Euro London Appointments Data Protection Policy 2025

Contents

• Introduction
• Definitions
• Data processing under the UK Data Protection Laws
    1. The data protection principles
    2. Legal bases for processing
    3. Privacy by design and by default
• Rights of the Individual
    1. Privacy notices
    2. Subject access requests
    3. Rectification
    4. Erasure
    5. Restriction of processing
    6. Data portability
    7. Object to processing
    8. Enforcement of rights
    9. Automated decision making
• Personal data breaches
    1. Where the Company is the data controller
    2. Where the Company is the data processor
    3. Communicating personal data breaches to individuals
• The Human Rights Act 1998
• AI and Automated Decision-Making
• Complaints
Appendix
Annex - legal bases for processing personal data

Introduction

All organisations that process personal data are required to comply with UK data protection legislation. This includes the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (as amended), and associated guidance issued by the Information Commissioner’s Office (ICO). These laws give individuals certain rights over their personal data while imposing obligations on organisations that process such data.

As a recruitment business, the Company collects and processes both personal and special category data. This policy explains how the Company implements data protection in accordance with UK GDPR requirements.

Definitions

‘consent’ means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which they signify agreement to the processing of personal data.

‘data controller’ means the organisation that determines the purposes and means of the processing of personal data.

‘data processor’ means an organisation which processes personal data on behalf of the data controller.

‘personal data’ means any information relating to an identified or identifiable natural person.

‘special category data’ means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health, genetics, biometrics or sexual orientation.

‘personal data breach’ means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data.

‘processing’ means any operation performed on personal data, such as collection, storage, use or disclosure.

‘Supervisory authority’ means the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection.

Data Processing under the Data Protection Laws

The Company processes personal data in relation to its staff, candidates, and clients and acts as a data controller for such processing. The Company is registered with the Information Commissioner’s Office (ICO) under registration number Z788953X.

The Company may hold personal data for the following purposes:
• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Administration and processing of work-seekers’ personal data for providing work-finding services
• Administration and processing of clients’ personal data for supplying or introducing work-seekers

1. The Data Protection Principles

The Company complies with the data protection principles set out in Article 5 of the UK GDPR, ensuring that personal data is:
1. Processed lawfully, fairly, and transparently.
2. Collected for specified, explicit, and legitimate purposes.
3. Adequate, relevant, and limited to what is necessary.
4. Accurate and kept up to date.
5. Retained only as long as necessary.
6. Processed securely using appropriate technical and organisational measures.
7. The Company is responsible for demonstrating compliance with these principles.

2. Legal Bases for Processing

The Company processes personal data only where a lawful basis exists under the UK GDPR. These bases include consent, contract, legal obligation, vital interests, public task, or legitimate interests. Special category data is processed only where an additional condition applies, such as explicit consent or compliance with employment law obligations.

3. Privacy by Design and by Default

The Company integrates privacy and data protection considerations into all processing activities by default. Measures include data minimisation, pseudonymisation, encryption, access controls and regular security assessments.

Rights of the Individual

Individuals have the following rights under the UK GDPR:
• To be informed
• To access their data
• To rectification
• To erasure
• To restrict processing
• To data portability
• To object
• Rights regarding automated decision-making and profiling

Personal Data Breaches

All data breaches must be reported immediately to the Data Protection Officer. Where a breach presents a risk to individuals, the ICO will be notified within 72 hours, and affected individuals will be informed without undue delay if required.

The Human Rights Act 1998

In processing personal data, the Company respects individuals’ rights under the Human Rights Act 1998, including the right to privacy, freedom of expression, and protection from discrimination.

AI and Automated Decision-Making

Euro London Appointments does not engage in automated decision-making or candidate profiling that produces legal or similarly significant effects on individuals. Should this position change, the Company will ensure full compliance with UK GDPR, including appropriate safeguards, transparency and human oversight.

Complaints

If you have a complaint about how the Company handles your personal data, please contact:

Data Protection Officer: Miranda Maguire
Operations Director
Email: gdpr@eurolondon.com

If you are not satisfied with the response, you can raise your concern with the Information Commissioner’s Office (ICO) via www.ico.org.uk or by calling 0303 123 1113.

Annex -  Legal Bases for Processing Personal Data

a) The lawful bases for processing personal data are:
1. Consent
2. Contract
3. Legal obligation
4. Vital interests
5. Public task
6. Legitimate interests

b) Additional conditions for processing special category data include:
1. Explicit consent
2. Employment and social protection law obligations
3. Vital interests
4. Legal claims
5. Public interest
6. Health and social care
7. Archiving, research or statistical purpose