Data Protection Policy
In this policy the following terms have the following meanings:
‘consent’ means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘data processor’ means an individual or organisation which processes personal data on behalf of the data controller;
‘personal data’* means any information relating to an individual who can be identified, such as by a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to an individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual;
‘sensitive personal data’* means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sex life or sexual orientation and an individual’s criminal convictions.
*For the purposes of this policy we use the term ‘personal data’ to include ‘sensitive personal data’ except where we specifically need to refer to sensitive personal data.
‘Supervisory authority’ means an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).
All of these definitions are italicised throughout this policy to remind the reader that they are defined terms.
The Company processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws. The Company has registered with the ICO and its registration number is Z9239544.
The Company may hold personal data on individuals for the following purposes:
- Staff administration;
- Advertising, marketing and public relations;
- Accounts and records;
- Administration and processing of work-seekers’ personal data for the purposes of providing work-finding services, including processing using software solution providers and back office support;
- Administration and processing of clients’ personal data for the purposes of supplying/introducing work-seekers.
1. The data protection principles
The Data Protection Laws require the Company acting as either data controller or data processor to process data in accordance with the principles of data protection. These require that personal data is:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and that
- The data controller shall be responsible for, and be able to demonstrate, compliance with the principles.
2. Legal bases for processing
The Company will only process personal data where it has a legal basis for doing so (see Annex A). Where the Company does not have a legal reason for processing personal data any processing will be a breach of the Data Protection Laws.
The Company will review the personal data it holds on a regular basis to ensure it is being lawfully processed and it is accurate, relevant and up to date and those people listed in the Appendix shall be responsible for doing this.
Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as umbrella companies, persons making an enquiry or complaint and any other third party (such as software solutions providers and back office support)), the Company will establish that it has a legal reason for making the transfer.
3. Privacy by design and by default
The Company has implemented measures and procedures that adequately protect the privacy of individuals and ensure that data protection is integral to all processing activities. This includes implementing measures such as:
- data minimisation (i.e. not keeping data for longer than is necessary);
- cyber security.
For further information please refer to the Company’s Information Security Policy.
The Company shall provide any information relating to data processing to an individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. The Company may provide this information orally if requested to do so by the individual.
- Privacy notices
Where the Company collects personal data from the individual, the Company will give the individual a privacy notice at the time when it first obtains the personal data.
Where the Company collects personal data other than from the individual directly, it will give the individual a privacy notice within a reasonable period after obtaining the personal data, but at the latest within one month. If the Company intends to disclose the personal data to a third party then the privacy notice will be issued when the personal data are first disclosed (if not issued sooner).
Where the Company intends to further process the personal data for a purpose other than that for which the data was initially collected, the Company will give the individual information on that other purpose and any relevant further information before it does the further processing.
- Subject access requests
The individual is entitled to access their personal data on request from the data controller.
The individual, or another data controller at the individual’s request, has the right to ask the Company to rectify any inaccurate or incomplete personal data concerning an individual.
If the Company has given the personal data to any third parties it will tell those third parties that it has received a request to rectify the personal data unless this proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however the Company will not be in a position to audit those third parties to ensure that the rectification has occurred.
The individual, or another data controller at the individual’s request, has the right to ask the Company to erase an individual’s personal data.
If the Company receives a request to erase it will ask the individual if s/he wants his or her personal data to be removed entirely or whether s/he is happy for his or her details to be kept on a list of individuals who do not want to be contacted in the future (for a specified period or otherwise). The Company cannot keep a record of individuals whose data it has erased so the individual may be contacted again by the Company should the Company come into possession of the individual’s personal data at a later date.
If the Company has made the data public, it shall take reasonable steps to inform other data controllers and data processors processing the personal data to erase the personal data, taking into account available technology and the cost of implementation.
If the Company has given the personal data to any third parties it will tell those third parties that it has received a request to erase the personal data, unless this proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however the Company will not be in a position to audit those third parties to ensure that the rectification has occurred.
- Restriction of processing
The individual, or a data controller at the individual’s request, has the right to ask the Company to restrict its processing of an individual’s personal data where:
- The individual challenges the accuracy of the personal data;
- The processing is unlawful and the individual opposes its erasure;
- The Company no longer needs the personal data for the purposes of the processing, but the personal data is required for the establishment, exercise or defence of legal claims; or
- The individual has objected to processing (on the grounds of a public interest or legitimate interest) pending the verification whether the legitimate grounds of the Company override those of the individual.
