May 2021 / Version 1
This Privacy Notice may be updated from time to time, and you can check www.workgaps.com/privacy regularly so that you can read the most up-to-date version.
WorkGaps HR Ltd (“WorkGaps”) and its subsidiary companies (see Annex 1) acts as both a recruitment agency and recruitment business as defined under The Conduct of Employment Agencies and Employment Businesses Regulations 2003 (“Conduct Regs”).
1. Information about us
Data protection queries can be sent to us via our Contact Us page (www.workgaps.com/contact-us):1.
(2) Prospective Candidate,
(3) Person with whom we contact to provide us with assistance in relation to one of our Candidates (e.g. referees and emergency contacts),
(6) Temporary Worker,
(7) Permanent Worker, or
(8) You are visiting our Website
3. What is Personal Data?
Personal data is defined by the UK GDPR and EU GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier’.
In simpler terms, personal data is any information about you that enables you to be identified (either on its own or when combined with other data we may hold on you). Personal data covers obvious information such as your name and contact details, but it also covers information such as identification numbers, electronic location data, and other online identifiers.
4. Our Legal Bases for processing your data
Depending on the type of personal data in question and the grounds on which we are processing it, should you decline to provide us with such data or ask us to stop processing it, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship or may have to bring that relationship to a close (i.e. because we cannot continue it without personal data about you).
In the course of providing work-finding services to our clients and work-seekers, where WorkGaps acts as a Data Controller, it will be necessary, and in our legitimate interest to process personal data, as defined under article 6(1)(f) UK GDPR and EU GDPR.
Establishing, Exercising or Defending Legal claims
Sometimes it will be necessary for us to process personal data and, where appropriate and in accordance with our legal obligations and regulatory requirements, sensitive personal data in connection with exercising or defending legal claims.
Article 9(2)(f) of the UK GDPR and EU GDPR allows this where the processing “is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity“.
This will arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
To Exercise our Rights or Carry out our Employment and Social Security Legal Obligations
For some Candidates, Temporary Workers and individuals it will sometimes be necessary for us to process your sensitive/special category personal data, for the purpose of ensuring compliance with our legal obligations and regulatory requirements.
For example, we may process your medical data to enable us to provide you with adequate support if you suffer from a health condition or disability, for example by sharing medical information about you with an occupational health specialist, in order to determine prognosis and return to work arrangements, and to assess your working capacity more generally.
Article 9(2)(b) of the UK GDPR and EU GDPR allows us to do this where the processing is “necessary for the purposes of carrying out the obligations and exercising [our or your] specific rights… in the field of employment and social security and social protection law“, as long as this is allowed by law.
Where processing your personal data is necessary for us to carry out our obligations under our Contract with you, to ensure that you are properly fulfilling your obligations to us, and to ensure that we are fulfilling our obligations to others.
Article 6(1)(b) of the GDPR applies where processing of personal data “is necessary for the performance of a contract to which [you are] party or in order to take steps at [your] request … prior to entering into a contract”.
Where processing your personal data is necessary for us to carry out our Legal Obligations
In relation to the employment or engagement of Temporary Workers directly by us, as well as our obligations to you under our contract, we also have other legal obligations that we need to comply with. Article (6)(1)(c) of the UK GDPR and EU GDPR states that we can process your personal data where this processing “is necessary for compliance with a legal obligation to which [we] are subject”.
An example of a legal obligation that we need to comply with is our obligation to co-operate with tax authorities, including providing details of your remuneration and tax paid.
In addition to the UK GDPR and EU GDPR requirement for a lawful basis, where we send unsolicited electronic marketing to you we may also require either an opt-in consent or opt-out consent under the Privacy and Electronic Communication Regulations 2003 (“PECR”). That means we are permitted to market products or services to you which are related to the recruitment services we provide to you as long as you do not actively opt-out from these communications.
In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent under article 6 (1) (a) (UK GDPR and EU GDPR), or soft opt-in consent (PECR).
