Who is GRI from a DATA context?
GRI enables client hiring organisations to manage their bank staff booking process and/or connect with talent pools/recruitment agency panels to find candidates for their vacancies that are non-permanent in nature, e.g. temporary, contract and fixed-term roles.
This “connection” happens either through GRI’s software systems – e-tips® or b2bBuyer® – or third-party software such as Peoplefluent or Beeline. The client hiring organisation decides which software system to opt for and then which vacancies to post to the chosen software system, what the requirements of the job are (for example, the compliance items the worker needs to have in place) and whether the job is an opportunity for their own internal bank staff/talent pool, or additionally/instead one which is available for their recruitment agency panels to propose candidates to.
The software system then makes sure this vacancy is flagged to the client hiring organisation’s bank staff and/or recruitment agency panels. Bank staff alerted to the vacancy can then decide whether they want to put themselves forward for the job. Similarly, recruitment agency panels also decide which candidates they want to add to the software system and propose for the vacancy in question.
GRI does not own any recruitment agencies nor act as a bank manager/talent pool manager. GRI operates only as an outsourced third party that facilitates the process of hiring, ensuring that we can track all decisions in the recruitment process via an electronic system, so all parties to the process know what stage the recruitment is at, with all actions recorded: from which candidates were proposed, by whom, whether they had the requisite compliance items, who was accepted or rejected and how much they are paid.
This way of recruiting is typically known as a neutral vendor recruitment model, and it is widespread. 13% of all temporary recruitment undertaken by hiring organisations operates through an outsourced model in the UK.
Under the neutral vendor model, GRI is a data processor, processing personal data on behalf of bank staff, talent pools, recruitment agencies who propose candidates and client hiring organisations who hire candidates. In simple terms, the processing means enabling the “connection” between parties in the recruitment process and allowing the secure viewing of the data required to conduct a safe and efficient recruitment process and ongoing activity during a temporary or contingent worker’s assignment.
Client hiring organisations act as data controllers to decide which vacancies to post, whether to post these vacancies to bank staff/talent pools and/or to their recruitment agency panels, what the requirements are of the job, including compliance items such as DBS check, driving license or health status forms, and who to accept from those candidates proposed, based on the criteria of the job.
Recruitment agency panels also act as data controllers responsible for ensuring the candidate they propose to the vacancy is aware of how their data will be shared and that the personal data shared on the candidate or their compliance items are accurate. Bank staff and talent pool candidates are also in control of deciding whether to accept a vacancy proposed to them or not.
Some of our clients engage GRI as a managed service provider, meaning we are actively involved in the recruitment process, alongside the client and their supplying agencies. This is a different business model than the neutral vendor solution, and so for these clients, GRI is considered to be a data controller.
Please note that GRI acts as the data controller in respect to the e-tips® and b2bBuyer® logins issued to client hiring organisation users and recruitment agency panel users, and bank staff users. We additionally act as the data controller for any details on our website concerning queries about our service offering, supplier details and agency details for panel enquiries. In all other instances, GRI acts as the data processor.
THIS PRIVACY NOTICE
For the purposes of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (incorporating the UK GDPR) & the General Data Protection Regulation (Regulation (EU) 2016/679)), the company responsible for your personal data is:
Geometric Results International Limited
Booths Park 1
T: 01565 682 020
This Privacy Notice explains how GRI collects/receives data, how we process any data we collect/receive, who we collect/receive this data from, why we collect/receive it, and how we share it (where applicable).
This privacy notice details how we comply with our legal obligations under the Data Protection Act 2018 & the UK GDPR. It also explains how we manage subject access requests and the right to erasure. Your privacy is important to us, and we are committed to protecting and safeguarding data privacy rights. It is important to point out that we may amend this Privacy Notice from time to time. We will post any changes here, so you can easily look at any point to keep up to date.
If you have a query about any aspect of our Privacy Notice, you can contact our Data Protection team and our Data Protection Officer, Dannielle Gibbons, at email@example.com.
Note: If you are a GRI staff member, please contact HR to refer to the GRI staff privacy notice.
WHO DOES THIS POLICY APPLY TO?
- Users of our website – www.geometricresults.co.uk
- Recruitment agency panel e-tips® or b2bBuyer® users
- Employees of agencies contracted to a client hiring organisation’s panel
- Employees of agencies who may have an interest in being part of our panel
- Client hiring organisation e-tips® or b2bBuyer® users
- Employees of GRI clients
- Bank staff e-tips® users
- Talent pool users
- Suppliers of goods & services to GRI
- Other individuals we may contact in certain rare circumstances, for example, agency workers and/or bank staff themselves and the emergency contacts of these workers working at our clients. (Please note these scenarios are scarce and would only occur if GRI could not get in touch with the worker’s recruitment agency contact or the client hiring organisation’s bank staff manager, and circumstances were such that to delay contact could cause undesirable ramifications such as compromising safety or notifications in the event of a serious incident.)
LAWFUL BASIS FOR PROCESSING
Almost all of the data that GRI process on behalf of our clients and recruitment agencies are processed to fulfil a contract, specifically our contract for the provision of our services to these parties. This lawful basis covers all types of data outlined within this Privacy Notice, except in the instance of processing of personal data of agencies who wish to join our panels. In this instance, we work based on legitimate interest.
Where GRI are asked to process special category data on behalf of our data controllers, we assume that the relevant consents have been obtained from the data subjects by the data controllers we work with (i.e., our clients and recruitment agencies).
Please note: Across all categories of data and depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship.
WHAT KIND OF PERSONAL DATA DO WE PROCESS OR COLLECT & HOW DO WE USE IT?
e-tips® and b2bBuyer® User Data
What do we process and why: We provide every e-tips® or b2bBuyer® user (whether the client/internal or agency or bank staff) with a unique login to access the system as part of our contractual agreements. To do this, we ask for your name, company workplace and "business" email address. We then use this data to ensure an audit trail of activity on the site (for example, which users are changing what information). This ensures we have visibility of who is using the system from a data security perspective. Periodically, we check to see whether users are still logging in and if they are not, and the login has not been used for over 6 months, the profile is revoked. Revoking access to e-tips® can also be requested by the user themselves or the organisation they work for.
In addition, and to fulfil our contractual obligations, we may need to email our e-tips® or b2bBuyer® users from time to time, using the email address provided for the login, for one or more of the following reasons:
- To inform them of an update to the e-tips® or b2bBuyer® system (as is relevant)
- To confirm changes to pay rates on the system due to legislation changes (for example, pensions auto-enrolment or national minimum wage uplifts)
- To make users aware of training opportunities or best practice guidance.
Proposed Candidate Data
What do we process, and why? Our client hiring organisations, as data controllers, decide what information is required from any candidate being proposed for each type of vacancy posted. This can include any or all of the following, depending on the client:
- Contact Details
- Supply type - whether someone is working under PAYE or self-employed as a PSC to be taxed appropriately.
- A CV (So their application can be assessed) or the primary skills required or preferred, the education required or preferred, the years of technical experience required or preferred. Please note that when “experience” is collected, it relates to technical skills gained over several years, not the candidate's age.
- Nationality – to better understand the Brexit risk status
- Where appropriate and following local laws and requirements governing certain employment scenarios, copies of various compliance items, for example, Right to Work, driving license, proof of address etc. This may also include processing special category data relating to health and criminal convictions (DBS check status, health consent forms etc.)
- Whether the candidate has previously worked at and/or subsequently retired from the organisation they now wish to temp at, and if they have, what grade they were at or what position they occupied previously.
- Notice period – if applicable.
- The stages of the recruitment process, if any, that the candidate moves through
- Our recruitment agency panels and/or bank staff/talent pools supply this information to GRI, and we process this data on their behalf.
Additionally, GRI may require date of birth, diversity information, an email address/phone number, next of kin details and Identity Number (either passport or NI number). When this is asked for, the client does not see this information against the individual candidate record card. The information collected is used in the following ways:
- The date of birth and Identity Number are used to confirm the identity of the candidate for HMRC reporting.
- Diversity Information is collected to help our client hiring organisations understand whether any diversity initiatives are successful. Diversity statistics are never provided at an individual level to hiring managers but are presented as an aggregate, meaning an individual cannot be specifically identified.
- An email address and phone number for either the worker or next of kin is requested; it is not passed on to the client hiring organisation, but it is available for emergencies should GRI need to contact the candidate/next of kin urgently, for example, in an emergency where the candidate’s agency cannot be reached.
Working Candidate Data
What do we process and why: Once a candidate is working at a client hiring organisation, e-tips® and b2bBuyer® record the hours they work, their rate of pay, appropriate tax and NI contributions, the length of the assignment, the type of assignment, where that assignment is based, any incidents on that assignment and objective feedback from that assignment. Our Audit Team may also review compliance documentation to ensure that our agencies have asked for the appropriate permissions to share this with the client hiring organisation and that the compliance documentation is accurate. Our Audit Team may also be required to request additional information that has not been uploaded to e-tips® and b2bBuyer®, to enable GRI to fulfil its contractual obligation to audit and assure legal compliance of the recruitment agency panel and the candidates who have been supplied to the client hiring organisation.
What we process and why: GRI use traffic log cookies to identify which pages on our website are visited and how often. We conduct statistical analysis on web page traffic, which allows us to determine which pages are most useful to our website users. All data is deleted once this analysis is complete.
Cookies do not give GRI access to personal details about the user in question (unless you have chosen to share details with us on one of our online forms), nor access to your computer. However, they allow us to collect information on which companies visit our site and what pages they view.
Cookies are only collected where the user has accepted this collection within their browser settings. Declining cookies still grants access to our website but may prevent you from taking full advantage of the content.
b2bBuyer Site Users
Cookies generated by b2bBuyer, with the following information, are used to keep the user logged in while using the system and in determining when their password needs to be reset. These are 'session cookies' and are deleted when the browser is exited:
- User ID
- Login ID
- User Type – Client, Agency, Agency Worker
- Authority Level
- Last Successful Login Date
What do we process and why: We need a small amount of information from our goods & services suppliers to ensure that things run smoothly. We need contact details of relevant individuals within the organisation to allow for seamless communications. We also need other information such as bank details to pay for the services provided (if this is part of the contractual arrangements).
Agencies who are interested in joining our panel
What do we process and why: Agencies interested in joining our panels can submit their contact details via a form on our website or through direct contact with one of our employees. To process these requests, GRI needs to retain the name, email address and telephone number, and on occasion, postal address of a contact within the agency.
GRI retain and process this data under legitimate interests – GRI believes that the privacy impact of this processing on individuals is minimal and is outweighed by the commercial opportunities that may arise as a result of this processing.
Who do we share our personal data with?
A full list of our sub-processors can be found here: https://www.geometricresults.co.uk/gdpr, but we would draw particular attention to the following:
- e-tips® and b2bBuyer® USER LOGINS: This data may be shared internally within GRI to understand who is doing what on the e-tips® or b2bBuyer® portal, for reasons of data security and data transparency. Where we need to send an e-tips® user an email, your data is processed by our email platform – dotmailer.
- AGENCIES WHO ARE INTERESTED IN JOINING OUR PANEL: Where we send information regarding this opportunity via email other than Outlook, your data is processed by our email platform – dotmailer.
- USERS WHO NEED SUPPORT OR ASSISTANCE: e-tips® users raising support tickets have their query and data facilitated through Zendesk. b2bBuyer® users raising support tickets have their query and data facilitated through OTRS.
- CLIENTS WHO WISH TO SEE DATA TRENDS ON THEIR RECRUITMENT ACTIVITY: Depending on the client and the software system their recruitment activity transacts through, data analysis will run through either Power BI, STARS or Envision.
- SUPPLIER DATA: Unless you specify otherwise, we may share your information within our company and associated third parties such as our service providers and organisations to whom we provide services.
- WEBSITE USERS: Unless you specify otherwise, we may share your information with providers of web analytics services.
- WORKING CANDIDATE DATA: To fulfil our legal obligations, we may need to share your details with third parties like HMRC to ensure your taxation is correct and to adhere to regulatory requirements like Oil Reporting.
- AUDITING PARTNER: Our audit service is provided by an external partner based outside of the UK. The Auditors within this team will have access to e-tips® and will be processing personal data in line with the requirements of the audit being completed.
- FULFILMENT SERVICE PARTNER: Our fulfilment service is provided by an external fulfilment partner based outside of the UK. The fulfilment advisors within this team will have access to e-tips® and will be processing personal data relevant to the fulfilment of vacancies raised by clients who use this service. This team also assists with fulfilling Royal Mail Group vacancies through the processing of personal data (provided via email) in respect of Security Clearance/Vetting.
- VETTING PARTNER: The Vetting submission process for RMG is provided by an external partner outside the UK. The advisors within this team will have access to relevant personal data provided by email. They will be processing personal data in line with the requirements of the security vetting process.
Do we transfer any data outside of the UK?
Yes. Where data is transferred or accessed outside of the UK, GRI has worked hard to ensure that these transfers are compliant with the DPA 2018 & the UK GDPR and that any sub-processors are held to the same data protection standards as GRI.
- Our data backups are stored in Ireland. This transfer is covered under the adequacy decision given to the EU by the UK and also by standard contractual clauses in place with the host.
- Where a client is utilising our vacancy fulfilment service, the e-tips® user details for agency and client users, and the basic personal information of the workers assigned to relevant roles (including but not limited to Name, Address, NI number), will be accessed by our global fulfilment partners who operate outside of the UK. The sub-processing agreement includes a rigorous data protection schedule and standard contractual clauses in line with the EDPB guidance. All data storage remains UK-based, and all data access is completed via remote workspaces, which are tracked and audited by GRI.
- Where an Agency is subject to the GRI remote audit process, in line with client requirements, this audit will be completed by our audit team operating outside of the UK. The sub-processing agreement includes a rigorous data protection schedule and standard contractual clauses in line with the EDPB guidance. All data storage, including the transmission of data via email, remains UK-based. The audits will be completed on a remote workspace, which is tracked and audited by GRI.
- Where a candidate is submitted for the Security Vetting Process with Royal Mail Group, their relevant personal data will be processed by the Vetting team based outside of the UK. The sub-processing agreement includes a rigorous data protection schedule and standard contractual clauses in line with the EDPB guidance. All data storage, including the transmission of data via email, remains UK-based. The submissions will be completed on a remote workspace, which is tracked and audited by GRI.
- Personal data including Name of Worker, PO Number, Department Code, Start and End Date, Customer Charge Rate, Reports to Manager and Report to Managers’ email address relating to workers accepted for a position with Ford Motor Company (FMC) may be transferred outside of the EEA at the request of FMC (acting as controller). Acting as data processors, we consider this transfer outside of the EEA permitted per Article 49.
How do we safeguard your personal data?
We care about protecting your information. That is why we put in place appropriate measures designed to prevent unauthorised access to and misuse of your personal data. Our systems are certified to ISO 27001 standards for data security. Our platforms are accessed only by password-protected logins, and all users have defined access restrictions. Where data is shared with external sub-processors, we have reviewed data protection policies and implemented rigorous data protection clauses within our service contracts.
How long do we keep your personal data?
As a data processor, we abide by our data controller’s requirements on all data retention policies and facilitate these requirements unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to tax authorities or in connection with any anticipated litigation).
The exceptions to this are as follows:
- e-tips® and b2bBuyer® logins: As a data controller, we determine the retention periods for this data. To preserve the security of the e-tips® system, we revoke user access regularly if a login has not taken place in the preceding six months.
- Agencies who are interested in joining our panel: This data is retained until the data subject requests this to be deleted. Due to contract wins occurring over several years, commercial opportunities based in the areas agencies can supply may arise at any time. We believe that agencies would prefer us to retain their information for when these circumstances arise.
- Information gathered during any Audit Process that may take place: We consider all documents sent by agencies to the Audit team about a specific audit to be relevant, and they should be accessible until the next audit is due, in line with contractual requirements. In standard cases, this is 12 months but may be reduced to 3 or 6 months depending on the audit frequency defined by a client.
RIGHTS OF OUR DATA SUBJECTS
Under the Data Protection Act 2018 and the UK GDPR, data subjects have various rights about the data held and processed by GRI. These can be raised with us by contacting us at firstname.lastname@example.org. We will endeavour to deal with your request without undue delay, and in any event, per the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues you raise.
We may need to refer you to the relevant data controller to assess your rights. For example, if you are a candidate that works through a recruitment agency panel for a client hiring organisation, then depending on the circumstances, it is your recruitment agency panel or the client hiring organisation that will be the data controller who is best placed to assess your rights.
- Right of Access: If you are interested in finding out what data we hold on you or wish to obtain a copy of this data via a Subject Access Request, please contact the Data Protection team at email@example.com at any point, and we will be happy to advise. Please note that to comply with your request, we may ask you to verify your identity or ask for more information about your request, and we may decline your request, where we are legally permitted to do so, but we will explain why if we do so.
- Right to rectification: You have the right to request that we amend data we hold on you if you believe that data is incorrect. To do this, please get in touch with the Data Protection team at firstname.lastname@example.org, and we will be happy to advise.
- Right to Erasure: In certain situations, you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases and we may, should a worker contact us directly, need to refer this request to the appropriate data controller to assess – for example, the client hiring organisation or the recruitment agency panel) and will only disagree with you if certain limited conditions apply (these will typically be around competing legislation, for example, health and safety or HMRC requirements). If we do agree to your request, we will pseudonymise your data. We do this to preserve the integrity of our database (audit traceability of users etc.) and to allow us to retain a record of data processing activities without the data being attributed to an individual without the use of additional information. We will retain this additional information securely, using the appropriate technical and organisational methods.
- Right to Restrict Processing: You have the right to request that we stop processing your personal data as an alternative to erasing the data. This could include retaining some of your information on a register of those individuals who do not want to be contacted by us. You may exercise this right by contacting our Data Protection team at email@example.com, and we will be happy to advise.
- Right to Data Portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this by directly transferring your data for you or by providing you with a copy in a commonly used machine-readable format.
- Right to Object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you disagree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
- Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example, for having an e-tips® login), you may withdraw your consent at any time.
- Right to complain: Under the EU GDPR, if you are based in the EU and GRI process your data, you have the right to lodge a complaint with a supervisory authority. You may contact GRI in the EU via our Germany office, the details of which are below. If you are not satisfied with the response you receive, you are free to lodge a complaint with the supervisory authority in Germany or the supervisory authority in the country in which you are located.
Supervisory Authority Germany:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Postfach 20 04 44
Information Commissioner's Office
Telephone: 0303 123 1113
Fax: 01625 524510