If the Company has given the personal data to any third parties it will tell those third parties that it has received a request to restrict the personal data, unless this proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however the Company will not be in a position to audit those third parties to ensure that the rectification has occurred.
- Data portability
The individual shall have the right to receive personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller in circumstances where:
- The processing is based on the individual’s consent or a contract; and
- The processing is carried out by automated means.
Where feasible, the Company will send the personal data to a named third party on the individual’s request.
- Object to processing
The individual has the right to object to their personal data being processed based on a public interest or a legitimate interest. The individual will also be able to object to the profiling of their data based on a public interest or a legitimate interest.
The Company shall cease processing unless it has compelling legitimate grounds to continue to process the personal data which override the individual’s interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
The individual has the right to object to their personal data being processed for direct marketing.
- Enforcement of rights
All requests regarding individual rights should be sent to the person whose details are listed in the Appendix.
The Company shall act upon any subject access request, or any request relating to rectification, erasure, restriction, data portability or objection or automated decision making processes or profiling within one month of receipt of the request. The Company may extend this period for two further months where necessary, taking into account the complexity and the number of requests.
Where the Company considers that a request under this section is manifestly unfounded or excessive due to the request’s repetitive nature the Company may either refuse to act on the request or may charge a reasonable fee taking into account the administrative costs involved.
- Automated decision making
The Company will not subject individuals to decisions based on automated processing that produce a legal effect or a similarly significant effect on the individual, except where the automated decision:
- Is necessary for the entering into or performance of a contract between the data controller and the individual;
- Is authorised by law; or
- The individual has given their explicit consent.
The Company will not carry out any automated decision-making or profiling using the personal data of a child.
Reporting personal data breaches
All data breaches should be referred to the persons whose details are listed in the Appendix.
- Personal data breaches where the Company is the data controller:
Where the Company establishes that a personal data breach has taken place, the Company will take steps to contain and recover the breach. Where a personal data breach is likely to result in a risk to the rights and freedoms of any individual the Company will notify the ICO.
Where the personal data breach happens outside the UK, the Company shall alert the relevant supervisory authority for data breaches in the affected jurisdiction.
- Personal data breaches where the Company is the data processor:
The Company will alert the relevant data controller as to the personal data breach as soon as it is aware of the breach.
- Communicating personal data breaches to individuals
Where the Company has identified a personal data breach resulting in a high risk to the rights and freedoms of any individual, the Company shall tell all affected individuals without undue delay.
The Company will not be required to tell individuals about the personal data breach where:
- The Company has implemented appropriate technical and organisational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorised to access it, such as encryption.
- The Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of the individual is no longer likely to materialise.
- It would involve disproportionate effort to tell all affected individuals. Instead, the Company shall make a public communication or similar measure to tell all affected individuals.
All individuals have the following rights under the Human Rights Act 1998 (HRA) and in dealing with personal data these should be respected at all times:
- Right to respect for private and family life (Article 8).
- Freedom of thought, belief and religion (Article 9).
- Freedom of expression (Article 10).
- Freedom of assembly and association (Article 11).
- Protection from discrimination in respect of rights and freedoms under the HRA (Article 14).
If you have a complaint or suggestion about the Company’s handling of personal data then please contact the person whose details are listed in the Appendix to this policy.
Alternatively you can contact the ICO directly on 0303 123 1113 or at https://ico.org.uk/global/contact-us/email/
The Company’s Data Protection representative is Michael Allen.
The Data Protection representative is responsible for:
- adding, amending or deleting personal data;
- responding to subject access requests/requests for rectification, erasure, restriction, data portability, objection and automated decision making processes and profiling;
- reporting data breaches/dealing with complaints.
a) The lawfulness of processing conditions for personal data are:
- Consent of the individual for one or more specific purposes.
- Processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual to enter into a contract.
- Processing is necessary for compliance with a legal obligation that the controller is subject to.
- Processing is necessary to protect the vital interests of the individual or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual which require protection of personal data, in particular where the individual is a child.
b) The lawfulness of processing conditions for sensitive personal data are:
- Explicit consent of the individual for one or more specified purposes, unless reliance on consent is prohibited by EU or Member State law.
