CV Check Limited (“CV Check”, “we”, “us” or “our”) is a company incorporated in England and Wales with company number 03344117. Our registered office is Elsley Court, 20-22 Great Titchfield Street, London, UK W1W 8BE, United Kingdom.
This policy sets out the basis on which we process any personal data we collect from individuals, or that individuals provide to us, or that we obtain from other sources in each case in connection with:
• use of our website www.cvcheck.co.uk;and
• our services.
For the purpose of data protection laws, we are the controller and we are registered with the Information Commissioner's Office under number Z4788364.
1 BASIS FOR PROCESSING personal data
1.1 Sections 1.2 – 1.7 below explain how and why we process an individual's personal data, as well as the legal basis on which this processing is carried out.
1.2 Candidate screening products and services: We provide our clients with pre-employment screening products and services that allow our clients to carry out various checks on existing employees (such as those already in a role or being promoted or transferred to another role), consultants or temporary hires (such as those being placed on a new project via an agent or executive outsourcing team) or prospective employees, (each a "candidate"). Where clients order products and/or services from us, we will process the candidate's personal information which is provided to us either by our clients or directly by the candidate themselves when they make use of our online / hardcopy application form questionnaire. Our use of personal data in this way usually includes sharing the candidate's personal data with our data provider partners (please see section 3.2). The legal basis on which a candidate's personal data is processed in this way is the candidate's consent (which is collected either by our clients or via CV Check on instruction from our clients).
1.3 To make our website better: We may process an individual's personal data in order to provide such individual with a more tailored user experience, including using their personal data to make sure our website (including our online application portal) is displayed in the most effective way for the device the individual is using. Where applicable this processing means that the individual's experience of our site will be more tailored to them. We also use various cookies to help us improve our website (more details are set out in section 4), and may share such personal data with the third party analytics and search engine providers that assist us in the improvement and optimisation of our website.
We may also process personal data for the purposes of making our website more secure, and to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
The legal basis on which we process personal data in these circumstances is our legitimate interest to provide individuals with the best customer experience we can, and to ensure that our website is kept secure.
1.4 To provide customer services to our clients and individuals: We may process personal data in order to provide various supporting customer services to individuals (such as individuals who work for and on behalf of our clients and where those individuals contact us with a question in connection with a product or service and/or request certain information from us; or for example, where individuals have recently assisted with one or more of our enquiries - such as providing us with an employment reference - we may send that individual a one-off "thank you postcard" to express our gratitude for their assistance and provide them with marketing information about our products and/or services). The legal basis on which we process an individual's personal data in these circumstances is our respective legitimate interests in providing and receiving customer service communications.
1.5 For marketing purposes: Where:
1.5.1 individuals have expressly opted in to receive marketing communications from us, we will process their personal data to provide them with marketing communications in line with the preferences they have provided; and
1.5.2 individuals have expressly opted in via our website to receive marketing communications from a third party, we will process their personal data by transferring it to the relevant third party,
in each case, the legal basis on which we process personal data is consent. Individuals are not under any obligation to provide us with their personal data for marketing purposes, and they can withdraw their consent to their personal data being processed in this way at any time by contacting us (please see section 13) or, where relevant, by following the unsubscribe link in every marketing communication they receive from us. If individuals do choose to withdraw their consent, this will not mean that our processing of personal data before they withdrew their consent was unlawful.
1.6 If our business is sold: We may transfer individual personal data to a third party:
1.6.1 in the event that we sell or buy any business or assets, in which case we will disclose personal data to the prospective seller or buyer of such business or assets (at all times in accordance with all applicable data protection laws); or
1.6.2 if CV Check or substantially all of its assets are acquired by a third party, in which case personal data held by CV Check about its clients and their candidates will be one of the assets transferred to the purchaser,
in each case, the legal basis on which we process personal data in these circumstances is our legitimate interest to ensure our business can be continued by a purchaser. If individuals object to our use of personal data in this way, the relevant seller or buyer of our business may not be able to provide the applicable products and/or services.
1.7 In certain circumstances we may also need to share personal data if we are under a duty to disclose or share personal data in order to comply with any legal obligation.
2 CATEGORIES OF Information we collect from INDIVIDUALS
2.1 We will collect and process the following personal data.
2.2 Information our clients give us about individuals: When our clients purchase our products and/or services they share information about candidates with us. The information they give us about such candidates may include:
• a candidate's full name (including previous names);
• date of birth;
• National Insurance (NI) number (or corresponding Fiscal Code);
• current address, address history (typically covering the last 6 (six) years); email addresses;
• mobile phone number(s);
• employment data (including employee number, salary and bonus and sickness record);
• educational and/or professional qualifications (including membership information); and
• certified copies of identification documents (including photograph passport, photograph driving licence, utility bills, bank statements, birth certificate).
