Privacy Policy

January 2024 / Version 13

If you are a member of Impellam Group staff, this Privacy Policy should be read in conjunction with the Impellam Group UK Staff Privacy Policy on the Knowledge Library.

This Privacy Policy may be updated from time to time.  You can check https://www.impellam.com/privacy regularly so that you can read the most up-to-date version.
Introduction
Impellam Group plc (“Impellam”) and its subsidiary companies (see Annex 1) acts as both a recruitment agency and recruitment business as defined under The Conduct of Employment Agencies and Employment Businesses Regulations 2003 (“Conduct Regs”).  

We are committed to protecting the privacy and security of your personal information. We have therefore developed this Privacy Policy to inform you of the data we collect, what we do with your information, what we do to keep it secure, as well as the rights and choices you have over your personal information.

Throughout this document we refer to the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation ((EU) 2016/679) (GDPR 2018), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with the aforementioned legislation.

Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR).  This includes any replacement legislation coming into effect from time to time.

This policy should be read together with our cookie policy that can be found on our website 

Information about us

Our Data Protection Officer is Emma Trew. You can contact her at gdpr@impellam.com or via our registered address:

Impellam Group plc
800 The Boulevard
Luton
Bedfordshire
LU1 3BA
Company Number: 6511961
VAT Number: 629032550

This Privacy Policy applies in relevant countries throughout our international network.  Where other countries may approach data privacy differently, we have included country-specific versions of this Privacy Policy, in accordance with our comprehensive list of companies within the Impellam Group, as set out at Annex 1.

What does this Privacy Policy cover?

This Privacy Policy sets out what Impellam does with your personal data, whether you are a:

(1) Candidate
(2) Prospective Candidate 
(3) Person with whom we contact to provide us with assistance in relation to one of our candidates (e.g., referees and emergency contacts)
(4) Client 
(5) Supplier 
(6) Temporary Worker 
(7) Permanent Worker 
(8) You are visiting our Website 

This Privacy Policy is divided into a short-form quick reference section, and a long-form more detailed section on the website. It describes how we collect, use and process your personal data, and how we comply with our legal obligations and regulatory requirements.

We keep our Privacy Policy under regular review and we encourage you to periodically review this page for the latest information on our privacy practices.

What is Personal Data?

Personal data is defined by the DPA 2018 and the GDPR 2018 as ‘any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier’.
In simpler terms, personal data is any information about you that enables you to be identified (either on its own or when combined with other data we may hold on you). Personal data covers obvious information such as your name and contact details, but it also covers information such as identification numbers, electronic location data, and other online identifiers.
Our Legal Bases for processing your data

Depending on the type of personal data in question and the grounds on which we are processing it, should you decline to provide us with such data or ask us to stop processing it, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship or may have to bring that relationship to a close (i.e. because we cannot continue it without personal data about you). 
Legitimate Interest
In the course of providing work-finding services to our clients and work-seekers, where Impellam acts as a Data Controller, it will be necessary, and in our legitimate interest to process personal data, as defined by the DPA 2018 and the GDPR 2018.

We will process contact data as part of the Refer a Friend schemes on the grounds of legitimate interests. This is where referrals are made on behalf of work-seekers by members of their social group. Each referral is processed on the basis that there is a legitimate interest in us helping to find work for the referred individual.


Establishing, Exercising or Defending Legal claims
Sometimes it will be necessary for us to process personal data and, where appropriate and in accordance with our legal obligations and regulatory requirements, sensitive personal data in connection with exercising or defending legal claims. 
The DPA 2018 and GDPR 2018 allows this where the processing "is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity".
This will arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
To Exercise our Rights or Carry out our Employment and Social Security Legal Obligations
For some Candidates, Temporary Workers and individuals it will sometimes be necessary for us to process your sensitive/special category personal data, for the purpose of ensuring compliance with our legal obligations and regulatory requirements.
For example, we may process your medical data to enable us to provide you with adequate support if you suffer from a health condition or disability, for example by sharing medical information about you with an occupational health specialist, in order to determine prognosis and return to work arrangements, and to assess your working capacity more generally. 
The DPA 2018 and the GDPR 2018 allows us to do this where the processing is "necessary for the purposes of carrying out the obligations and exercising [our or your] specific rights… in the field of employment and social security and social protection law", as long as this is allowed by law.
Where processing your personal data is necessary for us to carry out our obligations under our Contract with you, to ensure that you are properly fulfilling your obligations to us, and to ensure that we are fulfilling our obligations to others.
The DPA 2018 and the GDPR 2018 applies where processing of personal data "is necessary for the performance of a contract to which [you are] party or in order to take steps at [your] request … prior to entering into a contract".
Where processing your personal data is necessary for us to carry out our Legal Obligations
In relation to the employment or engagement of Temporary Workers directly by us, as well as our obligations to you under our contract, we also have other legal obligations that we need to comply with. The DPA 2018 and the GDPR 2018 states that we can process your personal data where this processing "is necessary for compliance with a legal obligation to which [we] are subject".
An example of a legal obligation that we need to comply with is our obligation to co-operate with tax authorities, including providing details of your remuneration and tax paid.
Electronic marketing
In addition to the DPA 2018 and the GDPR 2018 requirement for a lawful basis, where we send unsolicited electronic marketing to you we may also require either an opt-in consent or opt-out consent under the Privacy and Electronic Communication Regulations 2003 (“PECR”). That means we are permitted to market products or services to you which are related to the recruitment services we provide to you as long as you do not actively opt-out from these communications. 
Consent
In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent under the DPA 2018 and GDPR 2018, or soft opt-in consent (PECR).
The DPA 2018 and the GDPR 2018 states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". In plain language, this means that:
you have to be in a position to give us your consent freely, without us putting you under any type of pressure to give or refuse that consent;
you have to know what you are consenting to – so we will make sure we give you enough information;
where consent is required, you should have control over which processing activities you consent to and which you don’t; and
you need to take positive and affirmative action in giving us your consent – we are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion. We will keep records of the consents that you have given in this way.
You have the right to withdraw your consent to these activities. You can do so at any time by contacting gdpr@impellam.com .

What Are My Rights?

One of the DPA 2018 and GDPR 2018’s main objectives is to protect and clarify the rights of EU and UK citizens and individuals in the EU and UK with regards to data privacy. This means that you retain various rights in respect of your data, even once you have given it to us. These are described in more detail below.
To get in touch about these rights, please email gdpr@impellam.com. We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we will, where necessary, keep a record of your communications to help us resolve any issues which you raise.
Right to object: 

This right enables you to object to us processing your personal data where we do so for one of the following four reasons: 
(i) our legitimate interests; 
(ii) to enable us to perform a task in the public interest or exercise official authority; 
(iii) to send you direct marketing materials; and 
(iv) for scientific, historical, research, or statistical purposes.
The "legitimate interests" and "direct marketing" categories above are the ones most likely to apply to our Website Users, Candidates, Temporary Workers, Clients and Suppliers. 
If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:
we can show that we have compelling legitimate grounds for processing which overrides your interests; or
we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
Right to withdraw consent: 
Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time, and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.
Data Subject Access Requests (DSAR): 
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. 
We may ask you to verify your identity and for more information about your request. 
If we provide you with access to the information we hold about you, we will not charge you for this unless your request is "manifestly unfounded or excessive". 
If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. 
Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
Right to erasure: 
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
the data are no longer necessary for the purpose for which we originally collected and/or processed them;
where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
the data has been processed unlawfully (i.e., in a manner which does not comply with the DPA 2018 and the GDPR 2018);
it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller; or
if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
for public health reasons in the public interest;
for archival, research or statistical purposes; or
to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will delete the relevant data.
Right to restrict processing: 
You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: 
one of the circumstances listed below is resolved; 
you consent; or 
further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important UK, EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
where we have no further need to process your personal data, but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right to rectification: 
You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of data portability: 
If you wish, you have the right to transfer your personal data between data controllers. In effect, this means that you are able to transfer your Impellam account details to another online platform. 
To allow you to do so, we will provide you with your data in a commonly used machine-readable format that is password-protected so that you can transfer the data to another online platform. 
Alternatively, we will directly transfer the data for you. This right of data portability applies to: 
personal data that we process automatically (i.e., without any human intervention); 
personal data provided by you; and 
personal data that we process based on your consent or in order to fulfil a contract.
Right to lodge a complaint with a supervisory authority: 
You also have the right to lodge a complaint with the Information Commissioners Office (‘ICO’). 
Phone: 0303 123 1113
Email: casework@ico.org.uk

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please email gdpr@impellam.com 
Please note that we will, where necessary, keep a record of your communications to help us resolve any issues which you raise.
You may ask to unsubscribe from job alerts and other marketing communications from us either by unsubscribing where prompted on any relevant communication from us, or at any time by emailing gdpr@impellam.com  
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data. 
What Data do you collect about me and how; and how do you use it, share it and retain it? 
The short-form information below can be found in more detail in our long-form section by clicking on the link relevant to what type of data subject you are on the website.

 

How do we store and transfer your personal data internationally?
In order to provide you with the best service and to carry out the purposes described in this Privacy Policy; your data may be transferred:
between and within Impellam entities globally;
to third parties (such as advisers or other Suppliers to the Impellam business);
to overseas Clients where applicable;
to Clients within your country, where applicable, who may, in turn, transfer your data internationally;
to a cloud-based storage provider. 
We want to make sure that your data are stored and transferred in a way which is secure. We will therefore only transfer data outside of the UK / European Economic Area (EEA) where it is in line with applicable law, and we will require that there is an adequate level of protection for your personal data, and that appropriate security measures are in place. 
In such cases where your personal data is transferred outside of the UK / EEA we will require that the following safeguards are observed:
The laws of the country to which your personal data is transferred ensure an adequate level of data protection;
By way of data transfer agreement, incorporating the standard data protection contractual clauses (SCC’s) approved by the European Commission or International Data Transfer Agreement (IDTA) approved by the UK Government; or
Any other applicable appropriate safeguards under the DPA 2018 / GDPR 2018 
To ensure that your personal information receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure that your personal information is treated by those third parties in a way that is consistent with, and which respects the law on data protection, This includes:
Mandating by contract that all sub-processors adhere to data protection legislation requirements;
Ensuring that any data transfers are encrypted in transit;
Storing your data on encrypted servers and networks;
Undergoing yearly security audits;


Who is responsible for processing your personal data
You can find out which Impellam entity is responsible for processing your personal data and where it is located within Annex 1 
Cookies and similar technologies
A “cookie” is a piece of information that is stored on your computer’s hard drive and which records your navigation of a website so that when you revisit website, it can present tailored options based on the information stored about your last visit.  Cookies can also be used to analyse traffic and for advertising purposes.
Cookies are used by nearly all websites and do not harm your system. If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings, or you can change your preferences within our Cookie Settings.  We also provide information about this within our Cookie Policy
 Security of your personal data
We have implemented appropriate technical and organisational controls to protect your personal data against misuse, loss, or unauthorised access. These include measures to deal with any suspected data breach.
If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately by emailing gdpr@impellam.com 
Data Security is of great importance to Impellam and to protect your data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your collected data.
We take security measures to protect your information including:
Limiting access to our buildings to those that we believe are entitled to be there by use of passes;
Implementing access controls to our information technology;
We use appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, websites and offices.
Impellam is ISO 27001 and Cyber Essentials Certified.

  Automated Decision Making or Profiling
We do not undertake automated decision making or profiling,
We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision-making process.
Some of our brands may offer the opportunity for candidates to undertake a psychometric assessment. This is entirely optional and is used solely to help match candidates more closely to suitable job roles.  

 

ANNEX 1 - Impellam Group Companies:


The list below is subject to amendment and update – please check www.impellam.com for the latest list.
 

Legal Entity

Trading Name (if different)

Location

BarPellam Inc

 

U.S

Bartech Technical Services of Canada ULC

 

Canada

Carbon60 AG

 

Switzerland

Carbon60 Limited

 

United Kingdom

Comensura Limited

 

United Kingdom

Comensura Pty Limited

Comensura Australia

Australia

Corporate Employment Resources Inc

 

U.S

Flexy Corporation Limited

 

United Kingdom

Flexy Services Pty Limited

 

Australia

Guidant Global UK Limited

 

United Kingdom

Guidant Global Belgium NV

Guidant Global Belgium

Belgium

Guidant Global Europe Limited

 

U.S

Guidant Global Germany GmbH;

Guidant Global Germany

Germany

Guidant Global Germany GmbH (France branch)

Guidant Global France

France

Guidant Global Germany (Netherlands branch)

Guidant Global Netherlands

Netherlands

Guidant Global Germany (Norway branch)

Guidant Global Norway NUF

Norway

Guidant Global Germany GmbH – (Poland branch)

Guidant Global Poland

Poland

Guidant Global Germany GmbH – Secursal em Portugal

Guidant Global Portugal

Portugal

Guidant Global Germany GmbH -  Fillal

Guidant Global Sweden

Sweden

Guidant Global Inc

 

U.S

Guidant Global India Private Limited

 

India

Guidant Global Italy SRL

Guidant Global Italy

Italy

Guidant Global Puerto Rico Inc

Guidant Global Puerto Rico

Puerto Rico

Guidant Global Mexico S de R.L de C.V

Guidant Global Mexico

Mexico

Guidant Global Switzerland AG

Guidant Global Switzerland

Switzerland

Guidant Global SG Pte Limited

Guidant Global Singapore

Singapore

Guidant Group Inc

 

U.S

Impellam GmbH

Carbon60; SRG; Lorien

Germany

Impellam Group PLC

 

United Kingdom

Impellam UK Limited

 

United Kingdom

Irish Recruitment Consultants Limited

IRC; Guidant Global Ireland; Lorien Resourcing Ireland; SRG Ireland

Ireland

Lorien Resourcing Limited

 

United Kingdom

Science Recruitment Group Limited

SRG; Synergy

United Kingdom

 


ANNEX 2 – Retention Periods

 

Retention Period (up to)

All types of Candidates with whom we have had no contact

6 months - If no contact made

Candidates we have had meaningful contact with but not placed

 

1* year from the later of:

  • Candidate registration;
  • Consent to represent received (for Conduct Regs purposes) (which is separate from any consent given for data protection purposes)
  • Last meaningful contact.

 

*Exception: 5 years for SRG, C60 and Lorien Candidates

Temporary Workers we have placed

6 years from the later of:

  • End of last assignment; or
  • 1 year after last meaningful contact.

Permanent Workers we have placed

2* years from the later of:

  • placement date; or
  • 1 year after last meaningful contact.

*Exception: 5 years for placed SRG, C60 and Lorien Permanent Workers

Our Own Permanent Employees or Direct Hire Temps

Not Hired - 1 year from registration or consent if not placed.

Hired - 6 years from end of employment

All Others

6 months - If no contact made; or

2 years- from last meaningful contact.

 


ANNEX 3 – Country specific variations to our Privacy Notice 

Australia & New Zealand

Germany

Switzerland

 

ANNEX 4 – Glossary

Candidates – refers to applicants (and those subsequently engaged on temporary assignments, directly or indirectly, by Impellam and/or one of its subsidiary companies)  for any roles advertised by or through Impellam and/or one of its subsidiary companies, whether permanent or temporary positions, whether as freelancers, contractors, flexible employees or through third parties including Suppliers; as well as people who have submitted a speculative CV to Impellam and or one of its subsidiary companies.

 

Clients – covers organisations which engage with Impellam and/or one of its subsidiary companies for it to provide recruitment or other services.

 

Data Controller – is a person, company, or other body that determines the purpose and means of personal data processing.

 

Data Processor – processes personal data only on behalf of the Data Controller.

 

Data Protection Act 2018 - updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

 

Employees – includes employees engaged directly by Impellam (or who have accepted an offer to be employed) as well as certain other workers engaged in the business of providing services to Impellam and/or one of its subsidiary companies.  This includes employees engaged to work on client premises under the terms of managed service agreements or equivalent.

 

General Data Protection Regulation (GDPR) – A European Union statutory instrument which aims to harmonise European data protection laws. It has an effective date of 25 May 2018, and any references to it should be construed accordingly to include any related national data protection legislation. 

 

The EU GDPR applies to all 27 member countries https://europa.eu/european-union/about-eu/countries_en of the European Union (EU). It also applies to all countries in the European Economic Area (the EEA), and includes Iceland, Norway, and Liechtenstein. 

 

The UK withdrew from the European Union on 31 December 2020, and the GDPR has now been enshrined under UK GDPR. The UK is expected to substantially follow the GDPR after Brexit but this Policy will be updated to reflect any changes where necessary.

Information Commissioners Office (ICO) - is the UK's independent body and supervisory authority set up to uphold information rights.

Managed Service Provider (MSP) Programmes  Clients’ outsourcing of the management of external staff (including freelance workers, independent contractors and temporary employees) to an external recruitment provider.

Meaningful Contact - When we refer to "meaningful contact", we mean, for example, communication between us (either verbal or written), or where you are actively engaging with our online services.

Privacy and Electronic Communication Regulation (PECR) – sit alongside the Data Protection Act and GDPR to give people specific privacy rights in relation to electronic communications.

Prospective Candidates – individuals with whom Impellam and/or one of its subsidiary companies has not had prior contact but whom Impellam and/or one of its subsidiary companies reasonably considers would be interested in our services and, in particular, in being considered for any roles advertised or promoted by Impellam and/or one of its subsidiary companies, including permanent, part-time and temporary positions and freelance roles with Impellam and/or one of its subsidiary companies Clients.

Recruitment Process Outsourcing (RPO) Services – full or partial outsourcing of the recruitment process for permanent employees to a recruitment provider.

Special Category or Sensitive Personal Data - the GDPR defines special category data as Personal Data revealing: (1) Racial or Ethnic Origin; (2) Political Opinions; (3) Religious or Philosophical Beliefs; (4) Trade Union Membership; (5) Genetic Data; (6) Biometric Data (where used for identification purposes); (7) data concerning Health; (8) data concerning a person’s Sex Life; (9) data concerning a person’s Sexual Orientation. This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. 

Suppliers – covers supplier companies (including sole traders), vendors, umbrella companies, partnerships and limited company contractors who provide services to Impellam and/or one of its subsidiary companies including as sub-contractors.  Suppliers should ensure their employees and workers are made aware of the provisions of this Privacy Policy as applicable.