Candidate Privacy Policy
-
What is the purpose of this document?
We have implemented this privacy notice to inform you of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
Your data will be processed by Curve UK Limited, registration number: 09523903, address: 1-10 Praed Mews, Tyburnia, London, England, W2 1QY. Additionally, if you are a prospective employee, worker or contractor of another Curve entity, your Data Controller will also be the company that you may be employed by in the future::
-
Curve Europe, UAB (Lithuania), registration number: 305626541, address: Jogailos g. 9, LT-01116 Vilnius; or
-
Curve Netherlands B.V., located at Burgemeester Rijnderslaan, 554, 1185MC, Amsterlveen, Netherlands.
-
Data protection principles
All personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
-
processing is fair, lawful and transparent;
-
data is collected for specific, explicit, and legitimate purposes;
-
data collected is adequate, relevant and limited to what is necessary for the purposes of processing;
-
data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay;
-
data is not kept for longer than is necessary for its given purpose;
-
data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures; and
-
we comply with the relevant laws for international transfers of personal data.
-
Types of data held and lawful basis for processing
We keep several categories of personal data on our prospective employees, workers or contractors in order to carry out effective and efficient processes. We keep this data in an electronic personnel file relating to each prospective employee, worker or contractor within our computer systems.
Purpose |
Lawful basis |
Categories of data processed |
Assess your skills, qualifications, and suitability for the role |
Legitimate interests (to ensure we hire suitable candidates) |
|
Carry out background and reference checks (where applicable) |
Performance of a contract Legal obligations |
|
Communicate with you about the recruitment process |
Legitimate interests (to run a fair and efficient recruitment process) |
|
Keep records related to our hiring processes |
Legitimate interests (to ensure our recruitment practices are carried out properly and to establish, exercise or defend ourselves against legal claims) |
|
Comply with legal or regulatory requirements |
Legal obligations |
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
-
Collecting your data
We collect personal information about candidates from the following sources:
-
You, the candidate.
-
Existing Curve employees who refer or nominate you for roles with us.
-
Verifile (only if you are a successful candidate and where allowed by law), our background check provider, from which we collect the following categories of data: name, your addresses from the last three years, criminal record, work permit data, national identification numbers, and proof of address documents.
-
Your named referees.
-
Where allowed by law, public sources, including social media platforms.
Special categories of data are relating to you that may be collected are the following:
-
health;
-
sexuality;
-
criminal history;
-
racial or ethnic origins;
-
political opinion;
-
religious or philosophical beliefs;
-
trade union membership; and
-
genetic and biometric data.
The above special categories of data are collected for the following purposes:
-
for the purposes of equal opportunities monitoring; and
-
to determine reasonable adjustments.
We will only process special categories of data when the following applies:
-
you have given explicit consent to the processing;
-
we must process data for reasons of substantial public interest; and
-
processing is necessary for carrying out the obligations and exercising specific rights in the field of employment and social security law and social protection law.
-
Criminal conviction data
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage. We rely on the lawful basis of the performance of the contract, our legal obligations and our legitimate interests, as well as those of any prospective employers to process this data.
-
Who we share your data with
We may share your personal data with:
-
our group companies, where necessary to process your application;
-
professional advisors, where necessary to receive their services;
-
legal and regulatory authorities, where necessary to comply with our legal obligations; and
-
our third party service providers, (for example, our data hosting service provider, background check provider (Verifile) and online recruitment tools (Comeet).
We share your data with organisations outside of the UK and the EEA. As of the date of this handbook this is limited to the USA, however it may be shared more widely in future as the business expands its operations. We have put efficient measures and controls in place to ensure that your data is transferred securely and that the bodies who receive the data that we have transferred process it in a way required by UK and/or EEA data protection laws.
Where we transfer data outside the European Economic Area or the UK, we rely on a decision recognising that the relevant third country, territory or relevant international organisation provides an adequate level of protection for the data. In the absence of the above decision, we may transfer the data to a third country or international organisation if we have put in place appropriate safeguards (for example, if we have signed the Standard Data Protection Clauses (Article 46(2)(c) of the GDPR). If no adequacy decision has been made or no adequate safeguards have been established, we will transfer the data if one of the exceptions provided for in Article 49 of the GDPR applies (e.g., we have your explicit consent).
If you have any further questions, or wish to obtain a copy of any contracts entered into with the organisations we share your data with, please contact our Data Protection Officer.
-
Protecting your data
We are committed to ensuring that your personal data is safe and take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this notice.
Unfortunately, the transmission of personal data through the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to or stored on our IT system, and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
-
Retention policy
We will keep your personal data for as long as necessary to fulfill the purposes described in this notice or the terms of any contract that we enter into, or for such longer period as may be required by law. After this, where allowed by laws and this notice, we will erase or anonymise your personal data.
-
Automated decision making
Automated decision making means making decisions about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
-
Candidate rights
Under UK and EEA data protection laws, you have the following rights in relation to the personal data we hold on you:
-
the right to be informed about the data we hold on you and what we do with it;
-
the right of access to the data we hold on you. More information on this can be found in our separate policy on Subject Access Requests;
-
the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
-
the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
-
the right to restrict the processing of the data;
-
the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
-
the right to object to the inclusion of any information; and
-
the right to regulate any automated decision-making and profiling of personal data.
-
Making a complaint
You are always able to raise a complaint with the relevant regulator, but we hope you will speak with us first with any concerns or issues you are experiencing so that we can try to help.
In the UK, the regulator is the Information Commissioner (ICO). You can contact the ICO at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
In Lithuania, the regulator is the State Data Protection Inspectorate (VDAI). You can contact the VDAI at ada@ada.lt or by telephone on +370 5 212 7532.
-
Data protection compliance
We have appointed external data protection officers in the UK and the EEA.
You can send any queries, requests or comments to: dpo@imaginecurve.com.