2.3 Information individuals give us: Where our clients' candidates complete an application form or questionnaire via our online portal, those candidates may provide us directly with the same information as set out in section 2.2.
In addition, individuals (for example such as individuals working for and on behalf of a client) may provide their personal information when making enquiries about and purchasing our products and/or services, filling in forms on our website, registering for our newsletter, or corresponding with us by phone, e-mail or otherwise.
2.4 Online information we collect: With regard to visits to our website we make use of log files and may automatically collect the following information:
2.4.1 technical information, including the Internet protocol (IP) address used to connect an individual's computer to the internet, login information, browser type and version, the Internet Service Provider used, date/time stamps (including time zone setting), browser plug-in types and versions, screen resolution, operating system and platform details; and
2.4.2 information about an individual's visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
2.5 Information we receive from other sources: For certain products and/or services we provide to our clients, we work with third party data providers from whom we may receive information about candidates, such as credit check data, credit activity and any court judgments or bankruptcy orders, or directorships (including disqualified directorships) data. We also work with other third parties (including, for example business partners, sub-contractors, analytics providers, hosting providers and search information providers) from whom we may also receive information about individuals in connection with our products and/or services.
2.6 We do not process any special categories of personal data, meaning personal data revealing:
2.6.1 racial or ethnic origin;
2.6.2 political opinions; religious or philosophical beliefs or trade union membership;
2.6.3 genetic or biometric data that uniquely identifies an individual; or
2.6.4 data concerning an individual's health, sex life or sexual orientation.
2.7 Heightened Risk Checks: On an ad-hoc basis and only at a client's request we are able to provide heightened risk checks. A client uses this service to assess the business and reputational risk posed by a candidate and we currently provide this service using the worldwide search services of our data partner Equifax (please see section 3.2.2). The information obtained falls into three main categories namely – sanctions and embargoes (e.g. the Bank of England sanctions list), known high risks (e.g. money laundering, terrorism, fraud) and politically exposed persons (PEPs). Any heightened risk data we receive in respect of the candidate we pass directly on to our client.
2.8 Criminal Record Checks: Where we facilitate criminal record checks for and on behalf of our clients we do so in the UK and outside the UK.
2.8.1 For criminal record checks in the UK - we do not collect data relating to criminal convictions or offences or related security measures. In these circumstances we operate as an authorised intermediary between the client and the Disclosure & Barring Service (DBS) / Disclosure Scotland in compliance with the DBS Revised Code of Practice for Disclosure and Barring Service Registered Persons and applicable laws.
2.8.2 For criminal record checks outside the UK – we use our data partners (please see sections 3.2.4 & 3.2.5). Where a match is identified on a candidate, they report the information back to us and any criminal record data we receive in respect of the candidate we pass directly on to our client.
When dealing with criminal record checks we take all reasonable steps to ensure that our clients are eligible under applicable laws to receive such reports and that our clients and their candidates acknowledge and accept that we do not make any decision as to the suitability for employment of an individual to whom such information relates – this decision and the responsibilities for that decision are that of our clients and any individual who has a question in relation to such a decision must make contact with the relevant client.
3 CATEGORIES OF RECIPIENTS OF PERSONAL DATA
3.2 An individual's personal data may be shared by us with, or received from, data providers who support our main pre-employment screening services. The four main data providers that support the provision of our products and services are:
3.2.1 GB Group (GBG): GBG provide us with support on UK Criminal Record Checks, Passport Integrity Checks, DVLA Searches and KYC / ID Checks. GBG data is held on UK based servers.
3.2.2 Equifax: Provide us with credit search data (which carries a personnel vetting footprint only – not a credit/lending footprint) and with support on any ad-hoc heightened risk checks (please see section 2.7). The only data we pass to Equifax is a candidate's name, address (including historical addresses) and date of birth. No other information is shared by us. Credit Activity and Directorship reports are generated from matches on that data only. Equifax data is held on UK based servers.
3.2.3 Experian: Provide us with credit search data (non-credit application footprint only). The only data we pass to Equifax is a candidate's name, address (including historical addresses) and date of birth. No other information is shared by us. Credit reports are generated from matches on that data only. Experian data is held on UK based servers.
3.2.4 Info Cubic: Based in the USA, Info Cubic provide us with civil, bankruptcy and criminal record searches (where available) for all countries worldwide (including some outside the European Economic Area (EEA) – India, Japan, USA). Info Cubic also on occasion and only on an as required basis support CV Check in the provision of worldwide employment and educational verification. The only data CV Check pass to Info Cubic is that contained in their separate International Consent Form. No other information is shared by us and Info Cubic reports are generated from matches on that restricted data only. Info Cubic data is held on US based servers except where it is required to be transferred for the purposes of required checks in another country. The data transferred by Info Cubic is minimized to only the essential information from that contained (and consented to) on the signed consent form. Info Cubic self certifies compliance with EU – US Privacy Shield regarding the collection, use and transfer of personal data from EU Member States to the US.
3.3 For operating our business and in order to provide our clients with our products and/or services, we use third party service providers who may process personal data on our behalf. These are:
3.3.1 Blackthorn GRC (Blackthorn): Our client data (including the personal information related to the candidate) is externally hosted by Blackthorn GRC. Blackthorn also provide a workflow / database solution by which we manage our day to day operations. Any information we collect online via our website (or online application portal) is also processed and stored by Blackthorn. Our data is held on Microsoft Azure Servers which are based in the UK only.
3.3.2 Docusign: We use Docusign as a means of gathering contractual client agreements, together with candidate data and consent with the use of electronic signatures online. Docusign data is held on servers which are based in the EU only.
4.2 A cookie is a small file of letters and numbers that we store on an individual's browser or the hard drive of their computer. We only use (and store) non-essential cookies on an individual's computer's browser or hard drive if they provide their consent.
|_utma||Collects data on the number of times a user has visited the website as well as dates for the first and most recent visit. Used by Google Analytics.||2 years||Full explanation of Google Analytics cookie usage available here:|
|_utmb||Registers a timestamp with the exact time of when the user accessed the website. Used by Google Analytics to calculate the duration of the website visit.||Session|
|_utmc||Registers a timestamp with the exact time of when the user leaves the website. Used by Google Analytics to calculate the duration of the website visit.||Session|
|_utmt||Used to throttle the speed of the requests to the server.||Session|
|_utmv||Saves user-defined tracking parameters for use in Google Analytics.||Session|
|_utmz||Collects data on where the user came from, what search engine was used, what link was clicked and what search term was used. Used by Google Analytics.||6 Months|
|_utm.gif||Google Analytics Tracking Code that logs details about the visitor’s browser & computer||Session|
|serverid||Initiated by Webserver- purpose unclassified||Session||Data retained within the UK|
4.4 Individuals can block cookies by activating the setting on their browser that allows individuals to refuse the setting of all or some cookies. However, if individuals use their browser settings to block all cookies (including essential cookies) they may not be able to access all or parts of our website.
4.5 Except for essential cookies, all cookies will expire as outlined under the expiration column in the table included in section 4.2.
5 USES MADE OF THE INFORMATION
5.1 We will combine the information individuals provide to us with information we collect about them. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).
5.2 The transmission of information via the internet is not completely secure. Although we will do our best to protect an individual's personal data, we cannot guarantee the security of their data transmitted to our website; any transmission is at the individual's own risk. Once we have received an individual's information, we will use strict procedures and security features to try to prevent unauthorised access.
6 WHERE WE STORE PERSONAL DATA
6.1 All information provided to us about a candidate is held for and on our behalf by Blackthorn on the Microsoft Azure Platform located in mainland UK.
6.2 Except where we make use of Info Cubic and CV Check Australia / New Zealand services (please see sections 3.2.4 & 3.2.5), the data that we collect about individuals will be stored in (and will not be transferred out of) the EEA.
6.3 Whenever we transfer personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
6.3.1 We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
6.3.2 Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
6.3.3 Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
6.4 If further information on the specific mechanism used by us when transferring an individual's personal data out of the EEA is required please contact us directly (please see section 13).
7 PERIOD OF STORAGE
7.1 Where we process a candidate's data we only retain that individual candidate's personal information for six (6) months following the date we have been paid for the applicable products and/or services in which that individual candidate's personal information was contained. This is to allow for any issues to be resolved with the client and/or that individual candidate.
7.2 After six (6) months a candidate's records will be reduced to a basic log entry (consisting only of that individual candidate's name, date of birth and other key non personal data relating to the case) for audit purposes. We call this an individual candidate's 'audit record'.
7.3 Three (3) years and one (1) day after the date of a client's case completion and after receiving payment from the client, an individual candidate's audit record will be permanently erased from our systems.
7.4 Where we have processed personal data to provide marketing communications with consent, we may contact individuals at least every twelve (12) months to ensure they are happy to continue receiving such communications. If individuals tell us that they no longer wish to receive such communications, their personal data will be removed from our lists.
