Privacy Policy

Whitelist Talent GDPR Policy

Publish Date: 03/04/2018

Written By: Daryl Hughes

The most recent version of this document can be found online at:


| Term | Definition |
| --- | --- |
| The Company | Whitelist Talent |
| The Client | A third party that has contracted The Company to recruit on their behalf |
| The Candidate | Any individual in contact with or identified by Whitelist Talent for the purpose of providing employment at a client site |
| The Processor | JobAdder |

Every effort has been made to make this policy clear and concise. If anything is unclear, please contact the Data Protection Officer (hereafter referred to as the DPO), whose details are outlined below.

For clarity, under the regulations The Company is acting as a Data Controller.

Data Protection Officer

For all enquiries related to the Company’s GDPR policy please contact the Company’s DPO:

Name: Daryl Hughes

Your Rights

This applies to anybody who has personally identifiable data held by the Company. Under GDPR regulations and the Company’s own policy you have the following key rights:

  1. To at any stage request where your data is held and how it is being processed, formally known as a Subject Access Request.
  2. To request for your information to be forgotten and completely erased from the company’s records
  3. To request a copy of information being held and for any of it to be updated with correct information you supply
  4. To at any stage change the level of permission you have given to the Company:
    i.e. if you had initially subscribed to all forms of communications including marketing but would now only like to be contacted regarding employment opportunities

These are just a few of the key rights under GDPR; others may also exist. As standard, any request under the above rights should be fulfilled within 30 days of the request.

The Company’s Commitment

The Company is committed to fair and clear processing of all data. No engagement is made with third party controllers or processors (other than the Client) with the aim of selling or profiting in any way from data held on record.

If a breach of data happens, this will be promptly communicated to affected parties within 48 hours by email, and for any serious breach that could lead to significant impact on the individual, a phone call will be made within 24 hours of the Company being made aware of any breach.

A significant impact is defined as data being targeted on a specific and individual basis where the individual has been identified as the sole target of the breach.


How Permission is Obtained

Permission must be obtained by unambiguous and explicit means. In plain English this means the permission must be specific to The Company and not just implied by a lack of action. Alternatively, affirmative action by a Candidate that implies they are looking for employment is taken as Legitimate Interest to process their data and contact them.

  1. When a Candidate applies for a job being advertised, the Company take this to be explicit permission to contact them for that position and that position only and the data will be erased within 30 days of the position being filled. However, during this time, the Company also take this to provide consent by Legitimate Interest to contact the Candidate for similar positions during which time Explicit Consent to consider them for future opportunities will also be sought.
  2. When a Candidate advertises their CV on a job board website, this is taken to be Legitimate Interest to contact the candidate for 12 months from the date the CV is downloaded. If no reciprocal contact is made during this time the data will be erased.
  3. When a Candidate’s details are found via Social Media or any other source that doesn’t specify they are looking for employment opportunities, the data will not be collected and hence will not need to have permission obtained. This data will only be collected upon explicit permission being obtained from the Candidate to store their details, upon which part “1” will be used for guidance.

For the avoidance of doubt, the Company takes explicit consent to be usually obtained via a written email or verbal permission over the phone. There is also the option for them to click an “Opt-In” button in communications, usually by email.

What Data is Collected

Candidate data is collected from several sources. These include but are not limited to:

  1. LinkedIn Job Adverts
  2. LinkedIn (Recruiter License) Searches
  3. Advert and Database Searches from various job board websites
  4. Recommendations from existing candidates
  5. Recommendations from clients
  6. Information found on a candidate’s personal website

How Data is Stored

The Company uses a Processor to store and manage all candidate data. The Processor uses a highly secure, encrypted connection to a cloud-based service to access this data.

Information will only be held outside of the Controller in the following circumstances:

  1. Upon the point of an application being made to the Client, the Client becomes responsible for legal processing. The Company will record this information and it can be made available to The Candidate upon request
  2. When the Candidate becomes employed by the Company to provide contractor services, payroll information will be held on a local machine and a third-party payroll management system


How Data is Processed

Automated processing decisions are made on the following basis:

  1. Prominence of key words in CVs and all communications held with The Candidate related to the appropriate job
  2. Proximity to The Client
  3. Salary expectations in relation to the salary being offered by The Client
  4. Team and personality fit with The Client
  5. A skillset predefined as an area of interest
    i.e. Software Development, Project Management, Financial Positions…etc.

How Data is Erased

A monthly audit takes place; when data has fallen outside of GDPR it will be erased. Data will also be erased within 30 days when requested by the Candidate or other applicable source.

When this happens a 5-stage process takes place, outlined below:

  1. The Data is archived from the Processor’s records, meaning it cannot be used. Within 30 days all archived data will be fully deleted
  2. Hard copies should not exist but where this has happened the hard copies shall be shredded
  3. An internal check of all email accounts will identify any mail logs that need to be deleted
  4. A hard drive check will identify any local machines that need to have the data deleted
  5. Confirmation of this will be sent to the source of the request upon completion if applicable


The Company has taken and will continue to take all reasonable steps to go above and beyond the GDPR regulations. It is committed to the fair and legal processing of all data and will conduct annual reviews to ensure all staff are fully trained on compliance and that this document is fully up to date and processes are in place to ensure its full adherence.

If you believe you have been the subject of unfair data processing, please contact the DPO outlined above; alternatively, you may also wish to make your complaint to the Information Commissioner’s Office, who can be contacted here:

