recipients:
- Colleagues within SuperStars where it is necessary for them to undertake their duties
- Clients, for the provision of work finding services
- Local Authorities
- National Procurement Service
- Selected 3rd party processors, including those utilised to maintain internal software / hardware, for communications purposes or where we outsource any of our business functions under which we collect or store your data, in which case we will ensure that any such service provider adheres to at least the same obligations of security with regard to your data as undertaken by us
- Pension Providers
- HMRC
- Disclosure and Barring Service
- Any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights if a third party
- Internal Accountants and Professional Advisors
- Referees
- Relevant Safeguarding Authorities
- Relevant External Training Providers
We may also share your data as part of a Company sale or restructure, or for other reasons to comply with legal obligations upon us.
We will never sell your data to third parties for the purposes of marketing. Where your data is transferred to a third party acting as a data processor, the Company will:
- Ensure that the third party has sufficient security measures in place to protect the processing of data
- Have in place a written contract establishing what personal data will be processed and for what purpose
Clients / Customers
Why we process your data
The Company will collect your personal data and will process your personal data for the purposes of providing you with work-finding services, meeting your recruitment requirements and keeping you up to data with our products and services. We may also require this information to help us to establish, exercise or defend legal claims.
The law on data protection allows us to process your data for certain reasons only:
- in order to perform the contract that we are party to
- in order to carry out legally required duties
- in order for us to carry out our legitimate interests
- to protect your interests and
- where something is done in the public interest.
All the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data.
To enter into and perform your contract with us to provide the services (for example, contacting you to provide work finding / recruitment service and ascertain requirements, to send you details of workers, invoices and other documents to fulfil the service.)
To meet our legal obligations, (for example ensuring we comply with employment and equalities legislation, to prevent fraud)
We also collect data so that we can carry out activities which are necessary for our legitimate business interests and the interests of Client or Work Seeker. These include:
- providing and administering the work seeking service / recruitment service that you have requested, including obtaining information on recruitment needs, role requirements, providing you with worker details, invoicing and payments
- providing you with updates to our products and services, such as offers and training opportunities
- ensuring we can administratively and strategically run our business, including business planning, disaster recovery, preventing fraud, and dealing with any legal claims made against us.
- ensuring our administrative and IT systems are secure and robust against unauthorised access
We believe that processing your data in this manner is a necessary, proportionate and reasonably expected outcome of your relationship with the Company as it is required to provide the services you have requested and that by processing this data it will have a minimal impact on your privacy and rights.
Where one of these reasons applies we may process your data without your consent.
If you do not provide your data to us
You may choose not to give us certain data, but you should be aware that this may prevent us from entering into a contract with you or complying with our legal obligations and this may in term affect our ability to provide the service to you.
Types of Data we process
The personal data that we collect includes:
- Name, telephone number, email address, roles of key contacts within your organisation
- Any other information you provide necessary to provide the services to you
This list is not exhaustive.
Sharing your data
The Company will process your personal data and/or sensitive personal data with the following recipients:
- Colleagues within SuperStars where it is necessary for them to undertake their duties
- Candidates, for the provision of work finding services
- Local Authorities
- National Procurement Service
- Selected 3rd party processors, including those utilised to maintain internal software / hardware, for communications purposes or where we outsource any of our business functions under which we collect or store your data, in which case we will ensure that any such service provider adheres to at least the same obligations of security with regard to your data as undertaken by us
- Any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights if a third party
- Internal Accountants and Professional Advisors
- Recruitment and Employment Confederation
- Relevant Safeguarding Authorities
- Relevant External Training Providers
We may also share your data as part of a Company sale or restructure, or for other reasons to comply with legal obligations upon us.
We will never sell your data to third parties for the purposes of marketing. Where your data is transferred to a third party acting as a data processor, the Company will:
- Ensure that the third party has sufficient security measures in place to protect the processing of data
- Have in place a written contract establishing what personal data will be processed and for what purpose
Suppliers
Why we process your data
The Company will collect your personal data and will process your personal data for the purposes of offering services to you or obtaining support, products and services from you. We require this information in relation to our agreements with you to contact you and administer the services. We may also require this information to help us to establish, exercise or defend legal claims.
The law on data protection allows us to process your data for certain reasons only:
- in order to perform the contract that we are party to
- in order to carry out legally required duties
- in order for us to carry out our legitimate interests
- to protect your interests and
- where something is done in the public interest.
All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data.
