Amoria Bond GDPR Privacy Notice
• Who controls your personal data?
• Who are Amoria Bond and what do we do?
• What is the lawful basis and purpose of the processing?
• Marketing Communication & e-Privacy
• What personal data does Amoria Bond collect?
• Information we obtain from other sources
• Who has access to your data?
• Will your personal data leave the EEA? If so, what safeguarding measures are in place?
• How long will we keep your data?
• Correcting, Updating and Removing your personal data
• What are your rights?
Amoria Bond attaches great importance to the personal privacy of individuals (data subjects) and we are committed to protecting and respecting your privacy.
When you register with us via our website, on-line job boards, other digital methods or sign up to our services in any other way, and/or when you are in contact with one of our employees, the personal data that you entrust to us will be treated in accordance with GDPR legislation and held securely.
We want to help everyone who uses Amoria Bond's service to get the most from it. This Privacy Notice applies to our Group services at all our office locations and is relevant to all categories of data subject. Our Group means our subsidiaries, our ultimate holding company and its subsidiaries, our associated companies as defined in section 1159 of the UK Companies Act 2006 (our Group).
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation which is updating data protection law and aims to harmonise data protection legislation across EU member states, enhancing privacy rights for data subjects (individuals) and providing a strict framework within which commercial organisations can legally operate.
Amoria Bond's Head Office is located in Manchester (UK) and therefore the lead supervisory authority for all our GDPR related decision making is the UK Information Commissioner's Office (www.ico.org.uk).
Even though the UK has expressed its intention to leave the EU in March 2019, the GDPR will be enforceable in the UK from 25th May 2018. Furthermore, the Information Commissioner’s Office (ICO) has laid out its intention to continue with a similar level of regulation post-March 2019 and the requirements of the GDPR will be reflected in UK law by the new Data Protection Bill (2017) when it comes into force.
Amoria Bond's GDPR Privacy Notice describes your rights and how the GDPR and the current e-Privacy Directive (PECR) apply to the way Amoria Bond handle your personal data. Our aim is to be responsible, relevant and secure with your information.
We encourage you to read through our Privacy Notice so you understand what information we collect about you, who we share it with and how your data could be used.
Who controls your personal data?
The Data Controller is Amoria Bond Limited, registered in England (Company No. 5895820)
We are a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003.
Amoria Bond Limited is registered as a Data Controller with the ICO, registration reference: Z1303865
Amoria Bond Limited is the group holding company for:
• Amoria Bond GmbH (Company No. HRB 76960)
• Amoria Bond BV (Company No. 34311673)
• Amoria Bond Pte. Limited (Company/GST No. 201136474K; Employment Agency Licence No. 16S8124)
Amoria Bond employees will have access to your personal data through our secure internal database (RDB Pronet).
Any questions regarding this Privacy Notice and our privacy practices should be sent by email to firstname.lastname@example.org or by post to: Amoria Bond Limited, 14 Egerton House, Towers Business Park, Manchester, M20 2DX. Alternatively you can telephone (+44) 0161 448 4882.
Who is Amoria Bond and what do we do?
Amoria Bond is a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003. We have offices located in Manchester, Amsterdam, Cologne & Singapore. We collect the personal data of the following types of people to allow us to undertake our business;
• Prospective and placed candidates for permanent or contract roles;
• Prospective and live client contacts;
• Supplier contacts to support our services;
• Employees, independent consultants, temporary workers;
What are the lawful bases and purposes of the processing?
As ‘Data Controller’ Amoria Bond relies on ‘legitimate interest’ as the lawful basis upon which we collect & retain your personal data. This is defined by Article 6(1)(f) of the General Data Protection Regulation as:
“…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
A wide range of interests may be considered as legitimate interests. They can be our own interests or the interests of third parties, commercial interests, as well as wider societal benefits.
Our legitimate interest in collecting and retaining your personal data is described below:
As a recruitment business and recruitment agency we introduce candidates to clients for permanent employment or independent professional contracts. The exchange of personal data of our candidates and our client contacts is a fundamental, essential part of this process.
In order to support our candidates’ employment needs & career aspirations and our clients’ staff resourcing needs we require a database of candidate and client personal data containing historical information as well as current resourcing requirements.
To maintain, expand and develop our business we need to record the personal data of prospective candidates and client contacts.
As a recruitment agency Amoria Bond has a legitimate commercial interest to collect & process personal data relating to active & passive jobseekers (Candidates) as well as the collection of personal data relating to Hiring Managers of organisations we provide recruitment services to; or Hiring Managers of organisations we would engage with to offer our services (these can be defined as live & prospective Clients). Organisations that use our services to fill their vacancies would be considered as third parties, though Amoria Bond has a legitimate interest in sharing Candidate personal data with these organisations as part of its recruitment services.
In order to provide permanent and contract recruitment services, it is necessary for Amoria Bond to process certain types of personal data. The personal data we collect is used only for the purpose of providing recruitment services. In particular, we use your data to deliver recruitment services by:
• Identifying & selecting Candidates whose skills and/or experience are appropriate for the vacancies and contract assignments detailed to us by our Clients;
• Notifying Candidates of potentially suitable and appropriate permanent jobs or contract assignments;
• Notifying Hiring Managers of the availability of suitably skilled workers (Candidates).
As a Candidate your data may also be used for:
• Assisting our Clients to identify and select suitable Candidates for interview on permanent vacancies and contract assignments;
• Processing of pre-employment screenings;
• Internal management purposes: Amoria Bond quality control & reviews to ensure the service that we offer is appropriate and targeted at the right audience.
If we provide recruitment services to you, as Candidate or Client, we will also need to ensure compliance with relevant laws and regulations in the jurisdictions that we operate, such as:
• social legislation
Because we provide recruitment services to our Clients (who may be the organisations subject to the above laws and regulation), we may need to process Candidate personal data to meet contractual obligations with our Clients, but we will always obtain further consent from a Candidate where required by law.
Should we want or need to rely on consent to lawfully process your data Amoria Bond will request your consent orally, by email or by an online process for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time.
Marketing Communication & e-Privacy (PECR)
To comply with the e-Privacy Directive (PECR) Amoria Bond will ask for your consent to send relevant marketing communications that provide information & advice on our services. You have the right to opt-out of this service at any time by emailing: email@example.com
Amoria Bond does not share your personal data with third parties for marketing purposes.
What personal data does Amoria Bond collect?
We collect and process personal information to enable us to provide advice and professional services as an employment agency and employment business. This information may include:
• personal contact details;
• family details;
• links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, corporate websites;
• education and employment details.
We only collect personal information necessary for the best performance of our services and/or to improve our services, or to be able to fulfil specific requests & requirements from our Candidates and Clients.
Upon registration as a Candidate we may ask for your:
• full name & contact details (telephone, mobile & email);
• location / home address;
• your most recent Curriculum Vitae (CV);
• links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, corporate website;
• relevant educational, industry qualifications and employer references (diplomas, courses and certifications);
• your availability & proof of the right to work in your country or countries of residence & choice.
When placing you in a role at one of our Clients we might request additional personal information such as:
• social security number;
• passport or identity card;
• employer references.
and if you are an independent Contractor, personal business documents such as:
• Company registration certificate / freelancer registration certificate;
• Insurance documentation;
• VAT registration details.
Additional types of data we collect
Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
We may also need to collect sensitive personal data to provide our service but we will only do so with your explicit consent or where there is a lawful requirement to do so. By sensitive data we mean information such as criminal record checks, memberships of industry bodies or trade unions, racial or ethnic origins, physical or mental health details. This data will be stored securely, deleted when no longer needed and will never be used to discriminate against you.
As a Candidate your personal data will only be used by Amoria Bond in order that we can provide recruitment agency services. With your consent, your data will be shared with third parties, specifically – prospective employers, who might be interested in your availability as an appropriately skilled worker. However, it is standard practice for Amoria Bond to remove personal information such as home address & contact details from your CV before it is provided to our clients. Your personal data will not be used for any purpose other than the provision of our recruitment services.
As a Hiring Manager within a prospective or current client we will collect personal data such as your:
• Name, job title & business contact details (telephone, mobile & email);
• Your place of work (company name), plus the location or business address;
• links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, corporate website.
As a Hiring Manager your personal data will not be shared with any other parties outside of Amoria Bond or be used for any purpose other than the provision of our recruitment services.
Information we obtain from other sources.
This is information we obtain about you from other sources such as LinkedIn, social media profiles, corporate websites, job board websites, online CV libraries, data aggregators or personal recommendations. In this case we will inform you of the fact we hold personal data about you, the source the personal data originates from and for what purpose we intend to retain and process your personal data, when the first communication takes place.
From your current employer: where you are employed by an umbrella/payroll company or personal service company. Please note: In these circumstances, when you are engaged through such a company, we will be relying on your employer to ensure they have established a legal basis for processing your data with you. Our basis for the ongoing processing of your data will become subject to a contract between us and that company.
WEBSITE USERS: When you visit our website there is certain information that we may automatically collect, whether or not you decide to use our services. This includes your IP address, the date and the times and frequency with which you access the website and the way you browse its content. We will also collect data from you when you contact us via the website.
We collect your data automatically via cookies, in line with cookie settings in your browser. If you are also a Candidate or Client of Amoria Bond, we may use data from your use of our websites to enhance other aspects of our communications with or service to you. See below if you would like to find out more about cookies, including how we use them and what choices are available to you.
What’s a cookie?
A “cookie” is a piece of information that is stored on your device which records your navigation of a website so that, when you revisit that website, it can present tailored options based on the information stored about your last visit. Cookies can also be used to analyse traffic and for advertising and marketing purposes.
Cookies are used by nearly all websites and do not harm your system. If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings.
– to track your use of our website. This enables us to understand how you use the site and track any patterns that emerge individually or from larger groups. This helps us to develop and improve our website and services in response to what our visitors want and need; and
– to help us advertise jobs to you that we think you’ll be interested in. Hopefully this means less time for you trawling through endless pages and will get you to the relevant information you want more quickly.
Cookies are either:
– Session cookies: these are only stored on your device during your web session and are automatically deleted when you close your browser – they usually store an anonymous session ID allowing you to browse a website without having to log in to each page but they do not collect any information from your device; or
– Persistent cookies: a persistent cookie is stored as a file on your device and it remains there when you close your web browser. The cookie can be read by the website that created it when you visit that website again. We use persistent cookies for Google Analytics and for personalisation (see below).
Cookies can also be categorised as follows:
– Strictly necessary cookies: These cookies are essential to enable you to use the website effectively, such as when applying for a job, and therefore cannot be turned off. Without these cookies, the services available to you on our website cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet.
– Performance cookies: These cookies enable us to monitor and improve the performance of our website. For example, they allow us to count visits, identify traffic sources and see which parts of the site are most popular.
– Functionality cookies: These cookies allow our website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced features. For instance, we may be able to provide you with news or updates relevant to the services you use. These cookies can also be used to remember changes you have made to text size, font and other parts of web pages that you can customise. They may also be used to provide services you have requested such as viewing a video or commenting on a blog. The information these cookies collect is usually anonymised.
– Personalisation cookies: These cookies help us to advertise details of potential job opportunities that we think may be of interest. These cookies are persistent (for as long as you are registered with us) and mean that when you log in or return to the website, you may see advertising for jobs that are similar to jobs that you have previously browsed.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
Cookie name: Google Analytics (_utma, _utmz)
Purpose: These cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site.
More information: Click here for an overview about Privacy at Google
Cookie name: My Account Session Cookie
Purpose: This cookie is essential for the “My Account” login. It remembers that you are logged into your account whilst you are online. This cookie is deleted when you close your browser.
Cookie name: Job Shortlist Session cookie
Purpose: This cookie is essential in order to provide you with the jobs short-list service on the website. It remembers which jobs you have selected to add to your short-list. It is deleted when you close your browser session – unless you are logged into your account, where it will be saved to enable you to view it when you next login.
Cookie name: AddThis Sharing Cookie (di, ups)
Purpose: This function allows you to share content or pages on our site with people you choose to via a 3rd party widget called AddThis. This 3rd party stores non-personally identifiable information from you in order to provide us with statistics to help us track which content you share and therefore find useful to enable us to improve our site features in the future.
More information: If you wish to block the company AddThis from using your information to target advertising on other websites opt out here
Who has access to your data?
To provide the best service to meet your employment or recruitment needs, your personal information will be accessible to:
• Amoria Bond employees in our UK, NL, DE & Singapore locations;
• Access Group, provider of our CRM database (RDB Pronet);
• Nasstar, provider of our hosted IT network systems & security;
• Governmental departments & legal entities (data only provided when required to do so by law).
Will your personal data leave the EEA? If so, what safeguarding measures are in place?
Amoria Bond have a secure company-wide shared database (RDB Pronet) provided by Access Group and a secure I.T. network that is hosted by Nasstar Plc.
The personal data that we collect can be accessed outside the European Economic Area (“EEA”) by employees of Amoria Bond Pte (Singapore). Where our employees are not based in the EEA we ensure adequate levels of protection via data processing agreements and having a robust, Group wide Data Protection Policy.
Personal Data may also be accessed by Nasstar staff operating in New Zealand who provide our I.T. support services outside of UK business hours. We ensure the security of your data because New Zealand has received an ‘adequacy decision’ from the European Commission in relation to data processing and we also have an appropriate contract in place with Nasstar. Amoria Bond will take all steps necessary to ensure that your data is kept secure and treated in accordance with this Privacy Notice.
On occasion, Amoria Bond will also request your consent to send your personal information (specifically your CV) to international clients located outside of the EEA.
In this respect, we have taken all technical and organisational measures to protect your data.
Internal organisational measures taken to protect your personal data
Amoria Bond have implemented internal security measures such that no staff (unless authorised) can copy data from their PC (screen shot or otherwise) or download data to any type of external storage device. Monitoring is in place to ensure that staff access to data records is consistent, within the parameters that we would consider ‘normal’, and that we are alerted to any abnormal activity. Any internal data breach that represents a high level of risk affecting the rights and freedoms of the individuals whose data we hold will be reported to the relevant Supervisory Authority in the appropriate jurisdiction, as well as the UK ICO, within 72 hours of the breach. To further protect your personal data, all Amoria Bond staff are trained on Data Protection standards and how to handle your data, ensuring it is kept secure and used appropriately.
Nasstar Plc – security measures
I.T. system security is implemented by Nasstar to the fullest extent possible, using relevant technologies with the following aims in mind:
• Protection of physical systems
• Restriction of systems and data access to authorised users
• Prevention of malicious attack on systems and/or data
• Restriction of network access and usage to authorised users and purposes only
Nasstar’s systems are maintained in secure, dedicated facilities known as “Server Farms”, which are built to high security standards, restricting access to authorised personnel only at all times. These Server Farms are located in the United Kingdom, in Telford and London. Access to all non-public areas of Nasstar’s on-line systems and services is controlled by a system of authentication and encryption, thus ensuring that access is restricted to authorised individuals and that attempts to intercept network traffic will not reveal data content or enable access to our information or data. Their Server Farm systems are all connected to the Internet via a firewall, ensuring that all illegal and/or undesirable traffic which can be identified at packet or port level is disabled by default. Entry to and access of systems, including the entry of username and password, is handled using SSL 3 (Secure Sockets Layer 3) 128-bit encryption. Access to data for legitimate users is controlled by server based scripts. All network traffic is monitored and checked routinely for consistent performance and attempted security breaches.
Breach Notification – Nasstar will notify Amoria Bond (data controller) without undue delay after becoming aware of a personal data breach. This is documented within Nasstar’s Information Security Incident Management process.
Breach Detection – Nasstar utilises a combination of IDS (Intrusion Detection System), Gateway Anti-Virus scanning, Endpoint protection and third party SIEM systems to monitor and detect potential breaches.
Data Access – Nasstar classifies all Amoria Bond (data controller) data (including personal data) as ‘confidential’ under the Nasstar ISO27001 Information Classification policy. As a result there are strict guidelines controlling the access, disclosure, disposal, storage and transfer of any such classified information.
Access Group – GDPR compliance & security measures
Employees of Access Group have access to our database in order to provide us with technical support and maintenance services.
Access Group is registered with the Information Commissioner's Office (Z5042164) and currently handles all data in accordance with the main principles of data protection as prescribed in the GDPR.
Data is never stored or managed outside of the EU. Their Access Alto office in New York manages only US-based clients and, similarly, does not transfer their data out of the USA.
Access Group are very much aware of the GDPR and have taken measures in all areas of their business to protect your data. This includes, but is not limited to:
• Changes and additions to authored software where appropriate to accommodate encryption for sensitive information / lawful basis for processing and right to be forgotten
• Changes to internal processes to ensure they maintain appropriate records and comply with the regulation
• Ensuring they have all existing systems recorded that contain personal data and again the lawful basis for processing / agreements etc. and that they can provide that information to individuals when asked
• Privacy Impact Assessments across the business
• Updated privacy notices & data protection policies
• Amendment of their ISMS (ISO27001:2013) to accommodate GDPR regulation
• GDPR compliant contracts and Framework agreements
• Provisions for special categories of data
• Active retention and deletion processes and software, as well as an annual review of retention schedules
• Incorporating the Data Protection role within the Information Security Manager's remit
• Employee screening
• System access and end point security
• Non Disclosure Agreements
All Access Group's server rooms are covered by CCTV, locked and restricted to only those that require access in the performance of their role. All perimeter doors are secured by Salto card access or combination button locks; external physical barriers are also in place; all doors are alarmed and, where possible, internal intruder alarms are installed. All Access staff are required to wear ID badges at all times, and visitors are required to wear badges with red lanyards that clearly identify them as visitors; they are required to sign in and out of each office and are not permitted to walk around their premises unaccompanied.
They do not permit third party access to their Network or systems and Data is never stored or managed outside of the EU.
Access Group & Nasstar Plc are both accredited with the ISO 27001 information security standard.
If you require any further information on how we or our I.T. providers protect your personal data, please contact: firstname.lastname@example.org
How long will we keep your data?
We understand our legal duty to retain accurate data and only retain personal data for as long as we need it for our legitimate business interests. Accordingly, we have a data retention policy and run data routines to remove data that we no longer have a legitimate business interest in maintaining.
We do the following to ensure our data is accurate:
• Initial phone call to review & confirm whether the details we hold about you are accurate.
• Prior to introducing you to a client for a vacancy we check that we have accurate information about you
• We keep in touch with you periodically so you can let us know of changes to your personal data
Amoria Bond will retain your personal data for 5 years from the date of the last communication with you (email, telephone or otherwise). This is determined on the basis that 5 years is considered to be the average length of time individuals and hiring managers are employed within the industry sectors and organisations we deal with and many candidates can remain ‘dormant’ for long periods of time, only to become ‘actively looking’ when approached by Amoria Bond with a relevant job opportunity. If there have been no active communications for a period of 5 years or more, your details will be deleted.
For candidates who are ‘engaged under contracts for services’ with our clients, in order to comply with the requirement of financial laws in the jurisdictions that we operate, we will hold your personal data for a minimum of 7 years.
We will delete your personal data from our records once the relevant retention period is reached, or when we are in receipt of a data subject request to do so (if not overridden by lawful requirements). We may archive part or all of your personal data or retain it for our financial records only, deleting all or part of it from our main database system.
For the purposes of creating an ‘opt out’ or ‘erasure’ suppression file we may minimise the amount of data we hold down to your name and email address. This will ensure that we do not re-enter your personal data on to our database or communicate with you again but you also have the right to object to this.
Correcting, Updating & Removing your personal data
If your personal information or circumstances change, you can correct, update or request to remove your personal data by emailing: email@example.com
What are your rights?
Whilst the processing of your personal data is necessary for the completion of our employment agency services and our legitimate commercial interests, under Article 6 of the GDPR, we have obligations to you the Data Subject.
You retain the following rights to have your personal data processed fairly, lawfully and proportionately to the services that we provide. Specifically, Amoria Bond confirms your individual rights as follows:
• The right to be informed – that we have collected and are processing your data;
• The right of access – gives you the right to access information held about you;
• The right to rectification – this enables you to have any incomplete or inaccurate information we hold about you corrected;
• The right to restrict processing – this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
• The right to object – to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for marketing purposes;
• The right to erasure – this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
• The right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Queries & Complaints
If you have a request, query, concern or complaint about how Amoria Bond collects, stores and uses your personal data then please email: firstname.lastname@example.org and we will respond to you within the timeframe stipulated by the GDPR.
If your request or complaint is not dealt with by Amoria Bond in the timeframe stipulated by the GDPR, then you have the right to make a complaint to one of the following Supervisory Authorities:
UK ICO – https://ico.org.uk/for-the-public/raising-concerns/
DE BFDI – http://www.bfdi.bund.de/
NL – https://autoriteitpersoonsgegevens.nl/nl