1.0 Introduction
We, Bulletproof UK Ltd (also referred to in this document as “we,” “us,” “controller”), take the protection of your personal data very seriously and strictly adhere to the rules laid out by data protection laws and the UK General Data Protection Regulation (UK GDPR).
This privacy notice gives you information on how we collect and process your personal data through your use of Teamtailor and any data you may provide if you contact us regarding recruitment and hiring.
We have appointed a data protection officer (DPO) who is responsible for monitoring and providing guidance with our UK GDPR status. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our DPO using the contact information in section 15 of this privacy notice.
2.0 Why we Collect your personal information
We collect your personal data for one of the following purposes:
- To manage the recruitment and hiring process
- To manage the onboarding and employee lifecycle process
3.0 Lawful Basis for Processing Information
We only collect and use personal information about you where it is necessary for:
- compliance with a legal obligation to which the controller is subject;
- the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
We also rely on your consent as a lawful basis for processing your personal data. This consent is obtained from you when you create a Teamtailor account and accept our terms and conditions.
Your consent will expire after 6 months and then we will request further consent to keep your personal data beyond an initial 6-month retention period (or 30 days for those candidates sourced or referred) when necessary.
You can withdraw your consent at any time by using the self-service option to close your account or by contacting dpo@bulletproof.co.uk; however, this may not be applied retrospectively as certain information may be required to be retained in line with our legal obligations under employment, tax laws or the Immigration Act 2016.
4.0 What Information we collect and where from
We collect personal information from you through the Teamtailor website. The categories of personal information that we may collect, store, and use about you include:
- Name, address, telephone number, email.
- Information from Facebook, LinkedIn, and other social media accounts
- Date of birth
- CV
- Job history and education/qualifications and notice period
- Roles that interest you and roles you apply for
- Your choice of location where you are interested in working (including remote working)
- IP Address
- Geo Location
- Your right to Work
- Basic DBS check
- Salary
- Personal profile you create on your account to improve your success rate in obtaining relevant employment
We also collect special category personal information from you through the Teamtailor website. The categories of special category personal information that we may collect, store, and use about you include:
- Your country of birth, nationality, and gender.
- Passport details, national insurance number.
- Personal information you may provide to us during the course of the recruitment process.
- Health data
- Racial or ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning sex life or sexual orientation
4.1 Special Category Personal Data
We ask you not to provide any special category data (as described above) when uploading your details on this platform, as successful candidates will be asked to provide confirmation of identity and right to work at contract offer stage.
To the extent that you may upload this data, we will only process special category data where we have an Article 9 exception of the UK GDPR allowing us to do so, in this case, this is explicit consent. You will be asked to provide your explicit consent during the application process.
4.2 Third Party Collection of Personal Data
We may also collect your data through Third Parties such as Recruitment agencies, Our client; Defense.com and ServerChoice Ltd, Employee referral, LinkedIn, social media, and recruitment websites.
5.0 How Long we Keep Information For
We pride ourselves on ensuring that your personal data is only retained for the period that we need it for, or in accordance with laws, regulations, and professional obligations to which we are subject. All personal information collected has a defined retention period, which is in-line with our retention & disposal policy. The information collected in Teamtailor is retained as follows:
Candidate data is initially kept for 6 months if the candidate is classified as an active candidate i.e. they are moving through the recruitment process and have not been rejected.
If a candidate is rejected, their personal data will be flagged for deletion after 5 days from the date of rejection and 7 days after being flagged for deletion, the data will be removed, unless required to be retained for legal purpose.
If a candidate is classified as inactive (e.g. no actions or notes have been added to their profile), their personal data will be flagged for deletion after 30 days from the date of the last activity and 7 days after being flagged as inactive, the data will be removed, unless required to be retained for legal purpose.
Any candidate that submits a Data Subject Erasure Request will be flagged for deletion 1 day after the request is made and removed 7 days after being flagged for removal, unless required to be retained for legal purpose.
Active candidates, successful interviewees, or referred/sourced candidates can opt in for us to keep their personal data for a further 6 months. If candidates do not respond to a request to extend the retention period beyond 6 months, they will be flagged for deletion after the opt-in message and removed 7 days after this, unless required to be retained for legal purpose.
Data is backed up; however, backups are deleted on a 28-day cycle.
6.0 Security of personal information
We take the responsibility for protecting your privacy very seriously and we will ensure your data is secured in accordance with our obligations under the Data Protection laws. We have in place technical and organisational measures to ensure personal information is secured and to prevent your personal data from being accessed in an unauthorised way, altered, or disclosed. We have in place a robust access control policy which limits access to your personal data to only those employees, contractors and other third parties who have a business need to know. The processing of your personal data will only take place subject to our instruction.
We have policies and procedures to handle any potential data security breaches and data subjects, third parties and any applicable regulators will be notified where we are legally required to do so.
We have achieved ISO 27001 certification, and we are Cyber Essentials and Cyber Essentials Plus certified.
We have ensured that all employees have had information security and data protection training and complete annual mandatory refresher courses. If you would like more details of the security we have in place, please see "additional information", section 15 of this policy.
7.0 Children's information
We do not knowingly collect information on children. If we have collected personal information on a child, please contact us immediately using the details in section 15, so we can remove and/or assess this information without any undue delay. However, some of our candidates may be under the age of 18; they will be protected under the Data Protection Act 2018 to ensure a higher level of protection.
8.0 Your individual rights
In this section, we have summarised the rights that you have under the UK General Data Protection Regulation. Some of the rights are complex. Accordingly, for a full explanation of these rights you should read the relevant laws and guidance from the regulatory authorities, which can be found on the ICO page "Individual rights - guidance and resources", or contact us at DPO@bulletproof.co.uk.
Your principal rights under the UK General Data Protection Regulation are:
- Right to Object
- Right to request Access of your personal information
- Right to request to be informed
- Right to request Rectification
- Right to request Erasure
- Right to request Restricting Processing
9.0 Consent
Where you have given consent for processing, or explicit consent in relation to the processing of special category personal data, you have the right to withdraw this consent at any time, but this will not affect the lawfulness of processing based on consent before its withdrawal, and we may not be able to proceed with your application.
10.0 Failure To Provide Personal Information
Where we need to collect personal data in order to process your application and you fail to provide that data when requested, we may not be able to continue with your application. We will notify you at the time if this is the case.
11.0 Cookies
Cookies are used on this website. You can control whether you want to accept the use of these cookies via the cookie consent options on the website.
For more information about the cookies used, please see our Cookies Policy. However, you may not be able to access the full website services as the Teamtailor site may not fully work without functional cookies.
12.0 Transfers to Third Parties
We may disclose your personal data, listed in section 4 to some third parties to help us deliver our services/products. All third parties are contractually bound to protect the personal data we provide to them. We may use several or all of the following categories of recipients:
- Business partners, suppliers, contractors for the performance of any contract we enter into with them or you
- for administrative purposes and to provide services to you
- Third parties that support us to provide products and services e.g. IT support, cloud-based software services, providers of telecommunications equipment
- Professional advisors e.g. lawyers, auditors
- Web analytics and search engine provider to ensure the continued improvement and optimisation of our interaction with the Teamtailor website
13.0 Transfers Outside of The UK
In this section, we provide information about the circumstances in which your personal data may be transferred and stored in countries outside the UK.
We may share personal information with third parties outside of the UK. Any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws.
Where personal data is transferred outside of the UK to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:
- UK International Transfer Agreements (ITAs)
- Binding Corporate Rules
- An exception as defined in Article 49 of the UK GDPR
For more information about transfers and safeguarding measures, please contact us using the information in section 15.
14.0 Right to complain
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading, or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact us via email on dpo@bulletproof.co.uk.
Alternatively, you can contact us:
By Post: Unit H, Gateway 1000, Whittle Way, Stevenage SG1 2FP
By Phone: 01438 500096
If you are dissatisfied with the outcome of any review carried out in relation to information we hold about you, you may wish to appeal to the Information Commissioner’s Office:
By Post:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By Website: Click Here
By Email: Click Here
By Phone: 0303 123 1113 (Local rate) or 01625 545 745 (National rate)
15.0 Additional information
Your trust is important to us. That is why we are always available to talk with you at any time and answer any questions concerning how your data is processed. If you have any questions that could not be answered by this privacy policy or if you wish to receive more in-depth information about any topic within it, please contact our DPO and Compliance Team via email on dpo@bulletproof.co.uk.
16.0 Policy Review and Amendments
We keep this Policy under regular review. This Policy was last updated on 02/05/2024.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.