E-Crunch Ltd and Crunch Accounting Ltd (the “Company” or “Crunch” or “our” or “us” or “we”) in the context of managing the personal data of external applicants during our recruitment and selection process for our vacancies.
Applicant (For the purposes of this Policy, an external individual who has submitted an application for employment with the above.)
The General Data Protection Regulation (GDPR) 2016 is a regulation in EU law on data protection and privacy for all individuals within the European Union. The GDPR becomes enforceable from 25 May 2018 and supersedes the Data Protection Act 1998 (DPA).
The Company is committed to being transparent about how it collects and uses such data and to meeting its data protection obligations.
How does GDPR apply in relation to recruitment activities?
The GDPR applies to ‘controllers’ and ‘processors’ of personal data of applicants who may or may not be successful for roles applied for in the Company.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
The GDPR places specific legal obligations on processors, who are required to maintain records of personal data and processing activities.
Who are the Company data controllers and processors?
The data controller is the Company, encompassing the business entities E-Crunch Ltd and Crunch Accounting Ltd, registered Company Address: Telecom House, 125-135 Preston Road, Brighton, BN1 6AF. The Company website address is www.crunch.co.uk and the email address for role applicants is firstname.lastname@example.org
The Company Data Protection Officer is Martin Hesketh, Head of Client Services, and the Company Deputy Data Protection Officer is Jo Pickering, Service Operations and Quality Assurance Manager.
Data processors would be the HR Department of the Company, and hiring managers, using data provided by applicants for roles on CV’s and covering letters to the email@example.com email address, or from third party sources such as jobs boards and recruitment agencies.
What data is collected?
The Company collects a range of data about applicants during the recruitment and selection process for each externally advertised role. This includes:
- Name, address and contact details, including personal email addresses and landline/mobile telephone number(s);
- Details of qualifications, skills, experience and employment history, including start and end dates with previous employers and roles held with the Company;
- Information about current level of remuneration, including benefit entitlements;
- Whether or not an applicant has a disability for which the Company needs to make reasonable adjustments during the recruitment process;
- Nationality and eligibility to work in the UK; and
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
How is data collected?
The Company collects this data in a number of ways, including from CVs and covering letters, passport or other identity documents, from general e-mail or other written correspondence, or through interviews, meetings or other assessments conducted by members of the Company management team. There are some roles where online tests of competence are completed, specifically for IT and Software Development type roles that the Company may have.
The Company also collects personal data from third parties with prior consent from successful applicants, such as employment references supplied by former employers.
The Company will seek information from third parties only once a job offer to an external applicant has been made, and they will be informed that we are doing so prior to contact being made.
Where is applicant data stored?
Applicant’s data is stored securely in a number of locations, including in the email box firstname.lastname@example.org, paper files stored in locked filing cabinets, and in our network folder where details of candidates are saved for reference prior to an offer of employment being made.
Data would then be added to the Company HR information system, Cascade HR, following completion of a new starter form after an offer of employment has been made.
All storage systems and facilities have been reviewed to ensure compliance with the provisions of the GDPR.
Why is applicant data processed by the Company?
The Company needs to process this data to take the necessary steps prior to entering into a contract with a prospective employee. It also needs to process data to enter into a contract in the event of an offer of employment being made.
In some cases, the Company needs to process data to ensure that it is complying with its legal obligations. In particular, there is an obligation to check an applicant’s eligibility to work in the UK during the recruitment and selection process before an offer of employment has been made.
The Company has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from applicants allows the Company to manage the recruitment process, assess and confirm an applicant's suitability for employment and decide to whom to offer a job. The Company may also need to process data from applicants to respond to and defend against legal claims.
Where the Company relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of applicants and has concluded that they are not. If the reason of legitimate interests is used, these would be explained to the applicant in the event of a query being raised.
The Company processes health information disclosed by applicants if it needs to make reasonable adjustments to the recruitment process for applicants who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.
Where the Company processes other special categories of data, such as information about ethnic origin, sexual orientation, or religion or belief, this is for equal opportunities monitoring purposes. The Company does not currently use or report on this data.