To enter into and perform your contract with us to provide the services (For example, to contact you to procure / provide services and products, administration of the service, invoicing and payment).)
To meet our legal obligations, (for example ensuring we comply with employment and equalities legislation, to prevent fraud)
We also collect data so that we can carry out activities which are necessary for our legitimate business interests. These include:
- contacting you to procure or provide the services and products from you and the future administration of any products or services provided.
- providing you with updates to our products and services,
- ensuring we can administratively and strategically run our business, including business planning, disaster recovery, preventing fraud, and dealing with any legal claims made against us.
- ensuring our administrative and IT systems are secure and robust against unauthorised access
We believe that processing your data in this manner is a necessary, proportionate and reasonably expected outcome of your relationship with the Company as it is required to provide the services you have requested and that by processing this data it will have a minimal impact on your privacy and rights.
Where one of these reasons applies we may process your data without your consent.
If you do not provide your data to us
You may choose not to give us certain data, but you should be aware that this may prevent us from entering into a contract with you or complying with our legal obligations and this may in term affect our ability to provide the service to you.
Types of data we process
The personal data that we collect includes:
- Name, telephone number, email address, roles of key contacts within your organisation
- Any other information you provide necessary to provide / receive the services to you
This list is not exhaustive.
Sharing your data
The Company will process your personal data and/or sensitive personal data with the following recipients:
- Colleagues within SuperStars where it is necessary for them to undertake their duties
- Selected 3rd party processors, including those utilised to maintain internal software / hardware, for communications purposes or where we outsource any of our business functions under which we collect or store your data, in which case we will ensure that any such service provider adheres to at least the same obligations of security with regard to your data as undertaken by us
- Any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights if a third party
- Internal Accountants and Professional Advisors
- Relevant Safeguarding Authorities
We will never sell your data to third parties for the purposes of marketing. Where your data is transferred to a third party acting as a data processor, the Company will:
- Ensure that the third party has sufficient security measures in place to protect the processing of data
- Have in place a written contract establishing what personal data will be processed and for what purpose
Website Users
We collect a limited amount of data from our Website Users which we use to help us to improve your experience when using our website and to help us manage the services we provide. This includes information such as how you use our website, the frequency with which you access our website, your browser type, the location you view our website from, the language you choose to view it in and the times that our website is most popular. If you contact us via the website, for example by using the enquiry function, we will collect any information that you provide to us, for example your name and contact details.
When you visit our website there is certain information that we may automatically collect, whether or not you decide to use our services. This includes your IP address, the date and the times and frequency with which you access the website and the way you browse its content.
We process your data through our websites:
- In order to enter into and / or administer the contract the services requested
- In order for us to carry out our legitimate interests, including to provide / administer work finding or recruitment services to our candidates and clients and ensuring we can administratively and strategically run our business.
We believe that processing your data in this manner is a necessary, proportionate and reasonably expected outcome of the use of our websites and that processing your data in this manner will have a minimal impact on your privacy and rights.
More specifically, we will process your data in the following ways:
Client and Candidate Registration
Registering as either a client or candidate with SuperStars requires that the registrant supply sufficient data for us to provide the required service to the registrant. This data will out of necessity include personally identifiable information, and may be used by us in order to obtain further information about a registrant (e.g. when conducting DBS checks). Please see the sections on clients and candidates in this Notice for further information.
Enquiry Forms
Visitors who use the mail forms to contact SuperStars are required to enter a valid email address, and may also be required to enter their name. This information is required to enable the recipients of messages to be able to identify the sender(s) and to permit them to provide a response. Any visitor that does not wish to disclose this information must not use the mail forms. Responsibility and/or liability for their use remains with the sender.
Emails sent via these forms, along with those sent via a standard email client, may be held on our email systems indefinitely, and may be accessible by other parties than the intended recipient (including systems administrators, managers and directors).
Visitor Statistics
When someone visits this web site we collect standard server log information and some details relating to visitor behaviour (pages and files viewed, entry and exit pages, country, browser type, etc.). We do this to find out things such as the number of visitors to the various parts of the site and how they found that information which we use in order to help improve the web site. We collect this information in a way which does not identify anyone and we do not make any attempt to find out the identities of those visiting our web sites. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want or need to collect personally identifiable information through our website, we will be clear about when and why we are collecting this information. In addition to the server log files we also use Google Analytics in order to assess how our web sites are being used, and this data is treated in the same manner as that from the server logs.
To opt out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout.
