IR2UK Part of RGH Global Ltd GDPR Data Protection Policy 2023

1. Introduction

As a recruitment business, RGH Global Ltd (including IR2UK) collects and processes both personal data and sensitive personal data. This policy outlines how RGH implements the Data Protection Laws and should be read in conjunction with the Data Protection Procedure and current active guidance from the ICO.

2. Definitions

In this policy, the following terms have the following meanings:

a. Consent means any freely given, specific, informed, and unambiguous indication of an individual’s wishes by which he or she agrees to the processing of personal data.

b. Data controller means an individual or organization that determines the purposes and means of the processing of personal data.

c. Data processor means an individual or organization that processes personal data on behalf of the data controller.

d. Personal data means any information relating to an individual who can be identified, such as by a name, identification number, location data, or factors specific to their identity.

e. Personal data breach means a breach of security leading to the accidental or unauthorized destruction, loss, alteration, or disclosure of, or access to, personal data.

f. Processing means any operation performed on personal data, such as collection, recording, organization, storage, retrieval, consultation, use, disclosure, or destruction.

g. Profiling means automated processing of personal data to evaluate personal aspects related to an individual.

h. Pseudonymization means processing personal data in such a way that it can no longer be attributed to an individual without additional information.

i. Sensitive personal data means personal data revealing specific categories of information.

3. Data Controller

RGH Global Ltd acts as a data controller for the personal data of its staff, candidates, and individual client contacts. RGH is registered with the ICO (registration number ZA792151).

4. Purposes of Data Processing

RGH may hold personal data for the following purposes:

a. Staff administration

b. Advertising, marketing, and public relations

c. Accounts and records

d. Administration and processing of candidates’ personal data for work-finding services

e. Administration and processing of clients’ personal data for supplying/introducing candidates

f. Contractual information for both public and private customers

5. The Data Protection Principles

The Data Protection Laws require RGH to process data in accordance with the principles of data protection:

a. Lawfulness, fairness, and transparency

b. Purpose limitation

c. Data minimization

d. Accuracy

e. Storage limitation

f. Integrity and confidentiality

g. Accountability

6. Legal Bases for Processing

RGH will only process personal data where it has a legal basis for doing so. Please refer to Annex A for the legal bases for processing.

7. Privacy by Design and by Default

RGH has implemented measures and procedures to protect privacy and ensure data protection is integral to all processing activities. This includes data minimization, pseudonymization, anonymization, and cybersecurity. RGH holds a valid Cyber Essentials certificate.

8. Privacy Notices

RGH provides privacy notices to individuals in the following situations:

a. When collecting personal data directly from individuals

b. When collecting personal data from other sources

c. When disclosing personal data to third parties

d. When further processing personal data for different purposes

9. Subject Access Requests

Individuals have the right to access their personal data and request rectification. Requests should be sent to the person listed in the Appendix.

10. Rectification

Individuals have the right to request rectification of inaccurate or incomplete personal data. If RGH has disclosed the data to third parties, those parties will also be informed of the rectification request.

11. Erasure

Individuals have the right to request erasure of their personal data. If RGH has disclosed the data to third parties, those parties will also be informed of the erasure request.

12. Restriction of Processing

Individuals have the right to request restriction of processing under certain circumstances.

13. Data Portability

Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another data controller where technically feasible.

14. Objection to Processing

Individuals have the right to object to the processing of their personal data based on specific grounds.

15. Enforcement of Rights

All requests regarding individual rights should be sent to the person listed in the Appendix. RGH will respond to requests within the specified timeframes.

16. Automated Decision Making

RGH will not subject individuals to decisions based solely on automated processing, unless authorized by law or with explicit consent.

17. Direct Marketing

RGH complies with rules regarding direct marketing, including obtaining prior consent for electronic direct marketing and providing opt-out options. RGH ensures that any third-party data purchased or platforms used meet GDPR standards.

18. Reporting Personal Data Breaches

All data breaches should be reported to the person listed in the Appendix. RGH will take steps to contain and recover breaches and notify the ICO if necessary.

19. Communicating Personal Data Breaches to Individuals

RGH will inform affected individuals without undue delay if a personal data breach poses a high risk to their rights and freedoms. Exceptions apply if appropriate protection measures have been implemented or if informing individuals involves disproportionate effort.

20. Human Rights

All individuals have rights under the Human Rights Act 1998, including the right to respect for private and family life, freedom of thought, belief, expression, assembly and association, and protection from discrimination.

21. Complaints and Contact Information

Individuals can report complaints or make suggestions regarding RGH’s handling of personal data to the person listed in the Appendix. Alternatively, individuals may contact the ICO directly.

22. Data Protection Officer

Cheryl Mann is RGH’s Data Protection Officer and is responsible for adding, amending, or deleting personal data, handling subject access requests, reporting data breaches, and ensuring compliance with data protection regulations.

23. Legal Bases for Processing Personal Data

RGH processes personal data based on the following legal bases:

a. Consent

b. Performance of a contract

c. Legal obligation

d. Protection of vital interests

e. Public task or official authority

f. Legitimate interests

24. Legal Bases for Processing Sensitive Personal Data

RGH processes sensitive personal data based on the following legal bases:

a. Explicit consent

b. Compliance with employment, social security, or social protection law

c. Protection of vital interests

d. Not-for-profit organizations with a specific aim

e. Public information

f. Legal claims

g. Substantial public interest

h. Medical purposes

i. Public health

j. Archiving purposes, scientific research, and statistics

Appendix: Contact for reporting complaints, subject access requests, and other inquiries.