- Processing is necessary for carrying out data controller’s obligations under employment, social security or social protection law, or a collective agreement, providing for appropriate safeguards for the fundamental rights and interests of the individual.
- Processing is necessary to protect the vital interests of the individual or another individual where the individual is physically or legally incapable of giving consent.
- In the course of its legitimate activities, processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body, with a political, philosophical, religious or trade union aim and on condition that the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without the consent of the individual.
- Processing relates to personal data which are manifestly made public by the individual.
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the individual.
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional and subject to the necessary conditions and safeguards.
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the individual, in particular professional secrecy.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard fundamental rights and interests of the individual.
At Indotronix Avani we are dedicated to safeguarding and preserving your privacy when you visit our site or when communicating electronically with us.
The Data Controller
Indotronix Avani UK, Ltd is the data controller for any personal information you supply to us in relation to enquiries about our services and when registering as a client or candidate. Our full postal address and contact details are:
Indotronix Avani UK, Ltd
3 Magdalene Street, Glastonbury, England, BA6 9EW
Telephone Number: 07514 806522
Email Address: email@example.com
Our nominated representative is Michael Allen.
Who we are and what we do
We are a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003. We collect the personal data of the following types of people to allow us to undertake our business:
- Prospective and placed candidates for permanent or temporary roles.
- Prospective and live client contacts.
- Supplier contacts to support our services.
- Employees, consultants, temporary workers.
We collect information about you to carry out our core business and ancillary activities.
Information you give to us or we collect about you
This is information about you that you give us by filling in forms on our site www.iic.com/uk or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you register to use our site, to enter our database, subscribe to our services, attend our events, participate in discussion boards or other social media functions on our site, enter a competition, promotion or survey, and when you report a problem with our site.
The information you give us or we collect about you may include your name, address, private and corporate e-mail address and phone number, financial information, compliance documentation and references verifying your qualifications and experience and your right to work in the United Kingdom, curriculum vitae and photograph, links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, business Facebook or corporate website.
Information we collect about you when you visit our website
With regard to each of your visits to our site we will automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information if applicable, operating system and platform.
- information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site including date and time, products you viewed or searched for, length of visits to certain pages, page interaction information such as scrolling, clicks, and mouse-overs, methods used to browse away from the page.
Information we obtain from other sources
This is information we obtain about you from other sources such as LinkedIn, corporate websites, job board websites, online CV libraries, your business card and personal recommendations. In this case we will inform you, by sending you this privacy notice, within a maximum of 30 days of collecting the data of the fact we hold personal data about you, the source the personal data originates from and whether it came from publicly accessible sources, and for what purpose we intend to retain and process your personal data.
Purposes of the processing and the legal basis for the processing
We use information held about you in the following ways:
To carry out our obligations arising from any contracts we intend to enter into or have entered into between you and us and to provide you with the information, products and services that you request from us, or we think will be of interest to you because it is relevant to your career or to your organisation.
The core service we offer to our candidates and clients is the introduction of candidates to our clients for the purpose of temporary or permanent engagement. However, our service expands to supporting individuals throughout their career and to supporting businesses’ resourcing needs and strategies.
Our legal basis for the processing of personal data is our legitimate business interests, described in more detail below, although we will also rely on contract, legal obligation and consent for specific uses of data.
We will rely on contract if we are negotiating or have entered into a placement agreement with you or your organisation or any other contract to provide services to you or receive services from you or your organisation.
We will rely on legal obligation if we are legally required to hold information on you to fulfil our legal obligations.
We will in some circumstances rely on consent for particular uses of your data and you will be asked for your express consent, if legally required. Examples of when consent may be the lawful basis for processing include permission to introduce you to a client (if you are a candidate).
Our Legitimate Business Interests
Our legitimate interests in collecting and retaining your personal data are described below:
As a recruitment business and recruitment agency we introduce candidates to clients for permanent employment, temporary worker placements or independent professional contracts. The exchange of personal data of our candidates and our client contacts is a fundamental, essential part of this process.
In order to support our candidates’ career aspirations and our clients’ resourcing needs we require a database of candidate and client personal data containing historical information as well as current resourcing requirements.
To maintain, expand and develop our business we need to record the personal data of prospective candidates and client contacts.
Should we want or need to rely on consent to lawfully process your data we will request your consent orally, by email or by an online process for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time.
Other uses we will make of your data
- use of our website.
- to notify you about changes to our service.
- to ensure that content from our site is presented in the most effective manner for you and for your computer.
We will use this information:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer.
- to allow you to participate in interactive features of our service, when you choose to do so.
- as part of our efforts to keep our site safe and secure.
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you.
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
What information do we collect?
Indotronix Avani UK, Ltd may collect your personal and sensitive personal data such as your name, address, date of birth, contact details, email address and sensitive personal information obtained from your CV such as criminal convictions and ethnic origin.
What do we use your information for?
The information that we collect and store relating to you is primarily used to provide our services to you. In addition, we may use the information for the following reasons:
- Internal record keeping.
- To meet our contractual commitments to you.
- To contact you via email, SMS or phone, about vacancies that we believe you may be interested in.
- Maintain our business relationship, where you are a user of our website as client or candidate.
- To assess data about you against vacancies which we believe may be suitable for you.
- To send your information to clients for potential jobs or to assess suitability for the role. We will obtain verbal consent before presenting your details to a client.
- Where you have consented, we will directly market our services, and advise you of any updates to our services. Where we do so you will be able to unsubscribe at any time from receiving any further information from us.
- To enable you to submit your CV for general applications, to apply for specific roles or to subscribe to our job alerts which we believe may be of interest to you.
- To fulfil contractual obligations with our clients
- We may periodically send promotional emails about new services, specials or other information (which we think you may find interesting) using the email address which you have provided.
- From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone or mail. We may use the information to customise the website according to your interests.
- To third parties where we have retained them to provide services that we, you, or our client have requested including references, qualifications and criminal reference checking services (as required), verification of the details you have provided from third party sources, psychometric evaluations or skills tests. These third parties comply with similar undertakings of privacy and confidentiality as Indotronix Avani UK, Ltd.
- To trusted third parties who perform functions on our behalf and who also provide services to us, such as professional advisors and IT consultants carrying out testing and development work on our business technology systems. These third parties comply with similar undertakings of privacy and confidentiality as Indotronix Avani UK, Ltd.
- The personal and sensitive personal information you provide us may be sent to clients and third parties located outside the European Economic Area (EEA). When we transfer your personal information outside the EEA we will take reasonable steps with the aim of ensuring that your privacy rights continue to be protected.
- We may also release your personal information to regulatory or law enforcement agencies, if they require us to do so by law.
How long do we keep it for?
We will only retain your data for as long as there is either a statutory requirement for us to do so or to be able to provide a service to you. This will usually require us to retain your personal data after any business relationship has ended for accounts and records purposes and to deal with any account support questions.
For further information please see our Retention Policy.
We may on occasion gather information regarding your computer whilst you are on our website. This enables us to improve our services and to provide statistical information regarding the use of our website.
Such information will not identify you personally; it is statistical data about our visitors and their use of our site. This statistical data does not identify any personal details whatsoever.
Similarly to the above, we may gather information about your general internet use by using a cookie file. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer as cookies contain information that is transferred to your computer’s hard drive. They help us to improve our website and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular parts of our website.
What Cookies do we use?
How secure is your Personal Data?
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
We may transfer data that we collect from you to locations outside of the European Economic Area for processing and storing. Also, it may be processed by staff operating outside the European Economic Area who work for us or one of our suppliers.
Data that is provided to us is stored on our secure servers. Details relating to any transactions entered into on our site will be encrypted to ensure their safety.
The transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and transmission of such data is therefore entirely at your own risk.
Third Party Links
You may find links to third party websites on our website. These should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you before collecting your data if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes and we will collect express consent from you if legally required prior to using your personal data for marketing purposes.
You can exercise your right to accept or prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
The GDPR provides you with the right to:
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party in certain formats, if practicable.
- Make a complaint to a supervisory body which in the United Kingdom is the Information Commissioner’s Office. The ICO can be contacted through this link: https://ico.org.uk/concerns
Access to information
The Data Protection Act 1998 and the GDPR give you the right to access information held about you. We also encourage you to contact us to ensure your data is accurate and complete.
Your right of access can be exercised in accordance with the Act and the GDPR.
A subject access request should be submitted to email@example.com. No fee will apply.
You can object or withdraw your consent to the use of your personal information at any time. This may affect the services we are able to supply you.
For more information on your rights please visit the ICO website https://ico.org.uk
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required to do so by law.
