GDPR Privacy statement

​Data Privacy Manager (DPM) – Andy Simpson /

GDPR Privacy statement 

About GDPR

The General Data Protection Regulation comes into force on 25th May 2018 and supersede the prior UK Data Protection Act.

The new regulations give customers greater rights with regards to the data they give to businesses they deal with. In order for any business to retain your data, they will have to obtain an “opt-in” notice from you.

In practice, the main areas affecting our candidates are the following:

You can:

Ask for a data subject access request – we will provide you with all electronic communications and data we have on you, wherever possible, for free. We will respond within 1 month

You can require us to completely remove all your data from all of our systems (exceptions apply, see below)

How do we store your data?

All of our business uses a secure desktop environment for all candidate and client data processing, and everything is stored in the cloud with providers who meet the necessary standards and criteria set out under GDPR.

We do need to make you aware that we use G-Suite from Google for various business applications and therefore that data is stored in North America, and not in the EU.

Mobile devices have an enforced security policy that means they are locked, and they can be remotely wiped if lost, stolen, or otherwise compromised.

Any system breaches will be reported to the Information Commissioners Office within 72 hours of us becoming aware of the breach.

What data do we get from you?

As a recruitment business, it is necessary for us to obtain, at the very least, your CV and contact details, in order to represent you to opportunities that may be of interest to you.

That’s usually it, but please do take a look at the exceptions section below as well.

How do we obtain your data?

When you apply for an advertised position

We already hold it from an historical application

Referrals from friends or colleagues of yours

From public social networking sites such as Linkedin or Xing

What happens when we obtain your data?

You will receive a communication from us which will require you to opt-in in order for us to hold your data on our systems. If you do not opt-in, we will be required to automatically delete your data.

Our policy is to do this on a monthly basis, but we may follow up with you before that happens to ensure you are aware of what is happening.

What do we do with your data?

We will never share your contact details with a client without first letting you know and gaining your consent to do so.

Your CV can be submitted to our clients or shared with internal contacts at Energon People for other positions, if deemed suitable. Everything we do is tracked on our CRM system.

In some cases, our clients use 3rd party software to manage their recruitment process. In this instance, the 3rd party will have your data if we submit you, and they are operating as a data processor, and possibly also as a data controller. If they hold your data, they will be required to let you know and gain your consent if they intend to keep it.

Data retention & deletion – Privacy by design

We will automatically delete all emails that are older than 365 days.

All downloaded CVs and/ or candidate records are held on our database for 2 years minimum, unless you request deletion earlier, before then being deleted.

Any data records held on Energon People Recruitments cloud servers will be checked and deleted on a quarterly basis.


Data – In general, it is unlikely we will ever need to ask you for anything other than your CV, phone number and email address. However, if we do place you in a permanent position, it may be necessary to obtain documentation as required by either UK/ EU law and/ or our client, to demonstrate your Right To Work in the EU for example, and potentially other means of verifying your identity, such as a utility bill.

If we place you in a contract or interim position, it will be necessary to obtain further information, such as (including but not limited to) your Limited/ Umbrella company information and bank details, as well as proof of right to work and ID etc.

In either of these scenarios, we will hold your basic data (CV, notes, contact information) on our systems indefinitely, for legitimate business interest, as we need to maintain our business records. We can, of course, remove any specific item, such as a copy of a passport, from our systems, once the necessary legal compliance timescales are surpassed (7 years in many cases).

3rd Parties – we will never share your data with 3rd parties outside of Energon People Recruitment Group (which includes The BTN), other than with clients and their data processors, without your consent.