Article 4(11) of the UK GDPR and EU GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“. In plain language, this means that:
– you have to be in a position to give us your consent freely, without us putting you under any type of pressure to give or refuse that consent;
– you have to know what you are consenting to – so we will make sure we give you enough information;
– where consent is required, you should have control over which processing activities you consent to and which you don’t; and
– you need to take positive and affirmative action in giving us your consent – we are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion. We will keep records of the consents that you have given in this way.
You have the right to withdraw your consent to these activities. You can do so at any time by contacting us to let us know.
5. What Are My Rights?
One of the UK GDPR and EU GDPR main objectives is to protect and clarify the rights of EU and UK citizens and individuals in the EU and UK with regards to data privacy. This means that you retain various rights in respect of your data, even once you have given it to us. These are described in more detail below.
We will seek to deal with any request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we will, where necessary, keep a record of your communications to help us resolve any issues which you raise.
- Right to object:
This right enables you to object to us processing your personal data where we do so for one of the following four reasons:
(i) our legitimate interests;
(ii) to enable us to perform a task in the public interest or exercise official authority;
(iii) to send you direct marketing materials; and
(iv) for scientific, historical, research, or statistical purposes.
If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:
- we can show that we have compelling legitimate grounds for processing which overrides your interests; or
- we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
- Right to withdraw consent:
Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.
- Data Subject Access Requests (DSAR):
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
- Right to erasure:
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
– the data are no longer necessary for the purpose for which we originally collected and/or processed them;
– where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
– the data has been processed unlawfully (i.e. in a manner which does not comply with the UK GDPR and EU GDPR);
– it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller; or
– if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will delete the relevant data.
- Right to restrict processing:
You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either:
– one of the circumstances listed below is resolved;
– you consent; or
– further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important UK, EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
– where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
– where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
– where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
– where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
- Right to rectification:
You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
- Right of data portability:
If you wish, you have the right to transfer your personal data between data controllers. In effect, this means that you are able to transfer your WorkGaps account details to another online platform. To allow you to do so, we will provide you with your data in a commonly used machine-readable format that is password-protected so that you can transfer the data to another online platform. Alternatively, we will directly transfer the data for you. This right of data portability applies to:
- personal data that we process automatically (i.e. without any human intervention);
- personal data provided by you; and
- personal data that we process based on your consent or in order to fulfil a contract.
- Right to lodge a complaint with a supervisory authority:
You also have the right to lodge a complaint with the Information Commissioners Office (‘ICO’).
Phone: 0303 123 1113
Information Commissioner’s Office
If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please contact us.
Please note that we will, where necessary, keep a record of your communications to help us resolve any issues which you raise. You may ask to unsubscribe from any alerts or other marketing communications from us at any time by contacting us. It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
6. What Data do you collect about me and how; and how do you use it, share it and retain it?
The short-form information below can be found in more detail in our long-form section by clicking on the link relevant to what type of data subject you are on the website.
