Carpmaels & Ransford respects your privacy and is committed to protecting your personal data. We are similarly committed to being transparent about how that data is collected and used and to meet our data protection obligations.
This privacy notice was last updated on 24 March 2021 and describes how we collect and use personal data about you during the recruitment process, in accordance with applicable data protection laws.
2. Purpose of this Privacy Notice
The purpose of this privacy notice is to inform you about how Carpmaels & Ransford collects and processes your personal data when you use our application tracking system and/or interact with members of the firm; this includes any data you may provide to us when you apply for a role at the firm via our applicant tracking system.
To help you understand the meaning of some of the terms used in this privacy notice, we have provided a Glossary.
Please note that this application tracking system is not intended for children and we do not knowingly collect data relating to children.
3. Data Protection Governance at Carpmaels & Ransford
This privacy notice is issued on behalf of the Carpmaels & Ransford Group so when we mention “Carpmaels & Ransford”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant corporate entity in the Carpmaels & Ransford Group responsible for processing your data.
We have appointed a Data Protection Team (reporting into the Chief Operating Officer) to oversee compliance with data protection regulations. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please use the contact details below.
Data Protection Team
Carpmaels & Ransford
One Southampton Row, London, WC1B 5HA
Tel: +44 (0)207 242 8692
4. What we collect, how we use it, and supplementary privacy notices
We will only use your personal data when the law allows us to. So that you are fully aware of how and why we are using your data, it is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you.
5. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Team using the details at section 3.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, as listed below:
Further details of your rights can be found in the glossary at the end of this policy. The Information Commissioner's website also provides more detail on the legal rights of individuals in relation to the processing of their personal data (www.ico.org.uk).
If you wish to exercise any of the rights set out above, or have any queries or concerns about our use of your data please contact our Data Protection Team using the details at section 3. If your request or concern is not satisfactorily resolved by us, you can contact the Information Commissioner.
6.1 What we may need from you when you exercise your legal rights
When exercising your legal rights above, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that requests are made by the individual themselves and that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
6.2. Fees and refusal to comply with requests
You will not ordinarily be required to pay a fee to access your personal data (or to exercise any of the other rights), but we may charge a reasonable fee for any additional copies of the materials we provide or where your request is clearly unfounded, repetitive or excessive, in which case we may also refuse to comply with your request.
6.3. Time limit to respond
We will respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests and it is likely to take us longer than a month to respond, we will notify you of that and keep you updated as to progress.
7. Your right to make a complaint
In addition to your legal rights set out above, you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues (www.ico.org.uk). We are committed to protecting your personal data and would appreciate the opportunity to address any concerns or complaints you may have before you approach the ICO so that we can remedy them. Any concerns or complaints should be raised with the Data Protection Team in the first instance.
8. Your obligations
8.1 Duty to inform us of changes to your personal data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
8.2 Duty to inform third parties
If you give us information about other individuals, for example, referees, you must first make sure that the individual knows that you might disclose information about them (either specifically to us or, at least, to potential employers) and you have obtained all relevant consents from that individual to do so on their behalf.
8.3 Duty to inform us of actual or potential breaches
If you become aware of a data breach or a potential data breach in respect of personal data please report the matter immediately to the Data Protection Team.
9. Data security and data breaches
We take data and information security seriously and both we and our applicant tracking system provider are ISO27001 accredited. We have put in place appropriate security measures to try and prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know; they will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data security incident. We will notify you and any applicable regulator of a suspected breach where we are legally required or it is appropriate to do so.
10. Job Applicants
As part of our recruitment process, Carpmaels & Ransford LLP and Carpmaels and Ransford Services Limited (‘we’), as data controllers, collect and process personal data relating to job applicants. We are responsible for deciding how we hold and use personal data about you. This notice sets out how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under applicable data protection.
10.1. The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect, store and use a range of information about you in connection with your application for work with us. This includes:
To ensure meaningful equal opportunity monitoring and reporting, we may invite you to share other special categories of personal data such as information about your race or national or ethnic origin; religious, philosophical or moral beliefs; or your sexual orientation; or your gender; or marital status; or age; or health and disabilities; or criminal or alleged criminal offences. Such information will be held separately from your application and will be collected and held on an anonymous basis.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose (this includes equality and/or diversity data). Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
10.2. What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
10.3. How your personal data is collected and stored
We may collect your personal data in a variety of ways and from a variety of sources including:
10.3.1. You, the candidate, including data in application forms, CVs or resumes (collected via our applicant tracking system where relevant); obtained from your passport or other identity documents; or collected through interviews or other forms of assessment.
10.3.2. The recruitment agency through which you applied, namely your CV and cover letter.
10.3.3. Your academic institutions and named referees, from whom we obtain a standard reference. We will seek this information from third parties only once we have made you a job offer and we will inform you that we are doing so.
We will store your personal data in a range of different places, including on your application record, in our applicant tracking system, in HR management systems and on other IT systems (including email).
10.4. How we use your personal data
We may use the information (including any special categories of personal data you provide such as medical conditions or criminal record history) and opinions collected through the recruitment process (including but not limited to setting up and conducting interviews and tests and evaluating and assessing the results):
We may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics and to ensure meaningful equal opportunity monitoring and reporting; this will be collected and held on an anonymous basis.
We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We would process such information to carry out our obligations and to exercise specific rights in relation to employment law.
10.5 Our legal basis for processing your data
We will only use your personal data in the ways we have described by relying on one or more of the following legal bases. for processing your personal data:
Please refer to the ICO website (www.ico.org.uk) or refer to the Glossary to find out more about the types of lawful basis that we will rely on to process your personal data.
10.6. Automated decision-making
Minor aspects of our recruitment processes incorporate automated decision-making.
Our automated decision-making process has appropriate technical and organizational measures in place so that we can correct inaccuracies and minimize the risk of errors.
If you are unsatisfied with the information we have provided about automated decision-making, want to request human intervention or want us to provide more information about how the automated decisions are made, please contact our Data Protection Team at the contact detail set out at clause 3 above.
10.7. Direct Marketing
We do not add the data of job applicants to our direct marketing lists.
10.8. Who can access your data
Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
It may be necessary from time to time for us to disclose your personal data to third parties or agents, including without limitation to the following:
(a) referees, academic institutions and external employment check providers to assist in the administration, processing and management of certain activities pertaining to prospective employees including external reference agencies (such as employee vetting and screening agencies);
(b) our applicant tracking solution provider, where relevant; and
(c) regulatory bodies to whom we are obliged or required to disclose information including, Courts and Court-appointed persons, and relevant government departments and agencies.
We will not share your data with any other third parties, unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers and academic institutions to obtain references for you and with third party providers.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
10.9. International transfers
In limited circumstances, your personal data may be transferred outside of the UK. Where we or our permitted third parties, transfers your information outside the UK, we will always put in place appropriate safeguards to ensure that your personal data remains adequately protected. Requests for more details about the safeguards we rely on should be directed to the Data Protection Team.
10.10. How long we retain and use personal data of job applicants
a) Successful applicants
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The purposes and periods for which your data will be held and processed will be provided to you in a new privacy notice which relates to employees.
b) Unsuccessful applicants
If your application for employment is unsuccessful, we will hold your data on file for 12 months after the end of the relevant recruitment process so that we can consider you for any other opportunities that may arise. In addition, your personal data is retained for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal data in accordance with our data retention policy.
It is likely that we may wish to retain your personal data on file for further periods on the basis that a further opportunity may arise in future and we may wish to consider you for that. If so, we will write to you separately, seeking your explicit consent to retain your personal data for a further fixed period on that basis.
You can ask us to delete your data at any time. Please contact the HR team at firstname.lastname@example.org if you have any queries.
11. Lawful basis
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
12. Third parties
Internal third parties: Other companies in the Group acting as controllers or processors.
External third parties:
13. Your legal rights
You have the right to: