Whitelist Talent GDPR Policy
Publish Date: 03/04/2018
Written By: Daryl Hughes
The most recent version of this document can be found online at:
|The Company||Whitelist Talent|
|The Client||A third party that has contracted The Company to recruit on their behalf|
|The Candidate||Any individual in contact with or identified by Whitelist Talent for the purpose of providing employment at a client site|
Every effort has been made to make this policy clear and concise. If anything is unclear, please contact the Data Protection Officer (here on referred to as the DPO) whose details are outlined below.
For clarity under the regulations The Company are acting as a Data Controller.
Data Protection Officer
For all enquiries related to the Company’s GDPR policy please contact the Company’s DPO:
Name: Daryl Hughes
This applies to anybody whom has personable identifiable data held by the Company. Under GDPR regulations and the Company’s own policy you have the following key rights:
These are just a few of the key rights under GDPR, others may also exist. As standard any request to the above rights should be fulfilled within 30 days of request.
The Company’s Commitment
The Company is committed to fair and clear processing of all data. No engagement is made with third party controllers or processors (other than the Client) with the aim of selling or profiting in any way from data held on record.
If a breach of data happens this will be promptly communicated to affected parties within 48 hours by email and for any serious breach that could lead to significant impact on the individual a phone call will be made within 24 hours of the Company being made aware of any breach.
A significant impact is defined as data being targeted on a specific and individual basis where the individual has been identified as the sole target of the breach.
How Permission is Obtained
Permission must be obtained by unambiguous and explicit means. In plain English this means the permission must be specific to The Company and not just implied by a lack of action. Alternatively, affirmative action by a Candidate that implies they are looking for employment is taken as Legitimate Interest to process their data and contact them.
For the avoidance of doubt the Company takes explicit consent to be usually obtained via a written email or verbal permission over the phone. There is also the option for them to click a “Opt-In” button in communications usually by email.
What Data is Collected
Candidate data is collected from several sources. These include but are not limited to:
How Data is Stored
The Company uses a Processor to store and manage all candidate data. The Processor uses a highly secure, encrypted connection to a cloud-based service to access this data.
Information will only be held outside of the Controller in the following circumstances:
How Data is Processed
Automated processing decisions are made on the following basis:
How Data is Erased
A monthly audit takes place, when data has fallen outside of GDPR it will be erased. Data will also be erased within 30 days when requested by the Candidate or other applicable source.
When this happens a 5-stage process takes place, outlined below:
The Company has taken and will continue to take all reasonable steps to go above and beyond the GDPR regulations. It is committed to the fair and legal processing of all data and will conduct annual reviews to ensure all staff are fully trained on compliance and that this document is fully up to date and processes are in place to ensure its full adherence.
If you believe you have been the subject of unfair data processing please contact the DPO outline above, alternatively you may also wish to make your complaint to the Information Commissioners Office who can be contacted here: