Ferreira Young Ltd (Ferreira Young) is committed to complying with the EU General Data Protection Regulation (GDPR) 2018 policy. As an organisation, Ferreira Young is required to gather and use certain personal information about individuals. These individuals can include any type of contact in the field of Recruitment and other people Ferreira Young has a relationship with or may wish to approach to forge a relationship with. This policy describes how such personal data is collected, handled and stored to meet the GDPR standards, and to comply with the law.
Why does this policy exist?
This GDPR policy ensures that Ferreira Young:
- complies with data protection law and follows good practice;
- protects the rights of all business contacts, whether currently known or prospective;
- is open about how it stores and processes individuals’ data;
- protects itself from the risks of a data breach.
The GDPR Act 2018 describes how organisations — including Ferreira Young — must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. GDPR is underpinned by six important principles.
These say that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability and Transparency
Ferreira Young adopts the principles of Accountability and Transparency and as such:
- has implemented appropriate technical/organisational measures to ensure compliance;
- has appointed a data protection officer;
- has implemented measures that meet the principles of data protection by design and data protection by default.
Ferreira Young holds personal data on the lawful basis of Legitimate Interest. Data is sourced for the purpose of providing Mapping, Talent Pipelining and Professional Search & Selection services to global clients, and as such only data already available in the public domain is held. It is deemed that seeking consent to hold such personal basic information would be disproportionately balanced. Verbal permission to keep data is requested when engaging with prospective business contacts/candidates for the first time. Consent, by the process of signing the Ferreira Young Declaration, is requested when a candidate chooses to engage in the process and potentially be introduced to a client of Ferreira Young.
Data is stored on a proprietary database which is securely cloud-based and accessed by password through a computer, then a separate and different application password. Resetting of passwords initiates a secure 2-step authentication. Only employees & associates of Ferreira Young receive access to the database. No details that could be considered high-risk (such as financial details, date of birth, passport, identification, home addresses, sexual orientation, political/religious beliefs, biometric data) will be requested or held.
Sharing of Data
Ferreira Young may share personal data with clients where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights are enforceable and effective legal remedies for individuals are available following the transfer. Clients of Ferreira Young are required to agree to the data sharing agreement set out in the client-signed Letter of Engagement, and as such confirm that their organisation is GDPR compliant and will handle the shared data under the basis of their own GDPR policy.
Basic personal data obtained under the lawful basis of Legitimate Interest may be shared without notification.
Full and detailed personal data obtained under the lawful basis of Consent will only be shared once the individual has signed the Ferreira Young Declaration, agreeing to such sharing of data.
Transfer of Data
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Basic personal data obtained under the lawful basis of Legitimate Interest may be transferred outside of the EU without notification to UK-based clients who may have offices in other non-EU territories.
Full and detailed personal data obtained under the lawful basis of Consent may only be transferred once the individual has signed the Ferreira Young Declaration, agreeing to such transfer of data.
GDPR provides the following rights for individuals:
- right to be informed;
- right of access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to data portability;
- right to object.
Procedure for access
Any access requests should be made to the Data Protection Officer via email: firstname.lastname@example.org. Requests are free of charge and will be handled within 30 days. Data will have been recorded and ultimately delivered in a concise, transparent and intelligible manner, written in clear and plain language. After receipt of the data, any of the Individual Rights can be requested and as such will be actioned in 30 days.
This policy was set out on 25 May 2018 and is stored for public view on https://fy-recruitment.co.uk. As the intellectual property of Ferreira Young, this document must not be printed, copied or forwarded.