People whose data we receive from work seekers and employees, such as referees and emergency contacts
Why we process your data
The Company will collect your personal data and will process your personal data for the following purposes:
- Emergency Contacts – to contact you in the event of an accident or emergency affecting the individual who provided your details
- Referees – if you were put down as a referee by a candidate or prospective employee. We will contact you to take up a reference
The law on data protection allows us to process your data for certain reasons only:
- in order to perform the contract that we are party to
- in order to carry out legally required duties
- in order for us to carry out our legitimate interests
- to protect your interests and
- where something is done in the public interest.
All of the processing carried out by us falls into one of the permitted reasons.
We collect data so that we can carry out activities which are necessary for our legitimate business interests and the interests of our candidates. These include:
- If you have been put down by a Candidate or a prospective member of Staff as one of their referees, we use your personal data in order to contact you for a reference. This is a part of our quality assurance procedure and so we deem this to be necessary for our legitimate interests as an organisation offering recruitment services and employing people ourselves.
- If a Candidate or Staff member has given us your details as an emergency contact, we will use these details to contact you in the case of an accident or emergency. This is also in the legitimate interests of both the candidates and the emergency contact.
We believe that processing your data in this manner is a necessary, proportionate and reasonably expected outcome of the legitimate interests and activities of the Company and benefits all parties involved whilst having a minimal impact on your privacy and rights.
Where one of these reasons applies we may process your data without your consent.
Types of data we process
The personal data that we may collect includes:
- Your Name, telephone number, email address, job title, place of work, relationship to work seeker / employee
- Any other information you provide us in the reference
This list is not exhaustive.
Sharing your data
The Company will process your personal data and/or sensitive personal data with the following recipients:
- Colleagues within SuperStars where it is necessary for them to undertake their duties
- Selected 3rd party processors, including those utilised to maintain internal software / hardware, for communications purposes or where we outsource any of our business functions under which we collect or store your data, in which case we will ensure that any such service provider adheres to at least the same obligations of security with regard to your data as undertaken by us
- Any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights if a third party
- Internal Accountants and Professional Advisors
- Work-Seeker for whom the reference is provided
- Clients where it is necessary for the work seekers role.
We will never sell your data to third parties for the purposes of marketing. Where your data is transferred to a third party acting as a data processor, the Company will:
- Ensure that the third party has sufficient security measures in place to protect the processing of data
- Have in place a written contract establishing what personal data will be processed and for what purpose
- Overseas Transfers
We do not share your data with bodies outside of the European Economic Area.
- How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for. Retention periods can vary depending on why we need your data. Different laws require us to keep different data for different periods of time.
For example:
The Conduct of Employment Agencies and Employment Businesses Regulations 2003, require us to keep work-seeker records for at least one year from (a) the date of their creation or (b) after the date on which we last provide you with work-finding services.
We must also keep your payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation.
Where the Company has obtained your consent to process your personal data and / or sensitive personal data we will do so in line with our data retention policy. Upon expiry of that period the Company will seek further consent from you. Where consent is not granted the Company will cease to process your personal and / or sensitive data.
The Company will only retain your personal data for periods as set out in our Data Retention Policy, unless otherwise specified by law.
- Automated decision making
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
- Your rights
Please be aware that you have the following data protection rights:
- The right to be informed about the personal data the Company processes on you;
- The right of access to the personal data the Company processes on you;
- The right to rectification of your personal data;
- The right to erasure of your personal data in certain circumstances;
- The right to restrict processing of your personal data;
- The right to data portability in certain circumstances;
- The right to object to the processing of your personal data that was based on a public or legitimate interest;
- The right not to be subjected to automated decision making and profiling; and
- The right to withdraw consent at any time.
Where the Company have relied on your consent for processing your personal data and/or sensitive personal data you have the right to withdraw that consent at any time by contacting recruitment.team@super-stars.org.uk There will be no consequences for withdrawing your consent. However, in some cases we may continue to use data where so permitted by having a legitimate reason for doing so.
- Complaints or queries
If you wish to exercise any of the rights listed in this notice or to complain about this privacy notice or any of the procedures set out in it please write to ‘Data Protection, SuperStars, 15 Neptune Court, Cardiff. CF24 5PJ
You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.
- Data Protection Officer
The Company’s Data Protection Officer can be contacted by emailing or writing to recruitment.team@super-stars.org.uk:
Data Protection, SuperStars, 15 Neptune Court, Cardiff. CF35 5HZ