|Data Subject Type||What kind of personal data do we collect?||How do we collect your personal data?||How do we use your personal data?||Who do we share your personal data with?||How long do we keep your personal data for?|
|Candidates||In order to provide employment opportunities tailored specifically to you, we need to process certain information about you. We will only ask you for details that will assist us, such as your name, age, contact details, education details, employment history, emergency contacts, immigration status, financial information (for the purposes of processing financial background checks), and social security number, and any other relevant information you choose to share with us. Where appropriate and only in accordance with a statutory obligation or to ensure that any employment rights are respected, we will also collect sensitive and special category data related to your health, diversity information or details of any criminal convictions.||From you; or third parties; or we collect it automatically. Data you provide to us may include: 1) submission of your CV either in branch, at a job fair or online; 2) applying for a job via an aggregator that then redirects you to the WorkGaps brand webpage, Data provided by a third party may include: 1) references from referees; 2) clients, suppliers and other candidates may share your data with us; 3) if you like us on Facebook or Twitter we may receive your personal data from those sites; 4) if you were referred to us via an RPO or MSP they may share your personal data with us; 5) the Home Office may provide us with nationality and immigration status data where necessary and required; 6) Government databases may provide us with financial sanction and criminal records checks data where necessary and required||We generally use Candidate data in five ways: 1) Recruitment Activities; 2) Marketing Activities; 3) Equal Opportunities Monitoring; 4) To help us to establish, exercise or defend legal claims; 5) In appropriate circumstances, we may also use Candidate data in psychometric assessments.||Where appropriate and in accordance with our legal obligations and regulatory requirements, we will share your personal data, in various ways and for various reasons. Some services that we provide require the involvement of third parties. We have carefully selected these third parties and taken steps to ensure that your Personal Data is adequately protected. The third parties may include our clients, suppliers of IT services, pay-rolling services or vetting services.||Candidates with whom we have had no contact – 12 months. Candidates whom we have had contact but have not been placed – 2 years from the later of: Candidate registration Consent to represent received for Conduct Regs purposes, which is separate from any data protection consent Last meaningful contact *Exception: 5 years for contacted but not placed SRG Candidates|
|Prospective Candidates||If your information is made available online and we feel we can match it to the services we provide, we will collect and use this information about you to assess how we might be able to help with your job search and to get in touch with us.||We collect your personal data from third parties (for example via social media, professional networking, job aggregators and job site providers, and RPO or MSP suppliers where they refer you to us).||We use Prospective Candidate information in order to work out whether you might be interested in, or might benefit from, our services, and if so, to assess whether and how we may be able to help you out. If we think we can help you, we will use your information to get in touch with you about our services.||Where we have identified you as a Prospective Candidate we may share your information with any of our group companies and associated third parties such as our service providers in order to get in touch with you about our services.||6 months if no contact made, or 1 year from last meaningful contact. *Exception: 5 years for contacted but not placed SRG Candidates|
|Someone who assists us with one of our Candidates||We require a referee’s contact details (name, email address and telephone number) to enable us to confirm certain details provided by the Candidate or prospective employee, to facilitate the employment process. Emergency contact information (a name, email address and telephone number) is required in case of an emergency where we would need to contact someone on your behalf.||We collect your contact details only where a Candidate or a member of our Staff puts you down as their emergency contact or dependent or where a Candidate gives them to us in order for you to serve as a referee.||We use referees’ personal data to help our Candidates to find employment which is suited to them. If we are able to verify their details and qualifications, we can make sure that they are well matched with prospective employers. Where a referee is being asked to give a reference based on their professional experience of a Candidate, and where we think that they may be interested in becoming a Client of ours, we may also use their details to reach out to get in touch in that alternative capacity. We use the personal details of a Candidate or Staff member’s emergency contacts in the case of an accident or emergency affecting that Candidate or member of Staff. We use the personal data of the dependants or other beneficiaries of Staff to allow that Staff member to access certain benefits or employment rights.||Unless you specify otherwise, we will share your information with any of our group companies and associated third parties such as our service providers and organisations to whom we provide services.||6 months if no made, or 2 years from last meaningful contact.|
|Client||If you are a client of WorkGaps’ we need to collect and use information about you, or individuals at your organisation, in the course of providing you or offering you services such as: (i) finding the right Candidates for you or your organisation; (ii) providing you with a Managed Service Provider (‘MSP’) programme (or assisting another organisation to do so); (iii) providing you with Recruitment Process Outsourcing (‘RPO’) services (or assisting another organisation to do so).||We collect your personal data either: From you; or From third parties (e.g. our Candidates or Temporary Workers) and other limited sources (e.g. online and offline media).||The main reason for using information about Clients is to enable us to introduce ourselves to you and to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly. This will involve: identifying Candidates who we think will be the right fit for you or your organisation; providing you with an MSP programme (or assisting another organisation to do so); providing you with RPO services (or assisting another organisation to do so); and/or providing services to your employees, such as training courses. The more information we have, the more bespoke we can make our service.||We will share your data: primarily to ensure that we provide you with a suitable pool of Candidates; to provide you with an MSP programme (or assist another organisation to do so); to provide you with RPO services (or assist another organisation to do so); and/or to provide services to your employees, such as training courses. Unless you specify otherwise, we will share your information with any of our group companies and associated third parties such as our service providers to help us meet these aims.||6 months if no contact made, or 2 years from last meaningful contact.|
|Supplier||We need a limited amount of information from our Suppliers to enable the provision of your services to us and the fulfilment of our contractual obligations between us. Such details may include contact details of relevant individuals at your organisation so that we can communicate with you, and bank details so that we can pay for the services you provide.||We collect your personal data during the course of our work with you.||The main reasons for using your personal data are to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly, and to comply with legal requirements.||6 months if no contact made, or 2 years from last meaningful contact.|
|Temporary Worker||If we employ or engage you directly as a Temporary Worker, we need to process certain extra information (in addition to the information collected from Candidates). We only collect important information such as start dates, bank details and details of previous remuneration, pensions and benefit arrangements. Where appropriate and in accordance with legal obligations and requirements, we may also collect, by inference, information related to trade union membership, sexual orientation and child care or carer arrangements when you provide us with information about deductions from your salary for trade union membership or childcare vouchers or details about your emergency contact.||We collect your personal data either: From you; or From third parties.||If we employ or engage you directly as a Temporary Worker, the main reason for using your personal details is to ensure the smooth running of our Temp Relationship, and to comply with our contractual and other duties to each other, and to our Clients, as part of our Temp Relationship, and our duties to third parties such as tax authorities and government agencies.||If we employ or engage you directly as a Temporary Worker, we may share your personal data with a number of additional parties in order to ensure the smooth running of our Temp Relationship. For example, we may share your personal data with appropriate colleagues within WorkGaps (this may include colleagues in overseas offices), with a Client and, if appropriate, medical professionals such as your GP or an occupational health specialist.||6 years from the later of: End of last assignment, or 1 year after last meaningful contact.|
|Permanent Workers||As per Temporary Workers above||As per Temporary Workers above||As per Temporary Workers above||As per Temporary Workers above||2 years from the later of: Placement date, or 1 year after last meaningful contact *Exception: 5 years for placed SRG Permanent Workers|
7. How do we store and transfer your personal data internationally?
In order to provide you with the best service and to carry out the purposes described in this Privacy Notice, your data will be transferred:
- to third parties (such as advisers or other Suppliers to the WorkGaps business);
- to overseas Clients where applicable;
- to Clients within your country, where applicable, who may, in turn, transfer your data internationally;
- to a cloud-based storage provider.
We want to make sure that your data are stored and transferred in a way which is secure. We will therefore only transfer data outside of the UK, European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
– by way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by data controllers in the EEA to data controllers and processors in jurisdictions without adequate data protection laws; or
– transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
– where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer data outside the EEA in order to meet our obligations under that contract if you are a Client of ours); or
– where you have consented to the data transfer.
To ensure that your personal information receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the law on data protection.
We are aware of the recent Schrems II ruling and its implications on the U.S.-E.U. Privacy Shield. We are diligently reviewing our privacy practices in light of this, but nevertheless remain devoted to handling your data in an ethical manner, including:
- Mandating by contract that all sub-processors adhere to data protection legislation requirements;
- Ensuring that any data transfers are encrypted in transit;
- Storing your data on encrypted servers and networks;
- Undergoing yearly security audits;
We will continue to monitor guidance from authorities and stay closely aligned with these developments including adjusting our practices accordingly.
8. Who is responsible for processing your personal data when you access the WorkGaps website?
You can find out which WorkGaps entity is responsible for processing your personal data and where it is located below within Annex 1 below.