Under the Data Protection Act 1998 and the General Data Protection Regulation (GDPR), Indotronix Avani UK, Ltd will, upon request and within one month, provide you with details of personal information we hold about you.
If you would like a copy please submit your request in writing to:
Indotronix Avani UK, Ltd
3 Magdalene Street
If you have any questions about this policy or about your personal information then please contact our Data Protection Officer – Michael Allen on 07514 806522 or email firstname.lastname@example.org.
Information Security & Data Protection Policy
Indotronix Avani UK, Ltd processes personal data in relation to its own staff and individual client member/potential member contacts. It is vitally important that we abide by the principles of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 set out below.
Indotronix Avani UK, Ltd holds data on individuals for the following general purposes:
- Staff Administration.
- Advertising, marketing and public relations.
- Accounts and records.
The data will be processed in compliance with the principles of fair processing in Article 5, GDPR. Indotronix Avani UK, Ltd will:
- Be transparent in relation to employees.
- Tell employees what we are collecting the data for and be specific about what our purposes for processing data are.
- Only collect what we need for the stated, legitimate purposes.
- Keep the personal data up to date and accurate – inaccurate data will be deleted or rectified.
- Not keep data in a form that allows identification of the data subject for longer than is necessary for the legitimate purposes notified to the employee.
- Keep the data secure.
Personal data means data which relates to a living individual who can be identified from the data, or from the data together with other information which is in the possession of, or is likely to come into the possession of, Indotronix Avani UK, Ltd. Data will only be processed in compliance with the following legal bases:
- Legitimate interest.
- Legal obligation.
Data will be reviewed on a regular basis to ensure that it is accurate, relevant and up to date.
Employees are responsible for ensuring that any changes to old or inaccurate data take place in a timely fashion. In addition, all employees should ensure that adequate security measures are in place. For example:
- Computer screens should not be left open by individuals who are accessing personal information.
- Passwords should not be disclosed.
- Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
- Personnel files should always be locked away when not in use and when in use should not be left unattended.
- Care should be taken when sending personal data in the mail.
- Destroying or disposing of personal data counts as processing. Therefore care should be taken in the disposal of any personal data to ensure that it is appropriate.
Data subjects are entitled to obtain access to their data on request. All requests to access data by data subjects i.e., staff or members, should be referred to the Chief Operating Officer, Michael Allen. Where a request is granted, the information will be provided within 30 days of the date of the request.
Any requests for access to a reference given by a third party must be referred to the Chief Operating Officer, Michael Allen, and should be treated with caution even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with data protection laws, and not disclosed without their consent.
Data Retention Policy
Indotronix Avani UK maintains records in accordance with the Data Protection Act 1988 and the Information Commissioner’s Office to ensure that our business runs efficiently and in order to comply with statutory requirements.
Any records that are no longer required are destroyed securely.
|Document Description||Retention Period||Relevant Legal Provision|
|Work-seeker records including application form/CV, ID checks, terms of engagement (see also below), details of assignments, opt-out notices and interview notes; Hirer records including client details, terms of business (see below), assignment/vacancy details||2 years from the last date of providing work-finding services as an Employment Agency or Employment Business||Conduct of Employment Agencies and Employment Businesses Regulations 2003|
|Terms of engagement with temporary worker and terms of business with clients||6 years in order to deal with any civil action in the form of contractual claim||Limitation Act 1980|
|Working time records: 48 hour opt out notice; annual leave records||2 years from the time they were created|
|Annual appraisal/ assessment records||5 years||Under the DPA no specific period is detailed so records should only be kept as long as necessary|
|References||1 year following the introduction or supply of a work-seeker to a client||Conduct Regulations|
|Records held relating to right to work in the UK||2 years after employment or engagement has ended|
|Sickness records – statutory sick pay||7 years|
|Statutory maternity, paternity, adoption pay||7 years from the end of the tax year to which it relates|
|Pension auto-enrolment (including auto-enrolment date, joining date, opt in and opt out notices, contributions paid)||7 years except for opt out notices which are kept for 4 years.|
|Staff records including CV, ID, bank details, reference information and other personnel information (e.g. absence & disciplinary records)||2 years from employee termination date|
Company Financial Records
|Document Description||Retention Period||Relevant Legal Provision|
|Company Accounts||7 years|
|Payroll Information||7 years from the end of the year|
|ITEPA (the intermediaries legislation) records||3 years after the tax year to which they relate.|