CONNECTING TALENT WITH OPPORTUNITY.....
DATA PROTECTION POLICY
INTRODUCTION
This Policy sets out how Spartan Recruitment ltd ("we", "our", "us", "the Company") handle the Personal Data of our customers, suppliers, employees, workers and other third parties.
This Policy applies to all Company Personnel ("you", "your"). You must read, understand, and comply with this Policy when Processing Personal Data on our behalf.
This Policy details what we expect from Company Personnel in order for Spartan Recruitment ltd to comply with applicable law, and your compliance with it is mandatory. Any breach of this Policy may result in disciplinary action.
SCOPE
We are committed to being transparent about how we collect and use Personal Data, and to meeting our data protection obligations.
The Company can be fined up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher, for failure to comply with our data protection obligations. Any breach is also likely to result in severe reputational damage. Please note that there can also be personal consequences and liability for you in processing someone’s Personal Data and it is vital therefore that this policy is complied with. It is as much for your protection as for the Company’s.
The Data Protection Manager is responsible for overseeing this Policy. That post is held by Chris Jarvis.
Please contact the Data Protection Manager with any questions about the operation of this policy or the GDPR or if you have any concerns that it is not being followed.
PERSONAL DATA PROTECTION PRINCIPLES
We will handle Personal Data in accordance with the following Data Protection Principles:
It will be collected only for specified, explicit and legitimate purposes.
It must not be Processed in any manner that is not compatible with those purposes nor can it be used for a new or different purpose from that which was disclosed when it was first obtained, unless you have approval from the Data Protection Manager. If in doubt, please ask the Data Protection Manager.
It will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
You may only Process Personal Data when the duties of your role require it and you must only access Personal Data when you have authority to. You must not disclose Personal Data to other individuals whether inside or outside the organisation if they do not have appropriate authorisation. You cannot Process Personal Data for any reason unrelated to your job duties. Again, if in doubt please seek approval from the Data Protection Manager.
You may only collect Personal Data that you require for your job duties and as approved by the Data Protection Manager. Do not collect excessive Personal Data; it should be limited to what is necessary for the intended purposes.
You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company's data retention guidelines.
It will be accurate and where necessary kept up to date.
You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you discover inaccurate or out-of-date Personal Data you should notify the Data Protection Manager.
It will be kept only for the period necessary for processing.
You must not keep Personal Data for longer than needed for the purposes for which it was originally collected, including in order to satisfy any legal, accounting or reporting requirements.
The Company will set retention guidelines and you must take all reasonable steps to comply with these.
It will be Processed in a manner that ensures it is secure and protected against unauthorised or unlawful processing and accidental loss, destruction, or damage.
We will develop, implement, and maintain safeguards appropriate to secure and protect Personal Data. You are responsible for protecting the Personal Data we hold and must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
You may only transfer Personal Data to third-party service providers authorised by the Data Protection Manager. This is because they must agree to comply with our required policies and procedures, have adequate security in place to protect the Personal Data and keep it confidential.
It will not be transferred to another country without appropriate safeguards being in place.
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data when you transmit, send, view or access that data in or to a different country, such as sending it by email. If you need to transfer Personal Data outside of the EEA you must speak to the Data Protection Manager before taking any action.
It will be made available to Data Subjects who will be allowed to exercise certain rights in relation to it.
These include rights to:
Any request made by a Data Subject as listed above should immediately be sent to the Data Protection Manager who will decide how best to respond.
PRIVACY NOTICE
We will tell Data Subjects the reasons for Processing their Personal Data, how we use it and the legal basis for Processing in our Privacy Notices, and will not Process Personal Data for any other reason.
Where we rely on legitimate interests as the basis for Processing Personal Data, we will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
REPORTING A PERSONAL DATA BREACH
We are required to notify any Personal Data Breach to the Information Commissioner's Office within 72 hours of discovery and, in certain instances, the Data Subject where it is likely to result in a high risk to the rights and freedoms of individuals.
If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the Data Protection Manager. Failure to do so is likely to constitute a disciplinary offence. You should keep any evidence relating to the potential Personal Data Breach. We will record all Personal Data breaches, regardless of their effect.
TRAINING
We will provide training to all individuals about their data protection responsibilities as part of the induction process. Individuals whose roles require regular access to Personal Data or who are responsible for implementing this policy or responding to Subject Access Requests will receive additional training to help them understand their duties and how to comply with them.
You must undergo all mandatory data privacy related training. You must regularly review all the systems and processes under your control to ensure they comply with this policy and to ensure proper use and protection of Personal Data.
CHANGES TO THIS POLICY
We reserve the right to change this policy at any time without notice to you.
DEFINITIONS
Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others employed in any format by Spartan Recruitment ltd.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. Spartan Recruitment ltd are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
Personal Data: any information that relates to a living individual who can be identified from that information.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity, or availability of Personal Data or the physical, technical, administrative, or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure, or acquisition, of Personal Data is a Personal Data Breach.
Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
Copyright © 2024 Spartan Recruitment Ltd - All Rights Reserved.