For some roles, the Company is obliged to seek information about ‘unspent’ criminal convictions and offences from applicants. Where the Company seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment. This information would be required after an offer of employment has been made using the Company’s new starter form documentation.
If an external application for a role is unsuccessful, the Company will keep personal data on file in case there are future employment opportunities for which the applicant may be suited. Such applications will be kept for a period of six months following the date of application for a stated role. The Company will ask for consent before it keeps data for this purpose and applicants are free to withdraw consent at any time.
If a third party recruitment agency has ‘introduced’ a prospective job applicant to us, the Company would adhere to agreed ‘Terms of Business’ when approaching former applicants about subsequent roles that may arise.
Who has access to this data?
Applicant information will be shared internally for the purposes of the recruitment and selection process, specifically with members of the HR team, hiring managers, and/or heads of department based on the hierarchy where the vacancy sits, as set up by the HR team on the Company’s HR information system, Cascade.
The Company will not share applicant data with third parties, unless an application for employment is successful and a conditional offer of employment is made. The Company will then share the relevant personal data with former employers or educational institutions in order to obtain employment or academic references.
Personal data provided by the Company for the purpose of reference requests includes the applicant’s name, job role with former employer(s) or course attended at educational institution(s), and potentially date of birth and national insurance number if additional means of identification is required. It is Company policy to request and obtain factual references including name, job role and dates of employment only.
Where applicable, depending on the type of role(s) applied for, data of successful job applicants will be shared with our assigned employment background check providers. If such background checks are undertaken for the role(s) applied for, the HR department will notify successful job applicants in advance of the checks commencing.
The Company will not transfer applicant data outside the European Economic Area.
How does the Company protect data?
The Company takes the security of applicant data seriously. It has internal policies and controls in place to ensure that such data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our designated employees as already specified in the proper performance of their duties. Our employees adhere to our Company policies and procedures relating to data protection and IT security.
For how long does the Company retain candidate data?
If an application for employment is unsuccessful, the Company will hold this data on file for six months after an application has been received for a stated role, unless a candidate withdraws their consent to the data being held in the meantime.
At the end of that period, or once an applicant withdraws their consent if sooner, their data is deleted and/or destroyed securely.
What are applicant rights?
As a data subject, applicants for roles with the Company have a number of rights and can:
- Access and obtain a copy of personal data held by the Company on request;
- Require the Company to change incorrect or incomplete data;
- Require the Company to delete or stop processing applicant data, for example where the data is no longer necessary for the purposes of processing;
- Object to the processing of applicant data where the Company is relying on its legitimate interests as the legal ground for processing; and
- ask the Company to stop processing data for a period if data is inaccurate or there is a dispute about whether or not an applicant’s interests override the Company's legitimate grounds for processing data.
To exercise any of the above rights, the Company HR Department should be contacted in the first instance, who will advise on the process for submitting a Subject Access Request (SAR). They should be contacted at email@example.com
The Company HR Department and Data Protection Officer will manage the SAR through toconclusion, resolving any queries raised after the initial SAR has been submitted until weconsider it to be closed with no further action needed.
Thereafter, if an employee or former employer still has the belief that the Company has not complied with their data protection rights, and wish to escalate their concerns, they should seek advice from the Information Commissioner's Office at www.ico.org.uk
What if applicants do not provide personal data?
Applicants are under no statutory or contractual obligation to provide data to the Company during the recruitment process. However, if applicants do not provide the requested information, the Company may not be able to process applications for employment properly or at all.
Automated decision making in recruitment processes
The Company recruitment processes are not based on automated decision-making (defined as making a decision solely by automated means without any human involvement.)
The Company will review the policy annually or as a result of relevant legislative updates and reserve the right to make amendments as required, ensuring ongoing compliance with the GDPR. The Company will publish updates to this policy on the careers page of the Company website www.crunch.co.uk
Who do I speak to if I have any questions?
If you have any questions regarding the contents of this Policy, please email firstname.lastname@example.org