Staffline Recruitment Limited (03996086), Datum RPO Limited (07741572), Brightwork Limited (SC296104), Driving Plus Limited (02436612) and Staffline Group Plc (05268636) subsidiaries care about your privacy and are committed to processing your personal information in accordance with fair information practices and applicable data privacy laws (specifically, the UK General Data Protection Regulation (‘GDPR’) and the 2018 Data Protection Act). Within this document, all noted companies above are referred to individually and collectively as ‘the Company’.
This notice explains how the Company handles the personal information of all data subjects such as employees, applicants, interims, former employees, dependants, beneficiaries, contractors, consultants, and temporary agency workers whilst operating its human resources activities. The Company may amend this notice from time to time, should it become necessary to do so.
Collection and Use of Personal Information
The Company will process your personal information to administer the employment and/or contractual relationship with you. The Company may collect, use, and transfer your personal information through automated and/or paper-based data processing systems. The Company has established routine processing functions (such as processing for regular payroll and benefits administration) and will also process personal information on an occasional or ad hoc basis (such as when an employee is being considered for a particular new position or in the context of changes to marital status for example).
In the normal course of human resources activities, the Company will collect the following types of personal information:
• Personal identification information, such as your name, home address, date of birth, gender, work-related photographs, and home telephone number
• Government-issued identification numbers, such as national ID for payroll purposes
• Immigration, right-to-work and residence status
• Time and attendance data (utilising facial recognition biometric data) – where applicable
• Family and emergency contact details
• Job-related information, such as years of service, work location, employment ID, work record, vacation absences, and contract data
• Educational and training information, such as your educational awards, certificates and licenses, vocational records, and in-house training attendance
• Recruitment and performance-related data, such as objectives, ratings, comments, feedback results, career history, work equipment, career and succession planning, skills and competencies and other work-related qualifications
• CCTV footage and other information obtained through electronic means such as swipe-card records – where applicable
• Information related to your usage of the Company’s assets
• Information needed for compliance and risk management, such as disciplinary records, background check reports and security data
• Payroll and payment or benefits-related information, such as salary and insurance information, dependents, government identifier or tax numbers, bank account details, and employment related benefits information
The Company uses a survey platform, which, from time to time will be used to invite you to complete a survey (the completion of which is not a requirement and is always considered voluntary). The Company conducts survey activities as part of its legitimate interests to monitor the performance of the services provided and to understand and improve employee/worker satisfaction.
The Company processes personal information for the following purposes:
• Workforce planning, recruitment, and staffing
• Workforce administration, payroll, compensation, and benefit programs
• Performance management, learning and development
• Advancement and succession planning
• Legal compliance, including compliance with government authority requests for information, liens, garnishments, and tax compliance
• Workplace management, such as travel and expense programs and internal health and safety programs
• Internal reporting
• To protect the Company, its workforce, and the public against injury, theft, legal liability, fraud, or abuse
• Other legal and customary business-related purposes.
In addition, the Company shall process sensitive personal information (‘special category’ data) if it is needed for legitimate business objectives or if it is required to comply with applicable law. Sensitive personal information will not be collected, processed, or transferred, except where adequate privacy protection mechanisms are in place and after having first obtained your informed consent, if required by law.
Your personal information may be passed to a Client (defined as an organisation the Company operates with and supplies Workers on assignment to), and vice versa. Such data may include confirmation of your performance on a specific assignment, which the Client may provide to the Company so that it can ensure you are performing at the standard requirements. Information will only be shared to ensure that the Company can administer the employment and/or contractual relationship with you. The Company will not pass any personal data that is not necessary to fulfil its obligations to you and the Client.
The Company may obtain information about you from searching for potential candidates from third party sources such as job sites. If you engage with the Company via any social media platform such as Facebook, the Company will receive information from the applicable site.
The Company uses data processors, which are third party organisations providing services (or elements thereof) to the Company. The Company has a contract in place with all data processors which ensures that all data processors are only permitted to process data in accordance with instructions received by the Company as the data controller and data protection law. Data processors are not permitted to share your personal information with any third-party organisation.
Where data processors are based outside of the UK or EU, the Company ensures that data is legally protected, and transfers are undertaken either:
• On the basis of an adequacy decision where the EU has decided that the destination country has an adequate and equivalent level of protection to that if it were in the EU, or
• By ensuring the processor’s contractual commitment to handle and process personal data to UK standards (as per the UK General Data Protection Regulation and the 2018 Data Protection Act)
• In future, if the UK provides its own adequacy judgements for overseas data protection regimes these will be reflected by the Company
The Company may disclose your personal information for its legitimate purposes or a third party’s legitimate interests for the continuity of its business/service, in the following circumstances:
• Other entities/subsidiaries of the Company, joint ventures, sub-contractors, vendors, or suppliers performing services on the Company’s behalf for the aforementioned purposes; or
• A newly formed or acquiring organisation if the Company Staffline is involved in a merger, sale, or a transfer of business.
The Company may also disclose your details to any recipient:
• If it is legally obliged to, such as by applicable court order or law
• With your consent, such as for employment verification or bank loans
• When reasonably necessary such as in the event of a life-threatening emergency
The Company respects your right to object to any uses or disclosures of your personal information which are not:
• Required by law
• Necessary for the fulfilment of a contractual obligation (e.g., employment contract)
• Required to meet the legitimate interests of the Company as an employer (such as disclosures for internal auditing and reporting purposes or other processing covered by this notice). If you do object, the Company shall endeavour to work with you to find a reasonable accommodation.
At times the Company will use automated systems/processes and automated decision making (like profiling) to improve and support your experience. Automation allows the Company to make processes intuitive, simple, and easy to use. You have Rights in relations to Automatic Processing, see ‘Know Your Rights’.
Your personal information may be transferred outside of the country where you work, including to countries which do not provide the same level of protection for your personal information. The Company is committed to protecting the privacy and confidentiality of personal information when it is transferred. Where such transfers occur, the Company shall ensure that adequate protection exists either through appropriate contractual arrangements or as required by law.
The Company takes reasonable steps to ensure that personal information is accurate, complete, and current. Please note that you have shared responsibility with regards to the accuracy of your personal information. Please notify the Company through your local site contact of any changes to your personal information or that of your beneficiaries or dependants.
You may reasonably access and update the personal information pertaining to you that is on file with the Company. You can exercise this right by contacting: DPO@staffline.co.uk
• Your ability to access and correct personal information is not limited by transfers of personal information – the ability shall exist regardless of where personal information is physically situated within the Company
• Your right to access your personal information may have some restrictions. For example, access may be denied in the case of recurrent access requests within a short time interval, or where providing such access or correction could compromise the privacy of another person or unreasonably expose sensitive company information
Right to Erasure
You can ask the Company to delete any information it holds about you if the law and the Company’s data retention policies allow for this.
The Company takes precautions to protect personal information from loss, misuse, and unauthorised access, disclosure, alteration, and destruction. The Company has taken appropriate technical and organisational measures to protect the information systems on which your personal information is stored and require its suppliers and service providers to protect your personal information by contractual means.
Your personal information will be retained as long as necessary to achieve the purpose for which it was collected, usually for the duration of any contractual relationship and for any period thereafter as legally required or permitted by applicable law, after which point all information shall be securely destroyed in accordance with the Company’s Data Protection and Information Security policies.
The Company will only continue to contact you for a period of two years after you have left employment or registered interest to work for the Company.
If you do not want us to contact you anymore, please contact: DPO@staffline.co.uk .
Handling Privacy Concerns
If you have any questions about this notice or if you believe that your personal information is not handled in accordance with the applicable law or this notice, you have several options:
Contact the Company
• Discuss the issue with your supervisor or another supervisor or manager
• Contact the Company’s Human Resources department (email@example.com)
• Contact the Company’s Data Protection Officer (DPO@staffline.co.uk)
• Contact the Information Commissioner’s Office (the ‘ICO’)
• Telephone the ICO helpline (0303 123 1113)
• Visit the ICO website https://ico.org.uk/global/contact-us/
• Write to the ICO at the following postal address:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
The Company’s ICO Registration Numbers are as follows:
• Staffline Recruitment Limited: Z2743868
• Brightwork Limited: Z9636732
• Datum RPO Limited: ZA895607
• Driving Plus Limited: zb470713
• Staffline Group PLC: Z8383724
‘Know Your Rights’
The UK General Data Protection Regulation (GDPR) and the 2018 Data Protection Act (DPA) enshrines a number of rights for data subjects which are listed below, all of which are supported by the Company. Further information about these rights may be accessed by clicking the link shown at the bottom of the page.
1. The right to be informed:
The right to be informed encompasses our obligation to provide ‘fair processing information’. This emphasises the need for the Company to be transparent about how your personal data is used.
2. The right of access:
3. The right to rectification:
You are entitled to have personal data rectified if it is inaccurate or incomplete.
4. The right to erasure:
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. The right to restrict processing:
Under the DPA, you have the right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, the Company is permitted to store the personal data, but not further process it. Retaining just enough information about you to ensure that the restriction is respected in future is permitted.
6. The right to data portability:
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. The right to object:
You have the right to object to: (a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (b) direct marketing (including profiling); and (c) processing for purposes of scientific/historical research and statistics.
8. Rights in relation to automated decision making and profiling:
The GDPR provides safeguards for you against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.
More detailed information on each of the rights can be found here: