GDPR at the ITHR Group

Who we are

For a full list of the Companies within the ITHR Group with the relevant addresses and further information on our brands please click here.

Data Privacy Notice

The ITHR Group plc and its brands and subsidiaries are fully committed to ensuring that your data is protected to the highest standards in line with The General Data Protection Regulations (“GDPR”) and APSCO or REC directives.
These are formulated by us into best practices, systems and processes for your Data Privacy. In line with the GDPR article 13, This Privacy Notice explains how we do this and our approach with regards to the privacy of your information. It lets you know what categories of personal data are collected and where from, as well as how and why your data is handled and processed by the ITHR Group in its capacity as a “Data Controller” (for definition see GDPR Article 4.7).

Why we collect your personal data

As a well-established Recruitment Agency and employment business with subsidiaries affiliated to the globally recognised bodies of the REC and APSCO, the ITHR Group determine our collection and processing of your data to be within the lawful basis of our legitimate interests.
As this document explains further, the categories of personal data collected and processed is always minimal, relevant and appropriate to the services we provide. We collect this data for 2 key reasons:
Candidate data: We collect data from Candidates in order to provide work finding services within our capacity as an agency or employment business as defined in The Conduct of Employment Agencies and Employment Businesses Regulations 2003 - Part 1(2)
We do not act on behalf of any marketing agencies or share your data with any 3rd. party that could not be legitimately and feasibly considered as being for the purpose of providing work finding services or recruitment services.
Client data: We collect data from Clients more specifically individuals at the Clients organisation in the course of providing recruitment services; usually centred around finding Candidates who may be of interest to their organisation on a Permanent or Contract basis, or as part of a wider Professional Services offering.
In all cases the level of data the ITHR Group will process will be in line with the GDPR Article 5(c) principles and limited to what is adequate, relevant and limited only to what is necessary.
To ensure that we provide you with the best service possible, we store your personal data and/or the personal data of individual contacts at your organisation as well as keeping records of our conversations, meetings, registered jobs and placements. From time to time, we may also ask you to undertake a customer satisfaction survey. We think this is reasonable – we deem these uses of your data to be necessary for our legitimate interests as an organisation providing various recruitment services to you.

Our basis for processing your Data

We acknowledge that your data must be handled within the principles of “fair processing” as outlined in the GDPR article 5.
The ITHR Group only collect the data that is required for legitimate purposes, and the level of data processed is determined by the minimum requirement necessary to facilitate work finding services and recruitment services for you as Clients and Candidates.
There will be different bases for the processing of diverse data at the different stages of the recruitment process as it develops. As a general rule; the further we all progress with your recruitment process - the more data that we will need to process for you, especially if you are a Candidate.
Broadly speaking, the basis for our data processing will fall under the 4 legal grounds of either;
a) Legitimate interest, b) Consent, c) performance of a Contract (or to take steps to enter into a contract) or d) Legal obligation.
We believe these grounds as defined in the GDPR Article (6) will not override your rights or interests as an individual. In fact, we strongly hope that they form a basis whereby we as a Group always align with your interests and career goals or recruitment objectives.
These lawful grounds are referenced further on along with the scenarios in which they are applicable

How we collect your personal data

The personal data we process for Clients and Candidates is strictly only collected or received in 2 classifiable ways, being: br 1) Personal data that you share with us directly –These ways may include any of the following channels:
-Sending your CV to us or allowing us admission to a personal shared portal or drive to access your CV
-Applying to a job advertisement via any of the ITHR Group websites or an aggregator site that directs you to an ITHR Group website
- Entering your details and/or uploading your CV onto any of the ITHR Group Websites Contact Us.
-Meeting with an ITHR Group Consultant and providing your details or a hard copy of your CV to them or your contact details for future recruitment services engagement
-Initiating contact with an ITHR Consultant by phone or email or from within a social media network or channel

2) Personal data that we receive from other sources or 3rd parties – These ways in which we collect data may include the following circumstances:
-An ITHR Group Consultant may receive personal data about you from a profile that you have created and made searchable and publicly accessible on a job board, website or within a Social network such as Linkedin.
-Applying to a job advertisement via any of the Job boards utilised by the ITHR Group Plc on behalf of our Clients to publicise their job vacancies.
-Clients of the ITHR Group plc may share relevant or necessary personal information about you
-Referees that you provide may disclose personal information about you in line with applicable laws or our Clients recruitment process requirements
- A colleague or former employer may provide your contact details to us by way of Recommendation or Referral due to your potential suitability as a Candidate or Client
- “Connecting”, “following” or “liking” any of the ITHR Company Social media pages publicly available on such sites or networks as Linkedin, Twitter or Facebook will enable us to receive certain aspects of your personal information wholly dependent on the privacy levels you choose through your respective profile settings
-If a Client or its associated RPO/MSP or Candidate refers you to us for purposes of recruitment services

Ways in which we process your personal data

The ways in which we process your personal data fall into 2 distinct but interrelated categories:
A) Recruitment Activities
Candidate Work finding services / Client Recruitment Services
In order to provide work finding or recruitment services to you in our capacity as an agency or employment business to you in your position as either a Client or a Candidate. These will be centred around Contract or Permanent recruitment, Professional Services or Recruitment Process Outsourcing / Managed Service Provision.
We may contact you about specific job opportunities in order to assist or optimise our work finding services to you.
Similarly, we may contact you to update the personal data we hold for you and to ascertain your current work finding requirements or recruitment needs. This will also facilitate your Right to Rectification under the GDPR (Article 16)
The ITHR Group holds the ISO 9001 certification which mandates a principal of continuous improvement in all aspects of our business. For this reason, we will also utilise your personal data when appropriate to send you Client and Candidate customer satisfaction surveys in a continual initiative to refine our practices.
B) Marketing purposes
In general, the ITHR Group plc may send you targeted marketing collateral or other such communications designed to increase our efficiency of service to you and our understanding of your recruitment needs and timeframes; whether as an existing or potential Client or Candidate.
We may also use this considered approach to introduce brands and services from the full range available within The ITHR Group portfolio that we reasonably estimate would be relevant to you.
Alongside this we may also send you material that we believe you may find interesting as part of our service to you; for example, information on networking events or reports on industry related topics.
The ITHR Group do not consider that email updates to Candidates with relevant job opportunities constitutes by definition “marketing” as it is part of our means of effectively providing work finding services for them.

The Categories of data we collect

In accordance with principles 2. And 5. of the GDPR –
the data we collect is adequate and necessary and limited for its purpose to enhance and inform our ability to on one hand crucially understand your requirements for recruitment activities as a Client, and on the other to assess your suitability as a Candidate and align your career preferences in relation to the vacancies we undertake on behalf of our Client portfolio.
A) The personal information about you we may collect and process to align these 2 demarcated purposes is laid out here:

Type of DataCollect From Client?Collect From Candidate?
Address (business)
Address (personal)  
Contact number(s) / Skype ID
Email Address
Email Log
CV or Work Summary  
Education or Training Doccuments  
Records of all recruitment related information

Please note that the ITHR Group do not collect any type of what is termed “Special personal data” (Previously referred to in section 2 of the Data Protection Act 1998 as “sensitive personal data”) under the GDPR unless we are legally obliged to do so or by your Consent. Personal data relating to ethnic origin insofar as it may be discerned from your passport details may be collected in line with Right to Work Legislation: The Conduct of Employment Agencies and Employment Businesses Regulations 2003 or the Immigration, Asylum and Nationality Act 2006.
As the recruitment process progresses there may be further personal data that we are obligated to obtain from you as the Candidate - mostly at the post placement stage during your Client on boarding or pre-employment screening (PES) process as outlined below in section B) Please note that although Right to Work related personal data will usually be collected by us, further information such as financial credit checks and CRB checks may be carried out in partnership with GDPR compliant 3rd party organisations where necessary.
These Suppliers are under agreement that they will not be permitted to use your data for other purposes.
We will inform you of these extra data requirements at the correct times as they may be dependent on; legal obligations set by UK Government legislation or EAA regulations or health and safety directives.
If we are engaging with Clients for roles within the Financial, Defence, Health or Public sectors there may also be extra mandatory data requirements imposed upon us as governed by legal and regulatory bodies and/or Security Clearance prerequisites. Find these marked with * on the list below.
B) Categories of personal data that we may collect in these instances are set out below:
-References (further to references we may have already obtained)
-Proof of addresses (possibly including address history) *
-Passport (or equivalent such as visa or permits)
-Travel history (usually within defined time parameters) *
-N I number
-Date of birth (as well as birth certificate) *
-Proof of bank account
-Bank account details
-Criminal record / Court Orders history *
- Financial Credit history *
-Medical information *

Who we share data with

In order to deliver work finding services solutions for you it is fundamental that we exchange data between Candidates and Clients. The ITHR Group ensure that this is done within the framework of a controlled and compliant methodology.
The level of personal data we share is allied solely to the recruitment process and is only shared when strictly necessary to the initiation or advancement of the recruitment cycle.
Crucially, this sharing of personal data will strictly not take place unless we have gained your explicit consent to do so.
In Candidate terms: this means we will not send your CV to a Client without having obtained your explicit consent
ITHR Group Plc only ever share data with other organisations within the context of a recruitment process and / or in the provision of work finding services.
Before a Sales Consultant shares any of your data with a Client or 3rd party for these purposes, we ensure that we have obtained Consent from you to do so.
If you have, as a Candidate (or “Worker”), provided your services via us by means of a Limited or Umbrella Company without us operating PAYE we legally must share certain elements of your data with HMRC in our position as the “intermediary”. This may involve providing this data to the Umbrella Company you designated.
If ITHR Group Plc are providing recruitment services to an end client via an RPO or MSP we are contractually and legally obliged for them to act as the “data processor” or “joint Controller” or “intermediary” and therefore provide them with the aforementioned data.
For further information regarding HMRC intermediary reporting please click this link.
In Client terms: The ITHR Group may process information relating to Credit referencing to inform decisions around credit and financial assessment. Insofar as this being necessary we may have to share and further process relevant data with our financiers and/or credit reference agencies.

Where we hold your personal data

ITHR Group Plc hold your personal data on our recruitment services specific databases warehoused on our in-house secure servers based in the UK. Our database supplier has attained the ISO27001:2013 certification which is the most stringent globally recognised standard for information security controls and management.
Our Swan specialist ERP/SAP recruitment practice operates both a UK and a South Africa office. If you are a Candidate or Client of Swan your database record may be accessible to the Swan South Africa team which is located outside of the EAA. If you have any questions about this please contact us on the link at the end of this document, however do rest assured that all of the ITHR Group offices and staff are governed by the same GDPR compliant procedures and best practices.
Any information that you provide to us in hardcopy is securely handled in line with our documented internal employee procedures by our trained staff.

How long we keep your data for

The ITHR Group abide by principle 5 Of the GDPR which decrees that personal data must not be kept longer than needed.
We believe that our standard data retention policy of 5 years is reasonable and in line with expectation for us to adequately and legitimately provide our services for jobseekers and Clients alike.
If you have been successfully placed in a Contract, the ITHR Group will be under legal obligation to retain information for up to 6 years in line with the statute of limitations. This includes, but is not limited to, ensuring you have the ongoing right to work in the UK and to comply with HMRC requirements regarding payroll information. During this time, we will ensure to do everything we can to ensure that the data we retain about you is up to date and accurate to ensure our commitment to upholding the GDPR principle 4.
In any event - If after the timeframes outlined above there has been no meaningful interaction between us, such as any contact regarding work finding services or recruitment services, we will delete your personal data.

Our assurances to you regarding your personal data privacy

ITHR Group only processes your personal data in the provision of work finding services and never uses it in any other way. We do not share your information with any 3rd parties for any other reason than for Client and Candidate specific recruitment activities.
Further – we do not asses any aspect of your personal data by solely automated decision making mechanisms and do not utilise this data in order to operate any form of profiling (as defined in article 22 of the GDPR).
Human decision making delivered through the expertise of ITHR Group Consultants under our best practice guidelines drives every aspect of our recruitment services offering. Our recruitment processes are underpinned by the GDPR as well as REC and APSCO policies throughout our provision of work finding and recruitment services to you.

Your Data Rights

The ITHR Group fully respect and support your rights as a “data subject” as laid out in the GDPR Articles 12 – 23.


As previously mentioned, the ITHR Group do not define us contacting you via email as a Client or Candidate with recruitment services or relevant job opportunities to be deemed as “marketing”, however we acknowledge your right not to be contacted regarding our services through this channel and the option to unsubscribe will be available to you on every email that we send.
You can also do this by clicking here and typing “unsubscribe” in the email subject line.

As outlined by the GDPR and clearly summarised by the ICO, you as a “Data subject” have rights in relation to your personal data:
These rights are laid out in the table below, along with the process to follow if you feel you would like to exercise them

Data right Principle Process or reference point Contact channel for enquiry ITHR Group Response timeframe
Right to be informed You are informed about the collection and use of your data in a transparent way The ITHR Group Privacy Statement [email protected] As soon as possible but within 10 working days
Right of access You have access to the data we retain about you Submit “Subject Access Request” to the ITHR Group [email protected] Type “Subject Access Request” in the email subject field One month
Right to rectification The data that we hold about you is accurate and complete Submit “Data Rectification Request” to the ITHR Group [email protected] Type “Rectification request” in the email subject field One month
Right to erasure The data that we retain about you may be erased Submit “Erasure Request” to the ITHR Group [email protected] Type “Erasure request” in the email subject field One month
Right to restrict processing The data we retain about you may be restricted Submit “Restriction Request” to the ITHR Group [email protected] Type “Restriction request” in the email subject field One month
Right to data portability The data we hold about you may be requested in a transportable format Submit “Data portability request” to the ITHR Group [email protected] Type “Data portability request” in the email subject field One month
Right to Object You may object to your data being used for direct marketing Submit “Unsubscribe request” to the ITHR Group [email protected] Type “unsubscribe” in the email subject field One month

Please note that if you wish to exercise your Right to erasure - to ensure that the ITHR Group and its employees do not accidentally contact you again through seeing your details on a 3rd party platform such as a Social network or a job board, it may be preferable for you to access your Right to restrict processing for you to be registered on our “Data suppression list”.
Data Security
The ITHR Group ensure to protect your data and operate the highest possible levels of data security both internally and in any dealings with 3rd parties as outlined above in relation to recruitment and work finding services. In the event of a data breach, in accordance with the GDPR (Recital 87) we will ensure to establish whether a personal breach has occurred and quickly address it. If the breach is deemed to be at a high risk of adversely affecting your rights as a Data subject, we will notify you within 72 hours or earlier if at all possible.
Please also be aware that your exercising of all of these data rights are subject to due process by the ITHR Group and review against the legal grounds upon which the purpose we may be processing the data is based, as outlined by the ICO.
For further details regarding this or indeed any of the paragraphs or clauses within this document, please don’t hesitate to contact us on [email protected] or +44 (0) 207 747 1000.