PRIVACY NOTICE
 

1. Introduction

Carpmaels & Ransford respects your privacy and is committed to protecting your personal data.  We are similarly committed to being transparent about how that data is collected and used and to meet our data protection obligations.

This privacy notice was last updated on 15 May 2018 and reflects the changes to data protection law in the UK due to GDPR which came into force on 25 May 2018.  It sets out how the firm complies with GDPR and the legal basis under which we process your data in various instances.
 

2. Purpose of this Privacy Notice

The purpose of this privacy notice is to inform you about how Carpmaels & Ransford collects and processes your personal data when you use our application tracking system and/or interact with members of the firm; this includes any data you may provide to us when you apply for a role at the firm via our applicant tracking system.  

To help you understand the meaning of some of the terms used in this privacy notice, we have provided a Glossary.

Please note that this application tracking system is not intended for children and we do not knowingly collect data relating to children.
 

3. Data Protection Governance at Carpmaels & Ransford

This privacy notice is issued on behalf of the Carpmaels & Ransford Group so when we mention “Carpmaels & Ransford”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant corporate entity in the Carpmaels & Ransford Group responsible for processing your data. 

We have appointed a Data Protection Team (reporting into the Chief Operating Officer) to oversee compliance with data protection regulations.  If you have any questions about this privacy notice, including any requests to exercise your legal rights, please use the contact details below.

Data Protection Team
Carpmaels & Ransford
One Southampton Row, London, WC1B 5HA
Tel: +44 (0)207 242 8692
data.protection@carpmaels.com
 

4. What we collect, how we use it, and supplementary privacy notices

We will only use your personal data when the law allows us to.  So that you are fully aware of how and why we are using your data, it is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you. 
 

5. Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. 

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
 

6. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, as listed below:

  • request access to your personal data;
  • request correction of your personal data; 
  • request erasure of your personal data;
  • object to processing of your personal data;
  • request restriction of processing your personal data;
  • request transfer of your personal data; and
  • right to withdraw consent.

Further details of your rights can be found in the glossary at the end of this policy. The Information Commissioner's website also provides more detail on the legal rights of individuals in relation to the processing of their personal data (www.ico.org.uk).  If you wish to exercise any of the rights set out above, or have any queries or concerns about our use of your data please contact our Data Protection Team using the details at section 3. 

    6.1 What we may need from you when you exercise your legal rights

When exercising your legal rights above, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that requests are made by the individual themselves and that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
 
6.2.Fees and refusal to comply with requests
 
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, if your request is clearly unfounded, repetitive or excessive we may charge a reasonable fee and/or refuse to comply with your request.
 
6.3. Time limit to respond

We will respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests and it is likely to take us longer than a month to respond, we will notify you of that and keep you updated as to progress.
 

7. Your right to make a complaint 

In addition to your legal rights set out above, you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues (www.ico.org.uk). We are committed to protecting your personal data and would appreciate the opportunity to address any concerns or complaints you may have before you approach the ICO so that we can remedy them.  Any concerns or complaints should be raised with the Data Protection Team in the first instance.

8. Your duty to inform us of changes to your personal data

It is important that the personal data we hold about you is accurate and current.  Please keep us informed if your personal data changes during your relationship with us.

9. Data security and data breaches 

We take data and information security seriously and both we and our applicant tracking system provider are ISO27001 accredited.  We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know; they will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data security incident. We will notify you and any applicable regulator of a suspected breach where we are legally required or it is appropriate to do so.                                                                                       

10. Job Applicants

As part of our recruitment process, Carpmaels & Ransford LLP and Carpmaels and Ransford Services Limited (‘we’), as data controllers, collect and process personal data relating to job applicants.  We are responsible for deciding how we hold and use personal data about you.  This notice sets out how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for.  It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).

10.1. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We collect, store and use a range of information about you in connection with your application for work with us. This includes:

  • your title, name, address and contact details, including email address and telephone number;
  • details of your qualifications, skills, experience and employment history;
  • information about your current level of remuneration, including benefit entitlements (where specifically requested as part of the application process);
  • whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process; 
  • information about your entitlement to work in the UK; and
  • any other personal data held within your CV and/or cover letter or provided to us during an interview.

To ensure meaningful equal opportunity monitoring and reporting, we may invite you to share other personal data such as information about your race or national or ethnic origin; religious, philosophical or moral beliefs; or your sexual orientation; or your gender; or marital status; or age.  Such information will be held separately from your application and will be collected and held on an anonymous basis.  

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose (this includes equality and/or diversity data).   Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

10.2. What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

10.3. How your personal data is collected and stored 

We may collect your personal data in a variety of ways and from a variety of sources. 

We collect personal data about candidates from the following sources: 
 

10.3.1. You, the candidate, including data in application forms, CVs or resumes (collected via our applicant tracking system where relevant); obtained from your passport or other identity documents; or collected through interviews or other forms of assessment.

10.3.2. The recruitment agency through which you applied, namely your CV and cover letter. 

10.3.3. Your academic institutions and named referees, from whom we obtain a standard reference. We will seek this information from third parties only once we have made you a job offer and we will inform you that we are doing so.

We will store your personal data in a range of different places, including on your application record, in our applicant tracking system, in HR management systems and on other IT systems (including email). 
 

10.4. How we use your personal data and the legal basis for doing so

We will only use your personal data when the law allows us to.  Most commonly, we will use your personal data in the following circumstances:

  • where we need to perform the contract we are about to enter into or have entered into with you;
  • where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests; and/or
  • where we need to comply with a legal or regulatory obligation.

Please refer to the ICO website (www.ico.org.uk) or refer to the Glossary to find out more about the types of lawful basis that we will rely on to process your personal data.

10.5. Purposes for which we will use your personal data 

We need to process data to take steps at your request prior to entering into a contract with you. We may also need to process your data to enter into a contract with you.

In some cases, we may need to process data to ensure that we are complying with our legal obligations. For example, we are required to check a successful applicant's eligibility to work in the UK before employment starts.

We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

We may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics and to ensure meaningful equal opportunity monitoring and reporting; this will be collected and held on an anonymous basis. 

We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability.  We would process such information to carry out our obligations and to exercise specific rights in relation to employment law.
 

10.6. Automated decision-making

Minor aspects of our recruitment processes incorporate automated decision-making. 

 

10.7. Marketing


We do not add the data of job applicants to our marketing lists.
 

10.8. Who can access your data 


Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

It may be necessary from time to time for us to disclose your personal data to third parties or agents, including without limitation to the following:

(a) referees, academic institutions and external employment check providers to assist in the administration, processing and management of certain activities pertaining to prospective employees including external reference agencies (such as employee vetting and screening agencies); and

(b) regulatory bodies to whom we are obliged or required to disclose information including, Courts and Court-appointed persons, and relevant government departments and agencies.

We will not share your data with third parties other than our applicant tracking solution provider where relevant, unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers and academic institutions to obtain references for you and with third party providers. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies.  We do not allow our third-party service providers to use your personal data for their own purposes.  We only permit them to process your personal data for specified purposes and in accordance with our instructions.
 

10.9. International transfers 


We do not currently transfer your personal data outside the European Economic Area (EEA). Were we to do so, transfer would always be made subject to appropriate technical and legal measures.

10.10. How long we retain and use personal data of job applicants 
 

a) Successful applicants

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The purposes and periods for which your data will be held and processed will be provided to you in a new privacy notice which relates to employees.

b) Unsuccessful applicants

If your application for employment is unsuccessful, we will hold your data on file for 12 months after the end of the relevant recruitment process so that we can consider you for any other opportunities that may arise. In addition, your personal data is retained for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal data in accordance with our data retention policy.

It is likely that we may wish to retain your personal data on file for further periods on the basis that a further opportunity may arise in future and we may wish to consider you for that.  If so, we will write to you separately, seeking your explicit consent to retain your personal data for a further fixed period on that basis. 

You can ask us to delete your data at any time.  Please contact the HR team at careers@carpmaels.com if you have any queries.

10.11. Candidate Responsibilities

You should use all reasonable endeavours to keep us informed of any changes to your personal data.  If you become aware of a data breach or a potential data breach in respect of personal data please report the matter immediately to the Data Protection Team (see 3.)  
 

GLOSSARY

11. Lawful basis

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

12. Third parties

Internal third parties: Other companies in the Group acting as controllers or processors. 

External third parties:

  • Service providers acting as processors based who provide IT and system administration services.
  • Professional advisers and government bodies including lawyers, foreign associate, Intellectual Property Offices, law firms, bankers, auditors and insurers based who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.

13. Your legal rights 

You have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
     
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
     
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
     
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
     
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
     
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
     
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.