EMPLOYEE, WORKER & CONTRACTOR PRIVACY NOTICE
Who we are?
Xcede Group (Xcede International Group Holdings Limited) a limited company registered in England and Wales under registration number 11996176, with a registered office at First Floor, 3-8 Carburton Street, London, England, W1W 5AJ. The Xcede Group, incorporates Earthstream, Xcede and Etonwood. This Notice is made in representation of the entire Xcede Group.
Xcede Group is a recruitment business which provides work-finding services to its clients and work-seekers. Xcede Group must process Personal Data (and, in some cases, Special Category Personal Data) so that it can provide its recruitment services. All companies under the Xcede Group collect the same Personal Data. The only differences between the companies are the sectors they recruit within.
EarthStream: We source and select top talent across all energy sectors globally. Since 2010, EarthStream has delivered exceptional local talent along with experienced expats across a diverse range of energy companies around the world.
Xcede: We connect companies with exceptional professionals that empower growth. Founded in 2003, our vertical specialists provide global transformational talent in data, digital, technology, cyber and embedded software. Across our key areas, our experts operate with a focus on delivering excellence and expertise for our clients.
Etonwood specialises in infrastructure, development and service now recruitment, providing adaptable talent search that is closely tailored to financial markets, technology consultancy, and service management.
The Xcede Group will process your personal information in accordance with all applicable laws, including the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR). The UK GDPR will apply if you are in the UK and the EU GDPR will apply if you are in the EU.
1. What Personal Data is
The term “Personal Data” means any information relating to you that identifies you, or through which you can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to you physical, physiological, genetic, mental, economic, cultural or social identity.
The term “Special Category Personal Data” is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying someone, criminal records, data concerning health and data concerning a person’s sex life or sexual orientation.
2. The purpose of this Privacy Notice
The purpose of this Privacy Notice is to let you know how we process your Personal Data when you visit our website or apply for a job. When doing that, we act as the Data Controller.
This Privacy Notice therefore explains what Personal Data we collect from you and how we collect, use, store and disclose it. This Privacy Notice also contains information about your rights under applicable data protection legislation.
We are committed to compliance with data protection laws. We believe that ensuring data protection compliance is the foundation of trustworthy business relationships.
It is important that you read this Privacy Notice together with any other Privacy Notices we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other Privacy Notices and is not intended to override them.
3. The Data Protection Principles
We will comply with the EU GDPR, UK GDPR and the DPA 2018. Article 5 of the UK GDPR and the EU GDPR contains the data protection principles, which require that Personal Data shall be:
· Processed lawfully, fairly and in a transparent way.
· Collected for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes.
· Adequate, relevant and limited to what is necessary.
· Accurate and, where necessary, kept up to date.
· Kept for no longer than is necessary for the purposes we have told you about.
· Kept securely.
We operate according to the principles of the UK GDPR and the EU GDPR.
4. Why we collect your Personal Data and the Type of Data Collected
We collect your Personal Data for the purpose of providing you with Xcede recruitment services. We will collect data about you, both personal data (such as your name and contact details) and, in some cases, Special Category Personal Data (such as information about your health or disability which is needed for the purpose of making reasonable adjustments for you during the recruitment process or to find out whether you would be able to undertake a function which is intrinsic to the job). Depending on the relevant circumstances and applicable local laws and requirements, we may collect:
· CVs, cover letters, and Application forms.
· Date of birth.
· Next of kin details
· Email address.
· Residential address.
· Phone number.
· Visa details and copies of passports.
· Bank or building society account details.
· Details of job role and salary including data held on staff organisation charts.
· Records concerning appraisal and training.
· Sickness and other absence details.
· Contracts or terms and conditions of employment.
· Correspondence between you and Xcede Group
· Correspondence, such as references, between Xcede Group and third parties in relation to your Employment.
· Visual images, for example if CCTV images are used as part of building security
· Investigations into breaches of terms and conditions of employment.
· Records of disciplinary proceedings.
· Health and safety records (including accident reports).
· In some departments, workload and work allocation.
· Where appropriate, audio and/or video recordings of lectures, presentations and workshops and team incentives.
· During our interviews, information about your personal life, including family, place of residence, personal background, education, job experience, views and opinions on situations and the workplace, preferences, life set up.
5. How we collect your Personal Data
We will collect your Personal Data directly from you in the following ways:
· Job application via the Group’s website
When you apply for a job via Xcede Group, you will be required to provide personal data for your application. For example, your contact details and your, right to work and employment history.
· Xcede’s website profile creation
When you create a profile on one of the websites within the Xcede Group, you will be required to provide contact details.
· Job applications via the direct job advert
When you apply for a job directly, you will be required to provide contact details and job history.
· Applicants found on the job board via the CV search function
If we find you on the job board, you will have already provided your contact details in order to apply for prospective jobs.
· Applicants found on LinkedIn
If we find you on LinkedIn, you will have already provided your employment history on your LinkedIn profile.
· Applicants found via Headhunt
This system is used to understand where key hires are placed, so the Xcede Group will contact candidates directly to introduce them to a role and then request more data.
· Applicants found on Daxtra
Daxtra sits in between applications and entry onto the CRM, creating coversheets entering candidates if flagged in Broadbean or sent via email to Daxtra. This data will include contact details and employment history.
· Applicants found via Broadbean
Broadbean is an applicant tracking system that sits between Xcede and the Job boards. Applicant data is stored in AdCourier. This data will include contact details and employment history.
· Details stored on CRM systems – Permanent placements
Our CRM systems will store candidate details, such as contact details, employment history and salary details. Our systems can also be used to communicate with clients to confirm candidates’ placements or offers.
· Communications via email, including scheduling and conducting phone and/or videophone interviews, providing you with feedback, and managing communications between you and prospect employers.
We may communicate with you via email in order to discuss your job applications or you may apply for jobs via an email sent directly to Xcede Group. During that correspondence, you will be providing Personal Data. We will process the Personal Data you provide to us to respond to you and provide our recruitment services. Emails will be stored in accordance with our retention period set out in the Schedule of Processing which can be found at the end of this document.
· Security checks
Special Category Personal Data may be collected as part of your recruitment process in order to carry out DBS, eligibility to work and additional checks for successful candidates. This will include your name, proof of address, and your passport. We rely on third-parties to assist us with the checks.
· Through third-party mailing lists
Name, role, corporate email address, corporate mobile phone number, organisation, place of work, company, photographs, and seniority levels within the organisation are collected from third-party mailing lists and databases to fulfil our legitimate interests of reaching out to prospect businesses.
6. How we use your Personal Data
We will use your Personal Data in order to provide you with the Xcede Group service. In particular, when you access and interact with our website or recruitment consultants, we need to track your activities to enable you to connect to our website. We use tracking cookies to identify you in performance of this service, information of which is provided in detail in our Cookie Policy https://www.xcedegroup.com/legal_documents/cookies
We will only use your Personal Data for the purpose we collected it and in accordance with the law. We will not use your Personal Data for any other purpose without your prior consent or any other lawful basis under the applicable data protection regulations, including if processing personal data is required or permitted by law, such as where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the enforcement of civil law matters.
7. Our Lawful Bases for processing your Personal Data
The UK GDPR and the EU GDPR (our global standards of data protection compliance) requires that a controller must have a lawful basis for processing Personal Data. More details are provided in the Schedule of Processing but, in most instances, our lawful bases for processing your personal information are:
· The processing is necessary Article 6(b) of the UK GDPR or the EU GDPR for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. This is where you engage with the Xcede Group such as by applying directly on the website, job boards, or LinkedIn, with a view to securing an employment contract with the prospecting employer.
· The processing is necessary Article 6(b) of the UK GDPR or the EU GDPR for the performance of the services we provide you in order to receive, process and provide you with a response to your enquiries made through our website or phone, or when you download materials from our website such as Salary Surveys and any other guides.
· We need to comply with a legal obligation under Article 6(c) of the UK GDPR or the EU GDPR. For example, this is where the law requires us to obtain Personal Data in relation to things like work permit and DBS checks, making reasonable adjustments, and in relation to maintaining personal and financial records according to the relevant legislation;
· It is necessary for our legitimate interests (or those of a third party, including you) and there are no overriding interests under Article 6(f) of the UK GDPR and the EU GDPR. Under this lawful basis, we’ll process your personal data to provide you with high-standard recruitment services, including providing you with feedback regarding an unsuccessful application and contacting you regarding job positions we think may be of your interest, both for our internal recruitment services and when recruiting for our company clients in the context of providing our services. If you’re a business, we may also send you marketing content under the legitimate lawful basis, or contact people within your organisation to generate leads and upscaling our selling process.
· We have your consent under Article 6(a) of the UK GDPR and the EU GDPR. This is where you agree either in writing or verbally for us to store and process your Personal Data for our marketing purposes – including sending you newsletters, invitations to our webinars/events, and obtaining analytical insights about how you interact with our website, connecting your LinkedIn account with our portal, and to contact you with potential jobs available.
8. Who we share your Personal Data with?
Your Personal Data may be shared internally to the Xcede Group for purpose of providing our recruitment services.
We will only share your personal data with reliable and data protection compliant third parties, and we adopt the necessary measures to ensure they will provide sufficient standards of data protection, including through signing the appropriate agreements.
Your Personal Data may also be shared as follows:
· Service Providers
This can include database management systems that we use to store data, finding prospective candidates and sharing that information with our clients, including recruitment platforms (Headhunt, Daxtra, Broadbean) DBS checking companies (Verifile, People Check, First Advantage and Accurate), CRM systems (Mercury CRM),and our internal data management providers (such as Microsoft and Mailchimp)
· Sharing data with prospective employers and other third parties
This is essential to carry out our business and place candidates.
· Data transfer due to a legal obligation
If we are obligated to transfer your Personal Data to a third party based on a legal obligation or in order to comply with applicable laws and governmental bodies, we will only do so in accordance with those laws (i.e.: DPA 2018, EU GDPR and UK GDPR). This may include for example, defending or pursuing legal claims, investigating fraud and co-operating with criminal investigations, such as complying with a subpoena, or similar legal process, or with the ICO (UK) or other Data Protection Supervisory Authorities.