7.5 Where we have processed an individual's personal data for any other reason (such as where the individual has contacted us with a question in connection with our products and/or services), subject to section 7.1, we will retain the individual's data for 12 (twelve) months from such contact.
7.6 Where a client purchases products and/or services from us, we may retain data relating to that sale (which could include contact information) for a period of six (6) years after the products and/or services were provided to the client, to ensure that we are able to assist with any questions or feedback in relation to our services or to enforce, or protect, or defend our legal rights.
8.2 All our systems are password protected to help ensure there is no unauthorised access to personal data. Where we have given individuals a password (or where individuals have subsequently changed that default password and chosen their own password), the password enables them to access certain parts of our website (including the online portal) and each individual is responsible for keeping this password confidential. Individuals must not share their password with anyone.
9 INDIVIDUAL'S RIGHT TO OBJECT UNDER DATA PROTECTION LAWS
9.1 Individuals have the right to object to us processing their personal data where we are processing personal data:
9.1.1 based on our legitimate interests (as set out at sections 1.3, 1.4 and 1.6 above). If individuals ask us to stop processing their personal data on this basis, we will stop processing their personal data unless we can demonstrate compelling grounds as to why the processing should continue in accordance with data protection laws; and
9.1.2 for direct marking purposes. If individuals ask us to stop processing their personal data on this basis, we will stop.
In each case please do so by contacting us directly (please see section 13).
10 OTHER INDIVIDUAL RIGHTS UNDER DATA PROTECTION LAWS
Right of access
10.1 Individuals have the right to receive confirmation as to whether their personal data is being processed by us, as well as various other information relating to our use of their personal data. Individuals also have the right to access their personal data which we are processing. Individuals can exercise this right by contacting us directly (please see section 13).
Right to rectification
10.2 Individuals have the right to require us to rectify any inaccurate personal data we hold about them. Individuals also have the right to have incomplete personal data we hold about them completed, by providing a supplementary statement to us.
Right to restriction
10.3 Individuals have the right to restrict our processing of their personal data where:
10.3.1 the accuracy of the personal data is being contested by them;
10.3.2 the processing by us of their personal data is unlawful, but the individual does not want the relevant personal data erased;
10.3.3 we no longer need to process their personal data for the agreed purposes, but the individual wants to preserve their personal data for the establishment, exercise or defence of legal claims; or
10.3.4 we are processing their data on the basis of our legitimate interest (as set out at sections 1.3, 1.4 and 1.6 above) and the individual:
10.3.4.1 objects to our processing on the basis of our legitimate interest under section 9.1.1 above; and
10.3.4.2 wants processing of the relevant personal data to be restricted until it can be determined whether our legitimate interest overrides their legitimate interest.
10.4 Where any exercise by an individual of their right to restriction determines that our processing of particular personal data are to be restricted, we will then only process the relevant personal data in accordance with their consent and, in addition, for storage purposes and for the purpose of legal claims.
Right to data portability
10.5 Individuals have the right to receive their personal data in structured, standard machine readable format and the right to transmit such personal data to another controller.
Right to erasure
10.6 Individuals have the right to require we erase their personal data which we are processing where one of the following grounds applies:
10.6.1 the processing is no longer necessary in relation to the purposes for which their personal data was collected or otherwise processed;
10.6.2 our processing of their personal data is based on their consent, individual has subsequently withdrawn their consent and there is no other legal ground we can use to process their personal data;
10.6.3 individuals object to the processing of their personal data as set out in section 9.1.1 above and we have no overriding legitimate interest for our processing;
10.6.4 the personal data has been unlawfully processed; and
10.6.5 the erasure is required for compliance with a law to which we are subject.
10.7 Individuals have the right to lodge a complaint with the Information Commissioner's Office, the supervisory authority for data protection issues in England and Wales.
10.8 Exercising individual rights: Individuals can exercise their rights by contacting us directly (please see section 13).
11 LINKS ON OUR WEBSITE
Our website may, from time to time, contain links to and from the websites of our partner networks and affiliates. Our service connects individuals to different websites. If individuals follow a link to any of these websites or use our service, please note that the individual has left our website and these websites have their own privacy policies. We do not accept any responsibility or liability for these policies or websites. Please check these policies before submitting any personal data to these websites.
Individuals can contact us by telephoning us on +44 (0)1803 525073 or by writing to us at email@example.com. Alternatively, please do get in contact directly with our Managing Director, Katie Turpin firstname.lastname@example.org.