9. Cookies and similar technologies
A “cookie” is a piece of information that is stored on your computer’s hard drive and which records your navigation of a website so that when you revisit website, it can present tailored options based on the information stored about your last visit. Cookies can also be used to analyse traffic and for advertising purposes.
10. Security of your personal data
We have implemented appropriate technical and organisational controls to protect your personal data against misuse, loss, or unauthorised access. These include measures to deal with any suspected data breach.
If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately by contacting us.
Data Security is of great importance to WorkGaps and to protect your data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your collected data.
We take security measures to protect your information including:
- Limiting access to our buildings to those that we believe are entitled to be there by use of passes;
- Implementing access controls to our information technology;
- We use appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, websites and offices.
11. Automated Decision Making or Profiling
We do not undertake automated decision making or profiling. We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision making process. Some of our brands may offer the opportunity for candidates to undertake a psychometric assessment. This is entirely optional and is used solely to help match candidates more closely to suitable job roles.
Candidates – refers to applicants (and those subsequently engaged on temporary assignments, directly or indirectly, by WorkGaps) for any roles advertised by or through WorkGaps, whether permanent or temporary positions, whether as freelancers, contractors, flexible employees or through third parties including Suppliers; as well as people who have submitted a speculative CV to WorkGaps.
Clients – covers organisations which engage with WorkGaps for it to provide recruitment or other services.
Data Controller – is a person, company, or other body that determines the purpose and means of personal data processing.
Data Processor – processes personal data only on behalf of the Data Controller.
Data Protection Act 2018 – updates data protection laws in the UK. It is a national law which complements the European Union’s General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.
Employees – includes employees engaged directly by WorkGaps (or who have accepted an offer to be employed) as well as certain other workers engaged in the business of providing services to WorkGaps and/or one of its subsidiary companies. This includes employees engaged to work on client premises under the terms of managed service agreements or equivalent.
General Data Protection Regulation (GDPR) –
A European Union statutory instrument which aims to harmonise European data protection laws. It has an effective date of 25 May 2018, and any references to it should be construed accordingly to include any related national data protection legislation.
The EU GDPR applies to all 27 member countries https://europa.eu/european-union/about-eu/countries_en of the European Union (EU). It also applies to all countries in the European Economic Area (the EEA), and includes Iceland, Norway, and Liechtenstein.
The UK withdrew from the European Union on 31 December 2020, and the GDPR has now been enshrined under UK GDPR. The UK is expected to substantially follow the GDPR after Brexit but this Policy will be updated to reflect any changes where necessary.
Information Commissioners Office (ICO) – is the UK’s independent body and supervisory authority set up to uphold information rights.
Managed Service Provider (MSP) Programmes – Clients’ outsourcing of the management of external staff (including freelance workers, independent contractors and temporary employees) to an external recruitment provider.
Meaningful Contact – When we refer to “meaningful contact”, we mean, for example, communication between us (either verbal or written), or where you are actively engaging with our online services.
Privacy and Electronic Communication Regulation (PECR) – sit alongside the Data Protection Act and GDPR to give people specific privacy rights in relation to electronic communications.
Prospective Candidates – individuals with whom WorkGaps has not had prior contact but whom WorkGaps reasonably considers would be interested in our services and, in particular, in being considered for any roles advertised or promoted by WorkGaps and/or one of its subsidiary companies, including permanent, part-time and temporary positions and freelance roles with WorkGaps Clients.
Recruitment Process Outsourcing (RPO) Services – full or partial outsourcing of the recruitment process for permanent employees to a recruitment provider.
Special Category or Sensitive Personal Data – the GDPR defines special category data as Personal Data revealing: (1) Racial or Ethnic Origin; (2) Political Opinions; (3) Religious or Philosophical Beliefs; (4) Trade Union Membership; (5) Genetic Data; (6) Biometric Data (where used for identification purposes); (7) data concerning Health; (8) data concerning a person’s Sex Life; (9) data concerning a person’s Sexual Orientation. This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.