· Between Xcede Group entities
We may share your personal data across our business entities located across the globe for operational reasons.
9. Marketing
With your consent, we may contact you via email or phone to promote our services, send you newsletters, and invite you to webinars/events. To start or stop receiving marketing from us, simply contact us via our job website portal, let us know through the phone, or use the unsubscribe button placed on our communications.
Where we are legally required to obtain your consent to provide you with marketing material, for instance, when you’re a job applicant, we will only provide you with such marketing materials if you have provided consent for us to do so.
To fulfil our legitimate interests, we rely on third-party B2B data bases to provide us with prospect contact details and allow us to reach out to relevant people with decision-making powers inside prospect organisations. We only receive corporate identifiers such as name, corporate email address and phone number, role, location of work, seniority degree and organisation.
When we collect B2B mailing lists and build a prospect data base, we only do it so in compliance with the Privacy of Electronic Communication Act (PECR).
If you want to unsubscribe from mailing lists or any marketing, you should look for and follow the instructions we have provided in our relevant communications to you, such as by using the unsubscribe link.
If you choose to unsubscribe from any or all marketing, we may retain information sufficient to identify you so that we can honour your request.
10.How long we will keep your Personal Data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.
At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.
When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the Personal Data which we hold and the purposes for which it is held and processed.
11.Security of your Personal Data
We implement appropriate technical and organisational measures to protect data that we process from unauthorised disclosure, use, alteration or destruction. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any relevant supervisory authority of such a breach when appropriate.
In addition to the technical and organisational measures we have put in place, there are a number of simple things you can do to in order to further protect your personal information;
1. Never share your portal password.
2. Never enter your details after clicking on a link in an email or text message.
3. Always send confidential information by encrypted email where possible this reduces the risk of interception.
4. If you’re logged into any online service do not leave your computer unattended.
5. Close down your internet browser once you’ve logged off.
6. Never download software or let anyone log on to your computer or devices remotely, during or after a cold call.
12.International Transfers
In order to provide our services, we may need to send your Personal Data outside the UK and, in some cases, outside the EEA. For example, although part of the Xcede Group is based only in the UK (Etonwood), other divisions of the Xcede Group have offices, not only in the UK, but in Europe (Spain & Germany) and in Africa, Asia and North America. It may therefore be necessary to transfer your Personal Data to our other offices outside the UK and/or the EEA. Also, it may be necessary to send your Personal Data outside the UK and/or the EEA in order to share it with third parties, such as, your prospective employer.
If we do transfer your Personal Data outside the UK and/or the EEA, we will ensure that it receives the same protection as if it were being processed inside the UK or the EEA. For example, we will ensure that the country we are sending it to has an adequacy decision issued by the European Commission. (Whilst the UK is no longer in the EU, the UK recognises all adequacy decisions already made by the European Commission). In the absence of an adequacy decision, Xcede will adopt other appropriate safeguards to protect your Personal Data, such as Standard Contractual Clauses (SCC) issued by the European Commission if you are in the EU, and the International Data Transfer Agreement if you are in the UK
13.Your Rights
You have rights under the data protection legislation and, subject to certain legal exemptions, we must comply - and assist the prospective employer to comply - when you inform us that you wish to exercise these rights. There is no charge, unless your requests are manifestly unfounded or excessive. In such circumstances, we may make a reasonable charge or decline to act on your request. Before we action your request, we may ask you for proof of your identity. Once in receipt of this, we will process the request without undue delay and within one month. In order to exercise your rights please contact dataprivacy@xcedegroup.com
You have the following rights in respect of your personal data:
-
You have the right of access to your personal data and can request copies of it and information about our processing of it.
-
If the personal data we hold about you in incorrect or incomplete, you can ask us to rectify or add to it.
-
Where we are using your personal data with your consent, you can withdraw your consent at any time.
-
Where we are using your personal because it is in our legitimate interests to do so, you can object to us using it this way.
-
Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
-
You can ask us to restrict the use of your personal data if:
o It is not accurate.
o It has been used unlawfully but you do not want us to delete it.
o We do not need it any-more, but you want us to keep it for use in legal claims; or
o if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
-
In some circumstances you can compel us to erase your personal data and request a machine-readable copy of your personal data to transfer to another service provider.
-
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
You can also lodge a complaint with the Information Commissioner’s Office. They can be contacted using the information provided at: https://ico.org.uk/concerns/ and their address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
14.Your obligations
If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account or otherwise notify us to ensure that the data we hold about you is accurate and up to date.
15.How to contact our Data Protection Officer
We have appointed a global Data Protection Officer (DPO) to handle data protection matters. You can contact via email or via dataprivacy@Xcedegroup.com
16.Changes to this Privacy Notice
We reserve the right to update this Privacy Notice from time to time. Updates to this Privacy Notice will be published on our website. To ensure you are aware of when we make changes to this Privacy Notice, we will amend the revision date at the top of this page. Changes apply as soon as they are published on our website. We therefore recommend that you visit this page regularly to find out about any updates that may have been made.
