What is the purpose of this notice?
We are providing you this notice because you are applying for work with Ondra LLP or are otherwise being considered for a role (whether as an employee, worker, member, partner or contractor). During this process, Ondra LLP will hold data about you and will be a “data controller” for the purposes of the General Data Protection Regulation (GDPR).
This notice will make you aware of how and why your personal data will be used and how long it will usually be retained.
What are the data protection principles?
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Who will hold my data?
Ondra LLP is the “data controller” in respect of your personal data. This means that we are responsible for deciding how we hold and use personal information. In the event that you have data concerns you should address them to the individual handling your recruitment or the Ondra LLP COO.
What data do you envisage collecting?
We may collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, title, address, telephone numbers, and personal email address.
- The information you may have provided on our application form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications and date of birth.
- Information you provide during any interviews which may take place
- National Insurance number.
- Bank account details, payroll records and tax status information.
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Copy of passport.
- Information about your health, including any medical condition, health and sickness records.
- Information about criminal convictions and offences.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able (or required) to do so.
What happens to data which is particularly personal to me?
UK law recognises that “special categories” of particularly sensitive information require a higher level of protection (see list above).
If we collect information of this type we will ensure that it is processed lawfully, fairly and in a transparent manner and collected for a specific purpose. We will endeavour to keep such information up to date and to not hold it for longer than necessary. If you are not offered a role, we would normally expect to delete the information we hold about you six months from the recruitment decision. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.
If you are offered a role, further details of retention periods will be provided to you. Data may be retained for longer if there are good reasons for us to hold such data for an extended period (such as circumstances where there is envisaged or ongoing litigation). At any point you may request that such data is erased or amended.
Given the sensitivity of the data, we will also take steps to protect the data against accidental loss, destruction or damage.
How will my data be collected?
We will typically collect your data through the application and recruitment process, either directly from you or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
We will collect additional personal information in the course of job-related activities throughout the period that you work for us.
When will my data be used?
We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. We may, on rare occasions, also use your personal information where we need to protect your interests (or someone else's interests) or where it is needed in the public interest.
The situations in which we will process your personal information are listed below:
- Making a decision about your recruitment or appointment.
- Determining the terms on which you work for us.
- Checking you are legally entitled to work in the UK.
- Assessing qualifications for a particular job or task.
- If applicable, liaising with referees.
- Ascertaining your fitness to work.
- Complying with health and safety obligations.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information
The situations in which we will process your particularly sensitive personal information are listed below:
- To comply with employment and other laws.
- To assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
- To provide appropriate workplace adjustments.
- To ensure meaningful equal opportunity monitoring and reporting.
What if I fail to provide personal information?
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we may not be able to process your application successfully.
Who will receive my data?
We will endeavour to keep the circulation of your personal data to a minimum. However, your data may be provided to third parties where required by law, where it is necessary to administer the recruitment process or where we have another legitimate interest in doing so.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
If we intend to transfer your personal data outside of the European Economic Area, then either:
- we will enter into the relevant safeguard clauses with the recipient of the data; or
- we will transfer based on an appropriate adequacy decision (under the Privacy Shield for transfers to the US or a decision by the European Commission that the jurisdiction in question has appropriate safeguards)
How long will my data be retained?
If you are not offered a role, we would normally expect to delete the information we hold about you six months from the recruitment decision. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. If you are offered a role further details of retention periods will be provided to you. Data may be retained for longer if there are good reasons for us to hold such data for an extended period (such as circumstances where there is envisaged or ongoing litigation). At any point you may request that such data is erased or amended.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
What rights do I have relating to personal data?
If you have any questions about the way we use your data, you should in the first instance address your concerns to the individual handling your recruitment or the Ondra LLP COO. It might be that there are steps we can take to explain or amend our processes.
You also have a qualified right under UK law to: (i) request access to your personal data; (ii) request the correction or deletion of certain personal data; (iii) object to us processing your data; (iv) that we restrict the processing of data concerning you or; (v) that we transfer certain data to other organisations.
We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Please also note that, if we have requested that you consent to the processing of your personal data you may withdraw this consent at any time by providing notice to us.
Do you use automated systems to make decisions which might impact me in a significant way?
We do not use automated systems to make major decisions about recruitment. If we ever do so we will seek to provide you with suitable warning and explanation.
Will my data be kept securely?
We have put in place appropriate security measures to protect the security of your information.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
- ‘Session based’ cookie. This is essential for parts of the website to operate and has already been set. It is used to maintain the state of a user’s actions so as not to constantly request the same information from them within a ‘session’.
- ‘Analytics’ cookie. This is used to collect information about how you use our site, such as where you have come to the site from and which website pages you have visited. We use the information to help us improve the website.
Who do I contact if I have a complaint?
Data protection compliance is supervised by the Information Commissioners Office (or "ICO"). In the event that the individual handling your recruitment or the Ondra LLP COO is not able to assist with your queries or you otherwise have a complaint you should contact the ICO.
If you have any questions about this privacy notice, please contact the individual handling your recruitment or the Ondra LLP COO.