GDPR Policy

Issue: 06/24
GDPR DATA PROTECTION POLICY
DEFINITIONS
In this policy, the following words and phrases have the following meanings:
“Consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by
which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data
relating to them.
“Criminal records personal data” means personal data relating to criminal convictions and offences andpersonal
data relating to criminal allegations and proceedings.
“Data protection legislation” means the EU General Data Protection Regulation (GDPR), the Data Protection Act
2018 and any other applicable primary or secondary legislation as may be in force in theUK from time to time.
“Data subject” means a living identified or identifiable individual about whom the Company holdspersonal data.
“Member of staff” is any director, employee, worker, agency worker, apprentice, intern, volunteer, contractor and
consultant employed or engaged by the Company.
“Personal data” is any information relating to a data subject who can be identified (directly or indirectly) either from
those data alone or by reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or
social identity of that data subject. It excludes anonymised data, i.e. whereall identifying particulars have been
removed.
“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data,
whether or not by automated means, such as collecting, recording, organising, structuring,storing, adapting, altering,
retrieving, using, disclosing, disseminating, restricting, erasing, or destroying. It also includes transmitting or
transferring personal data to third parties.
“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning the
physical or mental health of a data subject or data concerning a data subject’s sex life or sexual orientation.
INTRODUCTION
This policy sets out how the Company processes the personal data of data subjects, including the personal data of
job applicants and the personal data of our current and former directors, employees, workers, agency workers,
apprentices, interns, volunteers, contractors, consultants, clients, customers, suppliers and other third parties. It
applies to all personal data that we process, regardless of the media onwhich those personal data are stored, e.g.,
electronically, on paper or on other materials.
The Company is committed to being clear and transparent about how we collect and use personal data and to
complying with our data protection obligations. Protecting the confidentiality, security, and integrity of the personal
data that we process is also of paramount importance to our business operations. The Company will process personal
data relating to you in accordance with this policy, the data protection legislation and the latest privacy notice which
has been issued to you.
This policy applies to all members of staff. It is non-contractual and does not form part of any employment contract,
casual worker agreement, consultancy agreement or any other contract for services.
Issue: 06/24
As a member of staff, you are yourself a data subject and you may also process personal data on the Company’s
behalf about other data subjects. This policy should therefore be read and interpreted accordingly. You must always
comply with it when processing personal data on the Company’s behalf in the proper performance of your job duties
and responsibilities. The data protection legislation contains important principles affecting personal data relating to
data subjects. The purpose of this policy is to set out what we expect from you and to ensure that you understand
and comply with the rules governing the processing of personal data to which you may have access in the course of
your work, so as to ensure that neither the Company nor you breach the data protection legislation.
The Company takes compliance with this policy very seriously. Any breach of this policy or any breach of the data
protection legislation will be regarded as misconduct and will be dealt with under the Company’s disciplinary
procedure. A significant or deliberate breach of this policy, such as accessing a data subject’s personal data without
authority or unlawfully obtaining or disclosing a data subject’s personal data (or procuring their disclosure to a third
party) without the Company’s consent, constitutes a gross misconduct offence and could lead to your summary
dismissal. If you are not an employee, you may have your contract with the Company terminated with immediate
effect.
The Company’s data compliance manager has responsibility for data protection compliance within the business. You
should contact them if you have any questions about the operation of this policy or need further information
about the data protection legislation, or if you have any concerns that this policyis not being or has not been
followed. They can be contacted as follows: Lisa Norton, Compliance & Social Value Director, email:
lisa@artisanrecruitmentgroup.com; DDI: 01329 562 004. You must also contact them to seek further advice in the
following circumstances:
• if you are in any doubt about what you can or cannot disclose and to whom
• if you are unsure about the lawful basis you are relying on to process personal data
• if you need to rely on consent to process personal data
• if you need to obtain or issue privacy notices
• if you are not clear about the retention period for the personal data being processed
• if you are unsure about what appropriate security measures you need to implement to protect
personal data
• if you need assistance in dealing with any rights invoked by a data subject
• if you suspect there has been a personal data breach
• where you propose to use personal data for purposes other than that for which they were collected
• where you intend to engage in a significant new or amended data processing activity
• where you plan to undertake any activities involving automated decision-making, including profiling
• if you need assistance with, or approval of, contracts in relation to sharing personal data with third- party
service providers
• if you believe personal data are not being kept or deleted securely or are being accessed without the
proper authorisation
• if you suspect there has been any other breach of this policy or any breach of the data protection
principles
If you wish to make an internal complaint that this policy is not being or has not been followed, you can also raise
this as a formal grievance under the Company’s grievance procedure.
THE DATA PROTECTION PRINCIPLES
Under the data protection legislation, there are six data protection principles that the Company and all members of
staff must always comply with in their personal data processing activities. In brief, the principles say that personal
data must be:
1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness,fairness,
and transparency).
2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is
incompatible with those purposes (purpose limitation).
Issue: 06/24
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
(data minimisation).
4. Accurate and, where necessary, kept up to date; every reasonable step must also be taken to ensure that
personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or
rectified without delay (accuracy).
5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for
which the personal data are processed (storage limitation).
6. Processed in a manner that ensures appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate
technical or organisational measures (integrity and confidentiality).
The Company is responsible for, and must be able to demonstrate compliance with, these data protection principles.
This is called the principle of accountability.
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
This principle means that both the Company and members of staff may only collect, process, and share personal data
lawfully and fairly and for specific purposes.
Lawfulness and fairness
The data protection legislation provides that processing is only lawful in certain circumstances. These include where:
• the data subject has given consent to the processing of their personal data for one or more specific purposes
• the processing is necessary for the performance of a contract with the data subject, e.g., an employment
contract, or in order to take steps at the request of the data subject prior to entering acontract
• the processing is necessary for compliance with our legal obligations
• the processing is necessary to protect the data subject’s vital interests (or someone else’s vital interests)
• the processing is necessary to pursue our legitimate interests (or those of a third party), where the data subject’s
interests or fundamental rights and freedoms do not override our interests; the purposes for which we process
personal data for legitimate interests must also be set out in an appropriate privacy notice
The Company and members of staff must only process personal data based on one or more of these lawful bases for
processing. Before a processing activity starts for the first time, and then regularly while it continues, we will review
the purpose of the processing activity, select the most appropriate lawful basis (or bases) for that processing and
satisfy ourselves that the processing is necessary for the purpose of that lawful basis (or bases). When determining
whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will conduct a
legitimate interest’s assessment, keep a record of it and keep it under review.
Where the Company relies on consent as the lawful basis for processing, this requires the data subject to have given
a positive statement, active opt-in, or clear affirmative action; pre-ticked boxes, inactivity orsilence do not constitute
consent. If consent is given in a document that also deals with other matters, the request for consent must be clearly
distinguishable and kept separate from those other matters. In addition, consent must specifically cover the purposes
of the processing and the types of processing activity, so you must ensure that you obtain separate consents for
different types of processing, where appropriate.
Issue: 06/24
Data subjects also have the right to withdraw their consent to processing at any time, they must be advised of this
right and it must be as easy for them to withdraw their consent as it was to give it.
The data protection legislation also provides that the processing of special categories of personal data and
criminal records personal data is only lawful in more limited circumstances where a special condition for processing
also applies (this is an additional requirement; the processing must still meet one or more of the conditions for
processing set out above). These include where:
• the data subject has given their explicit consent to the processing of their personal data for one or more specified
purposes; explicit consent requires a very clear and positive statement, and it cannot be implied from the data
subject’s actions
• the processing is necessary for the purposes of carrying out obligations or exercising specific rights of either the
Company or the data subject under employment law or social security law
• in the case of special categories of personal data, the processing relates to personal data which are manifestly
made public by the data subject
• the processing is necessary for the establishment, exercise, or defence of legal claims
We may from time to time need to process special categories of personal data and criminal records personal data.
The Company and members of staff must only process special categories of personal data and criminal records
personal data where there is also one or more of these special lawful bases for processing. Before processing any
special categories of personal data and criminal records personal data,you must notify our data compliance manager
so that they may assess whether the processing complies with one or more of these special conditions.
A clear record must be kept of all consents, including explicit consents, which covers what the data subject has
consented to, what they were told at the time and how and when consent was given. This enables the Company to
demonstrate compliance with the data protection requirements for consent.
TRANSPARENCY
Under the data protection legislation, the transparency principle requires the Company to provide specific
information to data subjects through appropriate privacy notices. These must be concise, transparent, intelligible,
easily accessible and use clear and plain language. Privacy notices may comprise general privacy statements applicable
to a specific group of data subjects, e.g., employees, or they may be stand- alone privacy statements covering
processing related to a specific purpose. Whenever we collect personal data directly from data subjects, including
for employment purposes, we must provide the data subjectwith all the information required to be included in a
privacy notice. This includes:
• the identity and contact details of the Company (as data controller) and any representative
• where applicable, the identity and contact details of the data protection officer
• the purposes for which the personal data will be processed
• the lawful basis or bases for processing
• where we are relying on our legitimate interests (or those of a third party) as the lawful basis for
processing, what those legitimate interests are
• the categories of personal data, unless they were obtained directly from the data subject
• the third-party sources that the personal data originate from, unless they were obtained directly from the
data subject
• the recipients, or categories of recipients, with whom the personal data may be shared
• details of transfers to non-EEA countries and the suitable safeguards applied
• the retention period for the personal data or, if that is not possible, the criteria to be used to determine the
retention period
• the existence of the data subject’s rights, i.e., subject access, rectification, erasure, restriction of
processing, objection, and data portability
• the right to withdraw consent to processing at any time, where consent is being relied on as the lawful basis for
processing
Issue: 06/24
• the right to lodge a complaint with the Information Commissioner’s Office
• whether the provision of personal data is part of a statutory or contractual requirement or obligation, ora
requirement necessary to enter into a contract, and the possible consequences of failing to provide the personal
data
• the existence of any automated decision-making, including profiling, and meaningful information abouthow
decisions are made, the significance and consequences.
We must issue a privacy notice, which can be by electronic means, when we first collect a data subject’s personal
data from them. If the personal data have been obtained from third parties, we must provide the privacy notice
information within a reasonable period of having obtained the personal data, but at thelatest within one month.
However, if the personal data are to be used to communicate with the data subject, the privacy notice information
is to be provided, at the latest, when the first communication takes place, or if disclosure of the personal data to
another recipient is envisaged, it is to be provided, at the latest, when the data are first disclosed. You must comply
with these rules on privacy notices when processing personal data on the Company’s behalf in the proper
performance of your job duties and responsibilities.
The Company will issue privacy notices to you from time to time.
Privacy notices can also be obtained from the Company’s data compliance manager.
PURPOSE LIMITATION
Personal data must be collected only for specified, explicit and legitimate purposes and they must not be further
processed in any manner that is incompatible with those purposes.
Personal data cannot be used for new, different, or incompatible purposes from those disclosed to the datasubject
when they were first obtained, for example in an appropriate privacy notice, unless the data subject has been
informed of the new purposes and the terms of this policy are otherwise complied with,
e.g., there is a lawful basis for processing.
This also includes special categories of personal data and criminal records personal data.
DATA MINIMISATION
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they
are processed.
We will only collect personal data to the extent that they are required for the specific purposes notified to the data
subject. You must only process personal data where your job duties and responsibilities require itand you must not
process personal data for any reason which is unrelated to your job duties and responsibilities. In addition, you must
ensure that any personal data you collect are adequate and relevantfor the intended purposes and are not excessive.
This includes special categories of personal data and criminal records personal data.
When personal data are no longer needed for specified purposes, you must ensure that they are destroyed, erased
or anonymised in accordance with the Company’s rules on data retention and destruction set out below.
ACCURACY
Personal data must be accurate and, where necessary, kept up to date. In addition, every reasonable stepmust be
taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Issue: 06/24
It is important that the personal data we hold about you as a data subject is accurate and up to date. Please keep us
informed if your personal data changes, e.g., you change your home address, so that our records can be updated.
The Company cannot be held responsible for any errors in your personal data in this regard unless you have notified
the Company of the relevant change. We will promptly update your personal data if you advise us that they have
changed or are inaccurate.
You must also ensure that the personal data we hold about other data subjects is accurate and up to date where this
is part of your job duties or responsibilities. This includes special categories of personal data and criminal records
personal data. You must check the accuracy of any personal data at the point of theircollection and at regular intervals
thereafter. You must take all reasonable steps to destroy, erase or update outdated personal data and to correct
inaccurate personal data.
STORAGE LIMITATION
Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary
for the purposes for which the personal data are processed.
The Company will only retain personal data for as long as is necessary to fulfil the legitimate business purposes for
which they were originally collected and processed, including for the purposes of satisfying any legal, tax, health and
safety, reporting or accounting requirements.
This includes special categories of personal data and criminal records personal data. You must comply with the
Company’s rules on data retention and destruction set out below.
RETENTION: JOB APPLICANTS
If a job applicant’s application for employment or engagement is unsuccessful, the Company will generally hold their
personal data, including special categories of personal data and criminal records personal data, for one year after the
end of the relevant recruitment exercise but this is subject to: (a) any minimum statutory or other legal, tax, health
and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some types
of personal data for up to six years to protect against legal risk, e.g. if they could be relevant to a possible legal claim
in a tribunal, County Court or High Court.
If the job applicant has consented to the Company keeping their personal data on file for in case there are future
suitable employment opportunities with us, we will hold their personal data for a further one year after the end of
the relevant recruitment exercise, or until they withdraw their consent if earlier.
RETENTION: MEMBERS OF STAFF
The Company will generally hold personal data, including special categories of personal data and criminal records
personal data, for the duration of a member of staff’s employment or engagement. The exceptions are:
• any personal data supplied as part of the recruitment process will not be retained if they have no bearing on the
ongoing working relationship
• criminal records personal data collected in the course of the recruitment process will be deleted once they have
been verified through a DBS criminal record check, unless, in exceptional circumstances, the information has
been assessed by the Company as relevant to the ongoing working relationship
• it will only be recorded whether a DBS criminal record check has yielded a satisfactory or unsatisfactory result,
unless, in exceptional circumstances, the information in the criminal record check has been assessed by the
Company as relevant to the ongoing working relationship
• if it has been assessed as relevant to the ongoing working relationship, a DBS criminal record check will
nevertheless be deleted after one year or once the conviction is “spent” if earlier (unless information about
spent convictions may be retained because the role is an excluded occupation or profession)
Issue: 06/24
• disciplinary, grievance and capability records will only be retained until the expiry of any warning given (but a
summary disciplinary, grievance or performance management record will still be maintained for the duration of
employment).
Once a member of staff has left employment or their engagement has been terminated, we will generally hold their
personal data, including special categories of personal data and criminal records personal data, for one year after the
termination of their employment or engagement, but this is subject to: (a) any minimum statutory or other legal, tax,
health and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some
types of personal data for up to six years to protect against legal risk, e.g. if they could be relevant to a possible legal
claim in a tribunal, County Court or High Court. We will hold payroll, wage, and tax records (including salary, bonuses,
overtime, expenses, benefits and pension information, National Insurance number, PAYE records, tax code and tax
status information) for up to six years after the termination of their employment or engagement.
Overall, this means that we will “thin” the file of personal data that we hold on to members of staff one year after
the termination of their employment or engagement, so that we only continue to retain for a longer period what is
strictly necessary.
RETENTION: OTHER THIRD PARTIES, INCLUDING CLIENTS, CUSTOMERS AND SUPPLIERS
The Company will generally hold personal data, including special categories of personal data and criminal records
personal data, belonging to clients, customers, and suppliers for the duration of our business relationship with them.
Once our business relationship with a client, customer or supplier has been terminated, we will generally hold their
personal data, including special categories of personal data and criminal records personal data, for one year after the
termination of the business relationship, but this is subject to: (a) any minimum statutory or other legal, tax, health
and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some types
of personal data for up to six years to protect against legal risk, e.g. if they could be relevant to a possible legal claim
in a County Court or High Court.
Overall, this means that we will “thin” the file of personal data that we hold on to clients, customers and suppliers
one year after the termination of the business relationship, so that we only continue to retain fora longer period
what is strictly necessary.
DESTRUCTION AND ERASURE
All personal data, including special categories of personal data and criminal records personal data, must be reviewed
before destruction or erasure to determine whether there are special factors that mean destruction or erasure should
be delayed. Otherwise, they must be destroyed or erased at the end of the retention periods outlined above. If you
are responsible for maintaining personal data and are not clear what retention period should apply to a particular
record, please contact our data compliance manager for guidance.
Personal data which are no longer to be retained will be permanently erased from our IT systems or securely and
effectively destroyed, e.g., by cross-shredding of hard copy documents, burning them or placing them in confidential
waste bins or by physical destruction ofstorage media, and we will also require third parties to destroy or erase such
personal data where applicable. You must take all reasonable steps to destroy or erase personal data that we no
longer require.
In some circumstances we may anonymise personal data so that they no longer permit a data subject’s identification.
In this case, we may retain such personal data for a longer period.
Issue: 06/24
INTEGRITY AND CONFIDENTIALITY
Personal data must be processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss, destruction,or damage, using
appropriate technical or organisational measures.
The Company takes the security of personal data seriously and we have implemented and maintain safeguards which
are appropriate to the size and scope of our business, the amount of personal data that we hold and any identified
risks. This includes encryption and pseudonymisation of personal data where appropriate. We have also taken steps
to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services
and to ensure that, in the event of a physical ortechnical incident, availability and access to personal data can
be restored in a timely manner.
We regularly test and evaluate the effectiveness of our technical and organisational safeguards to ensure the security
of our processing activities.
In turn, you are responsible for protecting the personal data that we hold, and you must implement reasonable and
appropriate security measures against unauthorised or unlawful processing of personal data and against their
accidental loss, destruction, or damage. You must be particularly careful in protecting special categories of personal
data and criminal records personal data. You must follow all procedures, and comply with all technologies and
safeguards, that we put in place to maintain the security of personal data from the point of collection to the point of
destruction.
Where the Company uses third-party service providers to process personal data on our behalf, additional security
arrangements need to be implemented in contracts with those third parties to safeguard the security of personal
data. You can only share personal data with third-party service providers if you have been authorised to do so and
provided that certain safeguards and contractual arrangements have been put in place, including that:
• the third party has a business need to know the personal data for the purposes of providing the
contracted services
• sharing the personal data complies with the privacy notice that has been provided to the data subject(and, if
required, the data subject’s consent has been obtained)
• the third party has agreed to comply with our data security procedures and has put adequate measures
in place in ensure the security of processing
• the third party only acts on our documented written instructions
• a written contract is in place between the Company and the third party that contains specific approved terms
• the third party will assist the Company in allowing data subjects to exercise their rights in relation to data
protection and in meeting our obligations in relation to the security of processing, the notification of data
breaches and data protection impact assessments
• the third party will delete or return all personal data to the Company at the end of the contract
• the third party will submit to audits.
Before any new agreement involving the processing of personal data by a third-party service provider is entered into,
or an existing contract is amended, you must seek the approval of its terms from our data compliance manager.
You may only share personal data with other members of staff if they have a business need to know in order to
properly perform their job duties and responsibilities.
Hard copy personnel files, which hold personal data gathered during the working relationship, are confidential and
must be stored in locked filing cabinets. Only authorised members of staff, who have a business need to know in
order to properly perform their job duties and responsibilities, have access to these files. Files will not be removed
from their normal place of storage without good reason. Personal data stored on removable storage media must be
kept in locked filing cabinets or locked drawers and cupboards when not in use by authorised members of staff.
Personal data held in electronic format will be stored confidentially by means of password protection, encryption or
pseudonymisation, and again only authorised members of staff have access to those data.
Issue: 06/24
The Company has network backup procedures in place to ensure that personal data held in electronic format cannot
be accidentally lost, destroyed, or damaged. Personal data must not be stored on local computer drives or on
personal devices.
The data protection legislation requires the Company to notify any personal data breach to the Information
Commissioner’s Office within 72 hours after becoming aware of the breach and, where there is a high risk to the
rights and freedoms of data subjects, to the data subject themselves.
A personal data breach is any breach of security which leads to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed and
includes any act or omission that compromises the confidentiality, integrity or availability of personal data or the
safeguards that we, or our third-party service providers, have put in place to protect them. The Company has
procedures in place to deal with any suspected personal data breach and you are required to comply with these.
If you know or suspect that a personal data breach has occurred, you must immediately contact our data compliance
manager, retain any evidence you have in relation to the breach and follow the Company’s data breach policy and
response plan.
ACCOUNTABILITY
The Company is responsible for, and must be able to demonstrate compliance with, the data protection principles.
This means that we must implement appropriate and effective technical and organisational measures to ensure
compliance, and we also require you to fully assist and co-operate with us in this regard. In particular, we have:
• appointed a data compliance manager to be responsible for data protection compliance and privacy matters
within the business
• kept written records of personal data processing activities
• implemented a privacy by design approach when processing personal data and we will conduct and complete
data protection impact assessments (DPIAs) where a type of data processing, e.g., the launch of a new product
or the adoption of a new program, process or IT system, in particular using a new technology, is likely to result
in a high risk to the rights and freedoms of data subjects
• integrated data protection requirements into our internal documents, including this data protection policy, other
related policies, and privacy notices
• introduce a regular training programme for all members of staff on the data protection legislation and on their
data protection duties and responsibilities and we also maintain a training record to monitor itsdelivery and
completion – you must undergo all mandatory data protection training
• introduced regular reviews of our privacy measures and our policies, procedures and contracts and regular
testing of our systems and processes to monitor and assess our ongoing compliance with the data protection
legislation and the terms of this policy in areas such as security, retention, and data sharing.
We also keep records of our personal data processing activities, and you are required to assist us in ensuring these
records are full, accurate and kept up to date.
PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
We are required to implement privacy by design measures when processing personal data by implementing
appropriate technical and organisational measures in an effective manner to ensure compliance with the data
protection legislation. You must assess what privacy by design measures can beimplemented on all processes or
systems that process personal data where this is part of your job dutiesor responsibilities because those processes
or systems are under your control.
Issue: 06/24
Where a type of data processing, e.g., the launch of a new product or the adoption of a new program, process or IT
system which is under your control, is likely to result in a high risk to the rights and freedomsof data subjects, you
must assist us in conducting and completing a DPIA.
This includes (but is not limited to):
• systematic and extensive automated processing and automated decision-making activities, including profiling,
and on which decisions are based that have legal effects, or similar significant effects, on data subjects
• large-scale processing of special categories of personal data or criminal records personal data
• large-scale systematic monitoring of publicly accessible areas, e.g., using CCTV.
Before any form of new technology, program, process, or system is introduced, you must contact our data compliance
manager in order that a DPIA can be carried out.
A DPIA will comprise a review of the new technology, program, process or system and it must contain a description
of the processing operations and the purposes, an assessment of the necessity and proportionality of the processing
in relation to those purposes, an assessment of the risks to individuals and the measures in place to address or
mitigate those risks and demonstrate compliance.
AUTOMATED PROCESSING AND AUTOMATED DECISION-MAKING
Automated processing is any form of automated processing of personal data consisting of the use of personal data
to evaluate certain personal aspects relating to an individual, and automated decision- making occurs when an
electronic system uses an individual’s personal data to make a decision without human intervention.
You will not be subject to decisions that will have a significant impact on you based solely on automated processing
unless we have a lawful basis for doing so, i.e., it is necessary for the performance of the contract we have entered
into with you, or your explicit consent has been obtained or is authorised by law.You will also be given the right to
obtain human intervention, to express your point of view and to contest the decision.
Where you are involved in any data processing activity that involves automated decision-making or profiling, you
must comply with the Company’s guidelines.
DIRECT MARKETING
The Company is subject to certain rules when marketing our clients and customers. If you are involved in direct
marketing to customers, you must comply with the Company’s guidelines on this. In particular, a data subject’s prior
consent is required for electronic direct marketing. There is a limited exception for existing clients and customers
which allows us to send marketing texts and e-mails if we have obtained their contact details in the course of a sale
to that person, we are marketing similar products or services to them and we gave that person an opportunity to opt
out of marketing when first collecting their details and in every subsequent message.
If a data subject objects to direct marketing, it is essential that this is actioned in a timely manner and their details
should be suppressed as soon as possible. You can retain just enough information to ensure that marketing
preferences are respected in the future.
TRANSFERRING PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
The data protection legislation restricts transfers of personal data to countries outside the European Economic Area
(EEA) in order to ensure that the level of data protection afforded to data subjects is maintained.
The Company does not transfer personal data to countries outside the EEA and you must ensure that you comply
with this rule.
Issue: 06/24
DATA SUBJECT RIGHTS TO ACCESS PERSONAL DATA
Under the data protection legislation, data subjects have the right, on request, to obtain a copy of the personal data
that the Company holds about them by making a written data subject access request (DSAR). This allows the data
subject to check that we are lawfully processing their personal data. The data subject has the right to obtain:
• confirmation as to whether or not their personal data are being processed
• access to copies of their specified personal data
• other additional information.
The other additional information (which should be provided in a concise, transparent, intelligible, and easilyaccessible
form, using clear and plain language) comprises:
• the purposes of the processing and the categories of personal data concerned
• the recipients, or categories of recipients, to whom the personal data have been or will be disclosed, in
particular recipients in non-EEA countries
• where the personal data are transferred to a non-EEA country, what appropriate safeguards are inplace
relating to the transfer
• the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to
determine that period
• the existence of the data subject’s rights to request rectification or erasure of their personal data or
restriction of processing of their personal data or to object to such processing
• their right to lodge a complaint with the Information Commissioner’s Office if they think the Companyhas
failed to comply with their data protection rights
• where the personal data are not collected from them, any available information as to their source
• the existence of automated decision-making, including profiling, and meaningful information about thelogic
involved, as well as the envisaged consequences of such processing for them.
When a data subject makes a DSAR, we will log the date on which the request was received and confirm their identity.
Where we have reasonable doubts concerning the data subject’s identity, we will request them to provide such
additional information necessary to confirm their identity before complying with their DSAR. We will then search
databases, systems, and other places where the personal data which are the subject of the DSAR may be held. Where
we process a large quantity of personal data about a data subject, we may ask them to first specify the information
that their DSAR relates to.
If the data subject makes their DSAR electronically, the Company must provide a copy of the personal data in a
commonly used electronic format, unless they specifically request otherwise. If the data subject wants additional
copies of the personal data, the Company will charge a reasonable fee, which is basedon our administrative costs
of providing the additional copies.
The Company will normally respond to a DSAR and provide copies of the personal data within one month of the date
of receipt of the request. However, we may extend this time limit for responding by a further two months if the
request is complex or there are a number of requests made by the data subject. If we intend to extend the time limit,
we will contact the data subject within one month of the DSAR’s receipt to inform them of the extension and to
explain why it is necessary.
Before providing the personal data to the data subject making the DSAR, we will review the personal data requested
to see if they contain the personal data of other data subjects. If they do, we may redact the personal data of those
other data subjects prior to providing the data subject with their personal data, unlessthose other data subjects have
consented to the disclosure of their personal data.
We will also check whether there are any statutory exemptions from disclosure that apply to the personal data that
are the subject of the DSAR. If a statutory exemption applies to any of the personal data, those personal data may
not be disclosed.
Issue: 06/24
Whilst we will normally provide a copy of the personal data in response to a DSAR free of charge, we reserve the right
to charge a reasonable fee, based on our administrative costs of providing the personal data, when a DSAR is
manifestly unfounded or excessive, particularly if it repeats a DSAR to which we have already responded.
Alternatively, where a DSAR is manifestly unfounded or excessive, we reserve the right to refuse to respond
altogether. Where we refuse to act on a request in this way, we will set out our written reasons why to the data
subject within one month of receipt of their DSAR. We will also inform them of their right to complain to the
Information Commissioner’s Office or to seek a judicial remedy in the courts.
If you wish to exercise your data subject access rights, please complete our data subject access request form, or put
the request in an e-mail, and send it to our Human Resources Director as follows: Lisa Norton, email:
lisa@artisanrecruitmentgroup.com. We will inform you if we need to further verify your identity.
If you receive a DSAR from another data subject, you must immediately forward it to our Group Human Resources
Manager, and they will deal with responding to it.
OTHER DATA SUBJECT RIGHTS IN RELATION TO THEIR PERSONAL DATA
Data subjects have a number of other rights in relation to their personal data. When we process data subjects’
personal data, we will respect those rights. It is the Company’s policy to ensure that requests by data subjects to
exercise their rights in respect of their personal data are handled in accordance with the data protection legislation.
Subject to certain conditions, and in certain circumstances, data subjects have the right to:
• be informed – this is normally satisfied by issuing them with an appropriate privacy notice
• request rectification of their personal data – this enables them to have any inaccurate or incomplete personal
data we hold about them corrected or completed, including by their providing a supplementary statement
• request the erasure of their personal data – this enables them to ask us to delete or remove their personal data
where there’s no compelling reason for their continued processing, e.g. it’s no longer necessary in relation to
the purpose for which they were originally collected or if there are nooverriding legitimate grounds for the
processing
• restrict the processing of their personal data – this enables them to ask us to suspend the processingof their
personal data, e.g. if they contest the accuracy and so want us to verify the accuracy or the processing is unlawful,
but they don’t want the personal data to be erased
• object to the processing of their personal data – this enables them to ask us to stop processing their personal
data where we are relying on the legitimate interests of the business as our lawful basis for processing and there
is something relating to their particular situation which makes them decide to object to processing on this ground
• data portability – this gives them the right to request the transfer of their personal data to another party so that
they can reuse them across different services for their own purposes
• not be subject to automated decision-making, including profiling – this gives them the right not to be subject to
a decision based solely on the automated processing of their personal data, if such decisionproduces legal effects
concerning them or similarly significantly affects them
• prevent direct marketing – this enables them to prevent our use of their personal data for direct marketing
purposes
• be notified of a data breach which is likely to result in a high risk to their rights and freedoms.
If, as a data subject, you wish to exercise any of these rights, please contact our Group Human Resources.
If a data subject invokes any of these rights, you must take steps to verify their identity, log the date on which the
request was received and seek advice from our Group Human Resources Manager if you need assistance in dealing
with the matter. The following response procedures apply as applicable:
• response to requests to rectify personal data – unless there is an applicable exemption, we will rectify the
personal data without undue delay and we will also communicate the rectification of the personal data to each
recipient to whom the personal data have been disclosed, e.g., our third-party service providers, unless this is
impossible or involves disproportionate effort
Issue: 06/24
• response to requests for the erasure of personal data – we will erase the personal data without undue delay
provided one of the grounds set out in the data protection legislation applies and there is no applicable
exemption (and, where the personal data are to be erased, a similar timetable and procedure to that applying
to responding to DSARs will be followed). We will also communicate the erasure of the personal data to each
recipient to whom the personal data have been disclosed unlessthis is impossible or involves disproportionate
effort. Where we have made the personal data public, we will take reasonable steps to inform those who are
processing the personal data that the data subject has requested the erasure by them of any links to, or copies
or replications of, those personal data
• response to requests to restrict the processing of personal data – where processing has been restricted in
accordance with the grounds set out in the data protection legislation, we will only processthe personal data
(excluding storing them) with the data subject’s consent, for the establishment, exercise, or defence of legal
claims, for the protection of the rights of another person, or for reasons of important public interest.
Prior to lifting the restriction, we will inform the data subject that it is to be lifted. We will also communicate the
restriction of processing of the personal data to each recipient to whom the personaldata have been disclosed,
unless this is impossible or involves disproportionate effort
• response to objections to the processing of personal data – where such an objection is made in accordance with
the data protection legislation and there is no applicable exemption, we will no longerprocess the data subject’s
personal data unless we can show compelling legitimate grounds for the processing which overrides the data
subject’s interests, rights and freedoms or we are processing the personal data for the establishment, exercise,
or defence of legal claims. If a data subject objects to the processing of their personal data for direct marketing
purposes, we will stop processing the personal data for such purposes
• response to requests for data portability – unless there is an applicable exemption, we will provide the personal
data without undue delay if the lawful basis for the processing of the personal data is consentor pursuant to a
contract and our processing of those data is carried out by automated means (and a similar timetable and
procedure to that applying to responding to DSARs will be followed)
• response to requests not to be subject to automated decision-making – where such a request is made we will,
unless there is an applicable exemption, no longer make such a decision unless it’s necessaryfor entering into,
or the performance of, a contract between us and the data subject, is authorised by applicable law which lays
down suitable measures to safeguard the data subject’s rights, freedomsand legitimate interests, or is based
on the data subject’s explicit consent. In these circumstances, thedata subject will still be given the right to obtain
human intervention, to express their point of view and to contest the decision.
In the limited circumstances where the data subject has provided their consent to the processing of their personal
data for a specific purpose, they have the right to withdraw their consent for that specific processing at any time.
This will not, however, affect the lawfulness of processing based on consent before its withdrawal.
If, as a data subject, you wish to withdraw your consent to the processing of your personal data for a specific purpose,
please contact our Group Human Resources Manager. Once we have received notification that you have withdrawn
your consent, we will no longer process your personal data for the purpose you originally agreed to, unless we have
another lawful basis for processing.
If a data subject invokes their right to withdraw their consent, seek advice from our Human Resources Manager.
Data subjects also have the right to make a complaint to the Information Commissioner’s Office at any time.
Issue: 06/24
YOUR OBLIGATIONS IN RELATION TO PERSONAL DATA
You must always comply with this policy and the data protection principles in your personal data processing activities
where you are acting on behalf of the Company in the proper performance of your jobduties and responsibilities. We
rely on you to help us meet our data protection obligations to data subjects.
Under the data protection legislation, you should also be aware that you are personally accountable for your actions,
and you can be held criminally liable. It is a criminal offence for you knowingly or recklessly toobtain or disclose
personal data (or to procure their disclosure to a third party) without the consent of the Company. This would include,
for example, taking clients’ or customers’ contact details or other personal data without the Company’s consent on
the termination of your employment, accessing another employee’s personal data without authority or otherwise
misusing or stealing personal data held by the Company. It is also a criminal offence to knowingly or recklessly reidentify personal data that has been anonymised without the consent of the Company, where we de-identified the
personal data, and it is a criminal offence to alter, block, erase, destroy or conceal personal data with the intention
of preventing their disclosure to a data subject following a data subject access request. Where unlawful activity is
suspected, the Company will report the matter to the Information Commissioner’s Office for investigation into the
alleged breach of the data protection legislation and this may result in criminal proceedings being instigated against
you. The Company may also need to report the alleged breach to a regulatory body.
This conduct would also amount to a gross misconduct offence under the Company’s disciplinary procedure and
could lead to your summary dismissal.
You must also always comply with the following guidelines:
• only access personal data that you have authority to access and only for authorised purposes, e.g. if you need
them for the work you do for the Company, and then only use the data for the specified lawful purpose for which
they were obtained
• only allow other members of staff to access personal data if they have the appropriate authorisation and never
share personal data informally
• do not disclose personal data to anyone except the data subject. In particular, they should not be given to
someone from the same family, passed to any other unauthorised third party, placed on the Company’s website
or posted on the Internet in any form. unless the data subject has given their explicit consent to this
• be aware that those seeking personal data sometimes use deception to gain access to them, so always verify the
identity of the data subject and the legitimacy of the request
• where the Company provides you with code words or passwords to be used before releasing personaldata, you
must strictly follow the Company’s requirements in this regard
• only transmit personal data between locations by e-mail if a secure network is in place, e.g., encryption is used
for e-mail
• if you receive a request for personal data about another member of staff or data subject, you should
forward this to the Company’s Human Resources Manager
• ensure any personal data you hold are kept securely, either in a locked non-portable filing cabinet or drawer if
in hard copy, or password protected or encrypted if in electronic format, and comply with Company rules on
computer access and secure file storage
• do not access another member of staff’s personal data, e.g., their personnel records, without authority as this
will be treated as gross misconduct and it is a criminal offence
• do not obtain or disclose personal data (or procure their disclosure to a third party) without authority orwithout
the Company’s consent as this will be treated as gross misconduct and it is a criminal offence
• do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which itwould
be inappropriate to share with that data subject
• do not remove personal data, or devices containing personal data, from the workplace with the intention of
processing them elsewhere unless this is necessary to enable you to properly carry out your job duties and
responsibilities, you have adopted appropriate security measures (such as password protection, encryption or
pseudonymisation) to secure the data and the device and it has been authorised by your line manager
Issue: 06/24
• ensure that, when working on personal data as part of your job duties and responsibilities when away from your
workplace and with the authorisation of your line manager, you continue to observe the terms of this policy and
the data protection legislation, in particular in matters of data security
• do not store personal data on local computer drives, your own personal computer or on other personal devices
• do not make unnecessary copies of personal data and keep and dispose of any copies securely, e.g., by crossshredding hard copies
• ensure that you attend all mandatory data protection training
• refer any questions that you may have about the data protection legislation or compliance with this policy to our
data compliance manager
• remember that compliance with the data protection legislation and the term of this policy is your personal
responsibility.
CHANGES TO THIS POLICY
The Company will review this policy at regular intervals, and we reserve the right to update or amend it at any time
and from time to time. We will circulate any modified policy to members of staff and, where appropriate, we may
notify you of changes by e-mail.
It is intended that this policy is fully compliant with the data protection legislation. However, if any conflict arises
between the data protection legislation and this policy, the Company will comply with the data protection legislation.
This policy may also be made available to the Information Commissioner’s Office on request.
Darren Burnett
March 2025
I acknowledge receipt of this data protection policy, and I confirm that I have read and understood it. I understand
that I am responsible for complying with the terms of this policy.
Signed: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Print name: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dated: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

• your name, address and contact details, including email address and telephone number, date of birth
  and gender
• the terms and conditions of your employment
• details of your qualifications, skills, experienced employment history
• including start and end dates, with previous employers and with the organisation;
• information about your remuneration, including entitlement to benefits such as pensions or insurance
  cover;
• details of your bank account and national insurance number;
• information about your maritalstatus, next of kin, dependents and emergency contacts;
• information about your nationality and entitlement to work in the UK;
• information about your criminal record;
• details of yourschedule (days of work and working hours) and attendance at work;
• details of periods of leave taken by you, including holiday,sickness absence, family leave and
  sabbaticals, and the reasonsforthe leave;
• details of any disciplinary or grievance procedures in which you have been involved, including any
  warnings issued to you and related correspondence;
• assessments of your performance, including appraisals, performance reviews and ratings,
  performance improvement plans and related correspondence;
• information about medical or health conditions, including whether or not you have a disability for which
  the organisation needsto make reasonable adjustments; and
• equal opportunities monitoring information, including information about your ethnic origin,sexual
  orientation, health and religion or belief.
  The organisation may collect thisinformation in a variety of ways. For example, data might be collected through
  application forms, CVs or resumes; obtained from your passport or other identity documents such as your
  driving license; from forms completed by you at the start of or during employment(such as benefit nomination
  forms); from correspondence with you; or through interviews, meetings or other assessments.
  The organisation seeks information from third parties with your consent only.
  Data will be stored in a range of different places, including in your personnel file, in the organisation’s HR
  management systems and in other IT systems (including the organisation’s email system).
  Why does the organisation process personal data?
  The organisation needsto process data to enter into an employment contract with you and to meet its
  obligations under your employment contract. For example, it needsto process your data to provide you with an
  employment contract, to pay you in accordance with your employment contract and to administer benefit,
  pension and insurance entitlements.
  In some cases, the organisation needs to process data to ensure that it is complying with itslegal obligations.
  For example, it isrequired to check an employee’s entitlement to work in the UK, to deduct tax, to comply with
  health and safety laws and to enable employees to take periods of leave to which they are entitled.
  In other cases, the organisation has a legitimate interest in processing personal data before, during and after
  the end of the employment relationship. Processing employee data allowsthe organisation to:
• run recruitment and promotion processes;
• maintain accurate and up-to-date employment records and contact details (including details of who to
  contactin the event of an emergency), and records of employee contractual and statutory rights;
• operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct
  within the workplace;
• operate and keep a record of employee performance and related processes, to plan for career
  development, and for succession planning and workforce management purposes;
• operate and keep a record of absence and absence management procedures, to allow effective
  workforcemanagement and ensure that employees are receiving the pay or other benefitsto which
  they are entitled;
• obtain occupational health advice, to ensure that it complies with duties in relation to individuals with
  disabilities, meet its obligations under health and safety law, and ensure that employees are receiving
  the pay or other benefits to which they are entitled;
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and
  shared parental leave),to allow effective workforce management,to ensure thatthe organisation
  complies with duties in relation to leave entitlement, and to ensure that employees are receiving the
  pay or other benefits to which they are entitled;
• ensure effective general HR and business administration;
• provide references on request for current orformer employees;
• respond to and defend against legal claims; and
• maintain and promote equality in the workplace.
  Some special categories of personal data, such as information about health or medical conditions, is
  processed to carry out employment law obligations (such asthose in relation to employees with disabilities).
  Where the organisation processes otherspecial categories of personal data,such asinformation about ethnic
  origin,sexual orientation, health orreligion or belief,thisis done forthe purposes of equal opportunities
  monitoring. Data thatthe organisation usesforthese purposesis anonymised oris collected with the express
  consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or
  not to provide such data and there are no consequences of failing to do so.
  Who has access to data?
  Your information may be shared internally, including with HR, payroll, your line manager, managers in the
  business area in which you work and IT staff if accessto the data is necessary for performance of theirroles.
  The organisation shares your data with third partiesin order to obtain pre- employment referencesfrom other
  employers, obtain employment background checksfrom third-party providers and obtain necessary criminal
  records checksfrom the Disclosure and Barring Service. The organisation may also share your data with third
  partiesin the context of a sale ofsome or all of its business. In those circumstances the data will be subject to
  confidentiality arrangements.
  The organisation also shares your data with third partiesthat process data on its behalf, in connection with
  payroll, the provision of benefits and the provision of occupational health services.
  Your data may be transferred to countries outside the European Economic Area (EEA) to where any of our
  clients have processing centres. Data is transferred outside the EEA on the basis of binding corporate rules.
  How does the organisation protect data?
  The organisation takes the security of your data seriously. The organisation hasinternal policies and controlsin
  place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not
  accessed except by its employees in the performance of their duties. Internal policies include;
• Confidentiality Obligations
• IT and Data Protection Policy
• Personal Records and Employee Data Policy
• Social Media Policy
  Where the organisation engagesthird partiesto process personal data on its behalf, they do so on the basis of
  written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and
  organisational measures to ensure the security of data.
  For how long does the organisation keep data?
  The organisation will hold your personal data for the duration of your employment. The periods for which your
  data is held afterthe end of employment are two yearsfollowing yourtermination date.
  Yourrights
  As a data subject, you have a number ofrights. You can:
• access and obtain a copy of your data on request;
• require the organisation to change incorrect or incomplete data;
• require the organisation to delete or stop processing your data, for example where the data is no longer
  necessary forthe purposes of processing; and
• object to the processing of your data where the organisation is relying on its legitimate interests as the
  legal ground for processing.
  If you would like to exercise any of these rights, please contact Lisa Norton, SHEQ Manager via email at;
  lisa@artisanrecruitmentgroup.com
  If you believe that the organisation has not complied with your data protection rights, you can complain to the
  Information Commissioner.
  What if you do not provide personal data?
  You have some obligations under your employment contract to provide the organisation with data. In particular,
  you are required to report absencesfrom work andmay be required to provide information about disciplinary or
  other matters under the implied duty of good faith. You may also have to provide the organisation with data to
  exercise yourstatutory rights,such asin relation to statutory leave entitlements. Failing to provide the data may
  mean that you are unable to exercise your statutory rights.
  Certain information,such as contact details, your right to work in the UK and payment details, must be
  provided to enable the organisation to enter a contract of employment with you. If you do not provide other
  information, this will hinder the organisation’s ability to administer the rights and obligations arising as a result
  of the employment relationship efficiently.
  Automated decision-making
  Employment decisions are not based solely on automated decision-making.
  Signed:
  Name: Darren Burnett
  Date: March 2025