Privacy Policy

cardfactory Privacy Notice - Recruitment

What is the purpose of this document?

cardfactory is committed to protecting the privacy and security of your personal information and takes our Data Protection obligations very seriously.

This privacy notice describes how we collect and use personal information about you before, during and after your application for employment with us, in accordance with Data Protection legislation (UK & EU General Data Protection Regulation (GDPR), any relevant country specific legislation such as the Data Protection Act 2018 and any subsequent updated legislation).

cardfactory is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection legislation to notify you of the information contained in this privacy notice.

This notice applies to anyone applying for a position with cardfactory. This notice does not form part of any contract of employment or other contract to provide services. 

The personal data we may collect

We collect personal data directly from you as follows:

  • contact details such as name, title, address, telephone numbers, and personal email addresses,
  • personal information such as date of birth, gender (if included in CV),
  • evidence of how you meet the requirements of the job, including CV and application form,
  • information about your education, skills, qualifications and work experience (included in your CV),
  • evidence of your right to work in the UK and immigration status,
  • information about your health, including any medical needs or conditions, but only in order for us to make reasonable adjustments during the recruitment process (should this be required),
  • equal opportunities monitoring information (which includes information such as gender and community background/religion etc.) which is required to comply with legislation and to report aggregated data (as part of British Retail Consortium),
  • information relating to the interview process, personality tests or capability tests (where appropriate and relevant to the role),
  • background check information through reference checks, confirmation of employment and if applicable qualification verification and criminal record data (where appropriate and relevant to the role).

Please note this list is not exhaustive but gives an indication of the data we collect.

Generally we do not want to receive data such as health information, political opinions, trade union membership, sex life or sexual orientation, unless you believe such information is strictly relevant and necessary for us to assess your application or for reasonable adjustments at interview. If you believe such data is strictly relevant and necessary to your application, we will consider your forwarding of such data to us as your specific and explicit consent for us to process this data for the purposes set out in this privacy notice.

 

How is your personal information collected? 

We collect personal information about candidates through the application and recruitment process, either directly from candidates, or sometimes from an employment agency or background check provider.  We may sometimes collect additional information from third parties including former employers, or other background right to work providers. 

 

If you fail to provide personal information 

If you fail to provide certain information when requested, we may not be able to assess your capability for the position. This could affect the recruitment process and your ability to be employed by cardfactory. 

 

Our legal basis for processing your data 

We will only use your personal information when the law allows us to do so.  Most commonly we will use your personal information in accordance with the following conditions for processing: 

  • Consent (Article 6 (1a)) - We process your personal data based on your consent. 
  • Contract (Article 6(1b)) – In the majority of instances we process your personal data based on our proposed contractual employment relationship.  
  • Legal obligation (Article 6 (1c)) – We process your personal data based on a law, such as our legal obligations (such as providing annual reports to the Northern Ireland Equality Commission). 
  • Legitimate interests (Article 6 (1f)) – We process your data for our legitimate interest and your interests and fundamental rights do not override those interests. 

 

Special category data is particularly sensitive personal information that requires higher levels of protection.  We need to have further justification for processing this type of personal information. We prefer not to receive such data, however where you provide the information or it is necessary for us to process it, we will use your personal information in accordance with the following conditions for processing: 

  • Explicit Consent (Article 9 (2a)) - We process your personal data based on your explicit consent in limited circumstances. 
  • Employment, Social Security & Social Protection Law (Article 9 (2b)) – We process your personal data based on employment and social security law. 
  • Legal Claims (Article 9 (2f)) – we will process your personal data in order to establish, exercise or defend legal claims. 

 

Should you require any reasonable adjustments during the recruitment process we will consider the provision of health information by you to us as your explicit consent. Should you provide information about your ethnicity, we will use this to ensure meaningful equal opportunity monitoring and reporting in accordance with the Equality Act 2010. We will process gender, community background & religion for those applying for roles in Northern Ireland to comply with the Fair Employment and Treatment (NI) Order 1998 (FETO). Generally we rely on the processing conditions in the Data Protection Act 2018 which relate to processing of special category data for employment, statutory and regulatory purposes. 

 

Purposes of our processing

We may use your personal information for the following purposes: 

  • make a decision about your recruitment or appointment,  
  • administering and processing your application,
  • check you are legally entitled to work in the UK, 
  • conducting background checks including criminal convictions history (where appropriate dependent on the role), 
  • communicating with you, other cardfactory colleagues and third parties (e.g. referees, including former employers & external recruitment agencies & right to work providers),
  • complying with applicable laws, such as employment laws, and employment-related requirements,
  • responding to and complying with requests and legal demands from regulators or other authorities,
  • responding to requests from law enforcement agencies and the Courts.

 

Please note this list is not exhaustive but gives an indication of the processing activities we undertake.

Change of purpose 

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.  If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

 

Information about criminal convictions 

We do not generally collect criminal convictions data as we may only use such information where the law allows us to do so.  This will usually be where such processing is necessary to carry out our obligations in respect of employment law and provided we do so in line with our Data Protection Policy. 

 

Who do we share your data with?

We only share your information where we are strictly able to and only in accordance with Data Protection legislation. We may share your personal data in the following circumstances:

  • Within the Cardfactory Group,
  • With relevant recruitment agencies,
  • With your former employer and/or referees,
  • With a background check provider,
  • With a regulator or Government body where required by law,
  • Where we are using contracted service partners for services such as IT hosting companies and IT services companies,
  • To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person,
  • To process your application for a DBS Check where required, for the role you have applied for,
  • To enforce or apply our Terms of Service or other agreements or to protect Cardfactory and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction),
  • To any other person with your consent to the disclosure.

 

Finally we may share anonymised or aggregated data gathered in the normal course of the administration and good running of our business with third parties or service providers to enable greater analysis, improvements, industry or service related trends to be identified and action taken accordingly. Please note this list is not exhaustive but gives an indication of the information shared by cardfactory.

A list of third parties who we may share your data with can be obtained from our Data Protection Officer.

International Transfers

If your Personal Data is transferred to one of our affiliated companies within the UK or the EU/EEA or a third party located in a country outside the EU/EEA, cardfactory will ensure that such transfer(s) will be carried out in accordance with the applicable Data Protection legislation.

If your Personal Data is transferred to our affiliated companies outside the UK/EU/EEA, without an adequacy decision, the transfer will be based on the cardfactory Intra-Group Agreement which includes the EU Commission’s Standard Contractual Clauses and the relevant transfer impact assessment.

Transfers to third parties outside the UK/EU/EEA, without an adequacy decision, will be safeguarded by ensuring that the third party enters into the EU Commission’s Standard Contractual Clauses and the UK ICO Addendum or the UK International Data Transfer Agreement and the relevant assessments (TRA/TIA). 

Should the Data Protection legislation change in this respect, we will review the obligations and amend this notice as appropriate. More information can be obtained by contacting our Data Protection Officer.

How long do we keep your data for?

We will retain your personal information for a period of 12 months after we have communicated to you our decision about whether to appoint you. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. We also may contact you to ask you to consider other roles available within cardfactory should any further suitable vacancies arise.

After 12 months, we will securely destroy your personal information in accordance with our Retention Policy.

 

Your rights

It is important that the personal information we hold about you is accurate and current.  Please keep us informed if your personal information changes during your employment with us. 

Your rights in connection with personal information 

Right to be informed how we process your personal data, which is set out in this notice.

Request access to your personal information (commonly known as a “data subject access request”).  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 

Request rectification of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected. 

Request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. 

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground.  You also have the right to object where we are processing your personal information for direct marketing purposes. 

Request the restriction of processing of your personal information.  This enables you to ask us to suspend the processing of personal information about you. 

Request data portability of your personal information to another party. 

Rights relating to automated processing including profiling of your personal information. This enables you to ask for a review of this activity.

In the limited circumstances where you may have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.   

If you want to exercise any of your rights, please contact our Data Protection Officer at dpo@cardfactory.co.uk.

Automated screening 

We may use some automated screening tools as part of our application process. The answers you provide to one or more of the questions, excluding any equal opportunities questions about your gender, community background or religion, may result in your application being automatically declined. This technology is used to help us manage the high volume of applications we receive and we can assure applicants the same outcome would occur if we manually reviewed your application. The reason for the decline will be made available to you in your candidate account. If you wish to challenge the outcome, this can be reviewed by contacting the Data Protection Officer.

Data security 

We have put in place appropriate security measures to ensure your personal information is safeguarded and prevented from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to our personal information to those colleagues, agents, contractors and other third parties who have a business need to know.  They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

Data Protection Officer 

We have appointed a Data Protection Officer to oversee compliance with our Data Protection obligations.  If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at dpo@cardfactory.co.uk.

You have the right to make a complaint at any time to the relevant supervisory authority for Data Protection legislation (UK: Information Commissioner’s Office, www.ico.org.uk; Ireland: Data Protection Commission, https://forms.dataprotection.ie/contact).

Changes to this Privacy Notice

We keep our privacy notice under regular review, and it is subject to change at any time. We may also notify you in other ways from time to time about the processing of your personal data.