CMA Financial Recruitment Ltd ("CMA") and any associated trading names understand the importance of protecting the personal data of our candidates and clients. This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe. We know that there’s a lot of information here but we want you to be fully informed about your rights, and understand how CMA uses your data.
With this in mind, CMA adhere to the following Privacy Notice. English law and jurisdiction applies with respect to the content of this notice and the information contained. In particular, CMA recognise and address our obligations under the provisions of the Data Protection Act 1998, the General Data Protection Regulation (EU 2016/679) and any applicable statutory or regulatory provisions and all European Directives and regulations in force from time to time relating to the protection and transfer of personal data;
Under the General Data Protection Regulation ('GDPR'), data controllers are defined as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Based on this definition, CMA will act as the Data Controller with regards to both candidate and client data collected by CMA when providing services in the UK.
Explaining the legal basis we rely on
The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
In certain circumstances, we may need your personal data to comply with our contractual obligations.
For example, if you are offered a role via CMA, we may collect your contact details and pass them to our client to enable you to receive a formal offer letter and/or proposed contract of employment.
In specific situations, we may collect and process your data with your consent. At the point of registration CMA may ask to retain and use candidate data under the use of consent and in compliance with Principle 1, Article 6 of the GDPR.
For example, when you agree that CMA can pass your details to a client for a role in which you are interested in relation to CMA providing you with work finding services.
When collecting your personal data, we’ll always make clear to you which data is necessary in connection with providing you with work finding services.
If the law requires us to, we may need to collect and process your data.
For example, if you undertake a temporary assignment via CMA, HMRC request specific personal data relating to payroll for RTI reporting purposes and our pension provider requests specific personal data for compliance with auto enrolment legislation.
In specific situations, we may require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
For example, we will may use your email address details to send you direct marketing information, telling you about products and services that we think might interest you.
How and when CMA collect information
Information is collected via our website and third party sources such as independent external job boards and social media platforms. Information is also voluntarily provided to us by candidates and clients when creating an account or registering for our services. Personal information relating to an individual is collected during candidate registration interviews, telephone calls, email correspondence and reference checks. Client information is also collected during meetings, telephone calls and events CMA attend or host. The legal basis for this processing is our legitimate interest as a business to offer work finding and/or recruitment services.
CMA collect information from all users of CMA’s services, whether this is via our website, in person or via an affiliated partner. CMA collect candidate data required to carry out work finding services. This includes but is not limited to: name, address, date of birth, employment history, right to work, membership details and references. CMA also collect client data required to carry out recruitment services. This includes but is not limited to: name, company address, company phone number, company email and job role.
In addition to the information provided CMA collect and check data from third parties such as companies house and accredited bodies.
CMA never knowingly collect more personal data than is strictly necessary to perform our tasks in providing work finding and/or recruitment services.
Information created when you use our services
If you are a client, CMA will collect details about the company. This includes but is not limited to: company registration details, structure, contact information and role details.
If you are a candidate (job seeker) CMA will collect personal data. This includes but is not limited to: name, address, date of birth, employment history, right to work, qualification membership details, and references.
CMA may associate your name with another person via our refer a friend scheme, to ensure you receive the due recognition.
How and why do we use your personal data
Candidates. CMA do not sell or share your personal information to third parties for third party direct marketing purposes. CMA will use your information to deliver personalised work finding services and optimise your CMA experience. Data will be collated onto our internal systems and all paper documents will be securely stored on each site. CMA will use information collected to:
- Source and match roles and companies to your requirements
- Submit your CV and any other relevant information to clients in the process of providing work finding services
- Communicate with candidates regarding your job search via email, phone, text message or post
- Update candidates on events and announcements which may be of interest in relation to CMA providing current or future work finding services
- Undertake research and analysis to enhance CMA’s work finding services
- Process payroll and comply with Auto Enrolment and HMRC requirements
- Meet our Health & Safety obligations as per UK statute
Clients. Client data is obtained, kept and used under the use of legitimate interest and in compliance with Principle 1 and Article 6.1, 6(1)(f) of the GDPR. CMA do not sell or share your information to third parties for third party direct marketing purposes. Data will be collated onto our internal systems and all paper documents will be securely stored on each site. CMA will use information collected to:
- Discuss present and future organisational recruitment requirements
- Allow CMA to compare CMA candidates with organisational vacancy requirements
- Provide candidate CVs and any other relevant candidate information
- Update clients on events and announcements which may be interest in relation to CMA supporting current or future organisational recruitment strategy
- Manage processes throughout the recruitment cycle including but not limited to: interviews, feedback, offers and timesheet authorisation.
- Process credit checks and raise invoices for services provided
- Undertake research and analysis to enhance CMA’s recruitment services
- Recommend service partners, where agreed details will be passed onto our selected partners
Other processing activities. In addition to the specific purposes for which we may process your personal data set out above, we may also process any personal data where such processing is necessary for compliance with a legal obligation to which we are subject, such as the Conduct Regulations 2003, or in order to protect your vital interests or the vital interests of another natural person.
Data Sharing & Disclosure
Except as set out herein and where required or permitted by law or a court of competent jurisdiction, CMA will not reveal any personal data about you to any third party.
Information will be shared internally within the CMA team to provide work finding, recruitment and payroll services. CMA will only share information with third parties when required as part of our work finding or recruitment services. CMA may check information collected with third parties or with other information held by CMA. Candidate’s personal data will only be shared with CMA clients who have a legitimate interest and only then with the candidate’s permission.
Your data may be disclosed to any person, firm or company to whom we sell the whole or a substantial part of our business or to whom we may transfer any part of our rights or obligations. We may also disclose your
information where necessary to enforce our Terms of Business or other agreements or if necessary to prevent, detect or prosecute illegal or suspected illegal activities or to prevent other damage in response to a legal action against CMA.
How do we protect your information?
Your personal data security is our highest priority. CMA have taken steps to protect your information by limiting the access to our network and locations where your data is stored. Our team only access data which is required to complete their job function. Our IT systems are ISO 27001 accredited. These are provided, monitored and supported by NASSTAR PLC. NASSTAR PLC regularly monitor our system for possible vulnerabilities and attacks, and carry out penetration testing to identify ways to further strengthen security. We secure access to all transactional areas of our websites using ‘https’ technology. Further information on the security features of our system are available on request. Access to your personal data is password-protected. Although we do our best to protect the information you share via the internet, anything you submit via the internet is done so at your own risk. We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
Information retention & deletion
Client and Candidate Data
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
During our marketing activities, CMA log who, when and where our mailers have been opened and viewed.
CMA also obtain data from publicly available sources, financial service providers, governing bodies and referees. CMA may combine information collected from these sources with information already in its possession.
Our data is stored on external servers, which are monitored and protected 24hrs a day. All personal information is stored on servers located in the UK.
CMA may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
During the time you are registered as active with CMA we will log calls, emails, meetings, texts, events and any other relevant information on our secure internal database. At this time no option exists for third party access. If a decision is made to change this aspect of the database, then we will notify you first. While all reasonable security measures have been implemented, CMA are unable to accept responsibility for intrusion by third parties acting illegally.
CMA will retain your information whilst you are active, unless you request deletion of your account or information, and for a period of no more than 6 years if you have completed temporary assignments via CMA as required by law and in accordance with UK statute.
If your work finding search is no longer active and you have not undertaken temporary assignments via CMA, your information will be stored for three years following the date of our last contact or dealing with you, under legitimate business interest in compliance with Principle 1 and Article 6 of the GDPR. At the end of that retention period, we’ll contact you to ask whether you’d like CMA to retain, store and process your data. Unless you reply to say ‘yes’, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning. However, some of your data may still exist within our systems. For our purposes, this data will be put beyond use, meaning that while it still exists on a system, it cannot be readily accessed by operational systems, processes or employees.
Client data including but not limited to company information, credit checks and key contact details.
After the three-year period, key contacts who have not been contacted within this period will be deleted. If after this process has been undertaken, the client record has no key contacts, then the company will be deleted from our system. However, some of your data may still exist within our systems. For our purposes, this data will be put beyond use, meaning that while it still exists on a system, it cannot be readily accessed by operational systems, processes or employees.
*Any clients who have actively conducted transactions with CMA within the three-year period will have their company information retained on our system.
Data processing of minors
We do not offer work finding services to anyone under the age of 18. Therefore, no data will be held on individuals under this age.
What are your rights over your personal data?
You have the right to request:
- Access to the personal data we hold about you, free of charge in most cases
- The correction of your personal data when incorrect, out of date or incomplete.
- That we stop using your personal data for direct marketing
- That we stop any consent-based processing after you withdraw that consent
- To be forgotten from our databases and systems
- A copy of our Right to Be Forgotten policy
- A copy of our Subject Access Request Policy
You can contact us to request to exercise these rights at any time. If we choose not to action your request, we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
To submit a request regarding any of the above please contact your regional office. Contact details are provided below.
T| 023 8063 8046 T| 023 9248 0524
T| 01202 312222 T| 01256 333322
Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office
You can contact them by calling 0303 123 1113.
Or go online to https://ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites)
It’s likely that we’ll need to update this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish. By using our services, you consent to this policy.
Version 7 March 2019