1. Introduction
Carpmaels & Ransford respects your privacy and is committed to protecting your personal data. We are similarly committed to being transparent about how that data is collected and used and to meet our data protection obligations.
This privacy notice was last updated on 15 May 2018 and reflects the changes to data protection law in the UK due to GDPR which came into force on 25 May 2018. It sets out how the firm complies with GDPR and the legal basis under which we process your data in various instances.
2. Purpose of this Privacy Notice
The purpose of this privacy notice is to inform you about how Carpmaels & Ransford collects and processes your personal data when you use our application tracking system and/or interact with members of the firm; this includes any data you may provide to us when you apply for a role at the firm via our applicant tracking system.
To help you understand the meaning of some of the terms used in this privacy notice, we have provided a Glossary.
Please note that this application tracking system is not intended for children and we do not knowingly collect data relating to children.
3. Data Protection Governance at Carpmaels & Ransford
This privacy notice is issued on behalf of the Carpmaels & Ransford Group so when we mention “Carpmaels & Ransford”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant corporate entity in the Carpmaels & Ransford Group responsible for processing your data.
We have appointed a Data Protection Team (reporting into the Chief Operating Officer) to oversee compliance with data protection regulations. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please use the contact details below.
Data Protection Team
Carpmaels & Ransford
One Southampton Row, London, WC1B 5HA
Tel: +44 (0)207 242 8692
data.protection@carpmaels.com
4. What we collect, how we use it, and supplementary privacy notices
We will only use your personal data when the law allows us to. So that you are fully aware of how and why we are using your data, it is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you.
5. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, as listed below:
Further details of your rights can be found in the glossary at the end of this policy. The Information Commissioner's website also provides more detail on the legal rights of individuals in relation to the processing of their personal data (www.ico.org.uk). If you wish to exercise any of the rights set out above, or have any queries or concerns about our use of your data please contact our Data Protection Team using the details at section 3.
7. Your right to make a complaint
In addition to your legal rights set out above, you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues (www.ico.org.uk). We are committed to protecting your personal data and would appreciate the opportunity to address any concerns or complaints you may have before you approach the ICO so that we can remedy them. Any concerns or complaints should be raised with the Data Protection Team in the first instance.
8. Your duty to inform us of changes to your personal data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
9. Data security and data breaches
We take data and information security seriously and both we and our applicant tracking system provider are ISO27001 accredited. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know; they will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data security incident. We will notify you and any applicable regulator of a suspected breach where we are legally required or it is appropriate to do so.
10. Job Applicants
As part of our recruitment process, Carpmaels & Ransford LLP and Carpmaels and Ransford Services Limited (‘we’), as data controllers, collect and process personal data relating to job applicants. We are responsible for deciding how we hold and use personal data about you. This notice sets out how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect, store and use a range of information about you in connection with your application for work with us. This includes:
To ensure meaningful equal opportunity monitoring and reporting, we may invite you to share other personal data such as information about your race or national or ethnic origin; religious, philosophical or moral beliefs; or your sexual orientation; or your gender; or marital status; or age. Such information will be held separately from your application and will be collected and held on an anonymous basis.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose (this includes equality and/or diversity data). Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
10.2. What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
10.3. How your personal data is collected and stored
We may collect your personal data in a variety of ways and from a variety of sources.
We collect personal data about candidates from the following sources:
10.3.2. The recruitment agency through which you applied, namely your CV and cover letter.
10.3.3. Your academic institutions and named referees, from whom we obtain a standard reference. We will seek this information from third parties only once we have made you a job offer and we will inform you that we are doing so.
We will store your personal data in a range of different places, including on your application record, in our applicant tracking system, in HR management systems and on other IT systems (including email).
10.4. How we use your personal data and the legal basis for doing so
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Please refer to the ICO website (www.ico.org.uk) or refer to the Glossary to find out more about the types of lawful basis that we will rely on to process your personal data.
10.5. Purposes for which we will use your personal data
We need to process data to take steps at your request prior to entering into a contract with you. We may also need to process your data to enter into a contract with you.
In some cases, we may need to process data to ensure that we are complying with our legal obligations. For example, we are required to check a successful applicant's eligibility to work in the UK before employment starts.
We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
We may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics and to ensure meaningful equal opportunity monitoring and reporting; this will be collected and held on an anonymous basis.
We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We would process such information to carry out our obligations and to exercise specific rights in relation to employment law.
We do not add the data of job applicants to our marketing lists.
Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
It may be necessary from time to time for us to disclose your personal data to third parties or agents, including without limitation to the following:
(a) referees, academic institutions and external employment check providers to assist in the administration, processing and management of certain activities pertaining to prospective employees including external reference agencies (such as employee vetting and screening agencies); and
(b) regulatory bodies to whom we are obliged or required to disclose information including, Courts and Court-appointed persons, and relevant government departments and agencies.
We will not share your data with third parties other than our applicant tracking solution provider where relevant, unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers and academic institutions to obtain references for you and with third party providers. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We do not currently transfer your personal data outside the European Economic Area (EEA). Were we to do so, transfer would always be made subject to appropriate technical and legal measures.
a) Successful applicants
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The purposes and periods for which your data will be held and processed will be provided to you in a new privacy notice which relates to employees.
b) Unsuccessful applicants
If your application for employment is unsuccessful, we will hold your data on file for 12 months after the end of the relevant recruitment process so that we can consider you for any other opportunities that may arise. In addition, your personal data is retained for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal data in accordance with our data retention policy.
It is likely that we may wish to retain your personal data on file for further periods on the basis that a further opportunity may arise in future and we may wish to consider you for that. If so, we will write to you separately, seeking your explicit consent to retain your personal data for a further fixed period on that basis.
You can ask us to delete your data at any time. Please contact the HR team at careers@carpmaels.com if you have any queries.
10.11. Candidate Responsibilities
You should use all reasonable endeavours to keep us informed of any changes to your personal data. If you become aware of a data breach or a potential data breach in respect of personal data please report the matter immediately to the Data Protection Team (see 3.)
GLOSSARY
11. Lawful basis
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
12. Third parties
Internal third parties: Other companies in the Group acting as controllers or processors.
External third parties:
13. Your legal rights
You have the right to: