PRIVACY NOTICE FOR WEBSITE USERS

At Norton Loxley Ltd, we’re committed to protecting and respecting your privacy. This applies to our wider business as well as our website.

Our privacy notice below explains how, when and why we collect personal information about who visits our website – including how we use it and how we keep it secure.

Who are we?

We are a Human Resources and Recruitment Consultancy with the aim of providing a fresh take on HR and recruitment support to businesses. Our registered address Norton Loxley, 46 Park Place, Leeds, LS1 2RY and our telephone number is 01904 373105.

How do we collect information from you?

When you use our website, including when you contact us about our services or sign up for our newsletter, we collect information from you.

What type of information is collected from you?

We collect personal information that might include your IP address, geographical location, browser type, source of referral as well as which pages you looked at and for how long. It also includes contact information that you give us when you register with us so that we can send you email updates and newsletters.

How is your information used?

We may use your information to:

• improve your browsing experience by personalising the website;

• seek your views or comments on the services we provide;

• notify you of changes to our services;

• send you communications which you have requested and that may be of interest to you.

• provide third parties with statistical information about our users – but this information will not be used to identify any individual user;

• deal with enquiries and complaints (incredibly rare…) made by or about you relating to the website.

Who has access to your information?

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes other than what is set out in Disclosures.

Social Media

If you make comments or posts on social media (our Linkedin page, for example), then the rules of that platform apply, so please be aware that your comments or reactions could be made public.

If you add a comment to any of our own blogs or reviews, these will be shared with other users and the wider general public. So please don’t be offensive, insulting or defamatory. In addition, you’re responsible for ensuring that any comments you do make comply with relevant policies on acceptable use.

We don’t control any social media platforms, such as LinkedIn and Facebook so please make sure you review their privacy notices as well as the terms and conditions of any social media platforms you use. It’s important that you understand what they do with your information – and it means you can adjust your privacy settings if you don’t want things shared or in the public domain.

Disclosures

We may disclose information about you to any of our employees, officers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes as set out in this privacy notice.

In addition, we may disclose information about you:

• to the extent that we are required to do so by law;

• in connection with any legal proceedings or prospective legal proceedings;

• in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk); and

• to the purchaser (or prospective purchaser) of any business or asset which we are (or are contemplating) selling.

Peace of mind about your choices

We may contact you for marketing purposes by post, email or phone.

You can change your marketing preferences at any time by contacting us by email at sayhello@nortonloxley.com.

How you can access and update your information

If you change email address, or any of the other information we hold is inaccurate or out of date, please email us at sayhello@nortonloxley.com.

What we do to protect your personal information

When you give us personal information, we take great care to ensure that it’s treated securely.

We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We take great care to ensure any confidential information remains protected, but we cannot guarantee the security of data sent over the Internet.

Use of ‘cookies’ (not the interesting, edible kind)

Like many other websites, ours uses cookies – small pieces of information that enable us to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. Cookies help us to improve our website and deliver a better service.

We use both “session” cookies and “persistent” cookies on our websites. We will use the session cookies to keep track of how you move around our website and to monitor user behaviour for statistical and marketing purposes. We will use the persistent cookies so that we recognise you when you visit our website.

Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.

We use Google Analytics to analyse how our website is used. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website.

You can switch off cookies by changing your browser preferences. Be aware that this might affect functionality when using our website.

Links to other websites

Our website may contain links to other websites run by other organisations. This privacy notice applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit – we are not responsible for the privacy notices and practices of other websites, even if you access them using links from our website.

16 or Under

If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.

Review of this Privacy Notice

This Notice was last updated in February 2024.

We review our policies on a regular basis and may update this Privacy Notice by posting a new version on our website.

You should check this page occasionally to make sure you are happy with any changes. We may also notify you of changes to our privacy notice by email.

PRIVACY NOTICE FOR CANDIDATES & JOB SEEKERS

The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and current data protection legislation, and is committed to processing your data securely and transparently.

This privacy notice sets out, in line with data protection obligations, the types of data that we collect and hold on you as a job applicant. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

This Privacy notice should be read in conjunction with the Data Protection policy.

Data controller details

The Company is a data controller, meaning it determines the processes for handling your personal data. Our contact details are as follows: Managing Director, 46 Park Place, Leeds, LS1 2RY.

Data Protection Principles

• In relation to your personal data, we will:

• Process it fairly, lawfully and in a clear, transparent way.

• Collect your data only for reasons that we find proper for the course of your employment, in ways that have been explained to you.

• Only use it in the way that we have told you about

• Ensure it is correct and up to date.

• Keep your data for only as long as we need it.

• Process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed.

Types of data we process

We hold many types of data about you, including:

• Your personal details, including your name, address, date of birth, email address, and phone numbers

• Your photograph

• Gender

• Marital status

• Whether or not you have a disability

• Information included on your CV, including references, education history and employment history

• Documentation relating to your right to work in the UK

• Driving licence.

We may collect, store and use the following special category data:

• Race, religion, beliefs and sexual orientation: information about your race or ethnicity, religious or philosophical beliefs, sexual orientation and political opinions.

• Trade union membership.

• Health and medical: information about and connected with your health, any medical condition or disability, including:

o Sickness absence records;

o Accident at work records;

o Tailored adjustment records; and

o Correspondence with and information provided to and received from an occupational health service or other medical health professionals.

• Genetic and biometric data: information which includes genetic or biometric data.

How we collect your data

We collect data about you in a variety of ways, including information you would normally include in a CV or job application cover letter, or notes made by our recruiting officers during recruitment interviews.

Further information will be collected directly from you when you complete your forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation, such as your driving licence, passport or other right to work evidence.

In some cases, we will collect data about you from third parties, such as employment agencies, former employers, or credit reference agencies, when gathering references.

Personal data is kept in personnel files or within the Company’s IT systems.

Why we process your data

The law on data protection allows us to process your data for certain reasons only:

• In order to perform the employment contract that we are party to

• In order to carry out legally required duties

• In order for us to carry out our legitimate interests

• To protect your interests and

• Where something is done in the public interest.

All the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data.

We need to collect your data to ensure we are complying with legal requirements, such as:

• Carrying out checks in relation to your right to work in the UK.

• Making reasonable adjustments for disabled employees.

We also collect data to carry out activities that are in the legitimate interests of the Company. We have set these out below:

• Making decisions about who to offer employment to

• Making decisions about salary and other benefits

• Assessing training needs

• Dealing with legal claims made against us

If you are unsuccessful in obtaining employment, we will seek your consent to retain your data in case other suitable job vacancies arise in the Company for which we think you may wish to apply. You are free to withhold your consent to this, and there will be no consequences for withholding consent.

Special categories of data

Special categories of data are data relating to your:

• Health

• Sex life

• Sexual orientation

• Race

• Ethnic origin

• Political opinion

• Religion

• Trade union membership and

• Genetic and biometric data.

We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:

• You have given explicit consent to the processing

• We must process the data to carry out our legal obligations

• We must process data for reasons of substantial public interest

• You have already made the data public.

We will use your special category data for the purposes of equal opportunities monitoring.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent, and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time.

There will be no consequences where consent is withdrawn.

If you do not provide your data to us

One of the reasons for processing your data is to enable us to conduct an effective recruitment process. Whilst you are under no obligation to provide us with your data, we may not be able to process or continue with (as appropriate) your application.

Sharing your data

Your data will be shared with colleagues within the Company when necessary for them to perform their duties in relation to recruitment. This includes, for example, those who are responsible for screening your application and interviewing you.

In some cases, we will collect data about you from third parties, such as employment agencies.

Your data will be shared with third parties if you are successful in your job application. In these circumstances, we will share your data to obtain references as part of the recruitment process.

We do not share your data with bodies outside of the European Economic Area.

Protecting your data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

Where we share your data with third parties, we provide them with written instructions to ensure your data is held securely and in line with data protection requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

How long do we retain data

In line with data protection principles, we retain your data for as long as we require it, and this will depend on whether you are successful in obtaining employment with us.

If your application is not successful, we will keep your data for 12 months once the recruitment exercise ends. During this period, we may notify you of other potential suitable vacancies.

The data will be permanently deleted once it is no longer required for these purposes. We retain this information to manage the recruitment process, respond to queries, and for legal purposes.

Following the 12 month period, if you have given us consent to keep your data for future job vacancies, we will retain your personal data for a further 12 months for that purpose. You may withdraw your consent at any time. At the end of the applicable retention period, or earlier if your data is no longer required, we will securely delete or destroy your personal data unless we are required to retain it for longer to comply with legal obligations or in connection with legal claims.

If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you.

Automated decision making

No decision will be made about you solely based on automated decision-making (where a decision is taken about you using an electronic system without human involvement), which has a significant impact on you.

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold on you. These are:

• The right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice.

• The right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.

• The right to have any inaccuracies corrected. If any data that we hold about you is incomplete or inaccurate, you can request that we correct it.

• The right to have information deleted. If you would like us to stop processing your data, you have the right to request that it be deleted from our systems, where you believe there is no reason for us to continue processing it.

• The right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing it (whilst still holding it) until we have ensured the data is correct.

• The right to portability. You may transfer the data that we hold on you for your own purposes

• the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests.

• The right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision-making in a way that adversely affects your legal rights.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent.

However, in some cases, we may continue to use the data, where we are permitted to do so by having a legitimate reason,

If you wish to exercise any of the rights explained above, please contact Sian Whelan, 46 Park Place, Leeds, LS1 2RY.

PRIVACY NOTICE FOR CLIENTS AND SUPPLIERS

Norton Loxley Ltd is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently.

This privacy notice sets out, in line with GDPR, the types of data that we hold on you as a prospective client, client, employee of our client or supplier to the Company. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

Data controller details

Norton Loxley Ltd is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows:

Sian Whelan, Company Director, sayhello@nortonloxley.com.

Data protection principles

In relation to your personal data, we will:

• Process it fairly, lawfully and in a clear, transparent way.

• Collect your data only for reasons that we find proper for the course of our business relationship.

• Ensure it is correct and up to date.

• Keep your data for only as long as we need it.

• Process it in a way that ensures it will not be used for anything that you are not aware of or have not consented to (where appropriate).

Types of data we process

We process personal data about the following categories of people:

• Clients

• Potential clients

• Other people involved in client matters we are providing HR and recruitment services to

• Referrers of work

• Other third parties we (including our employers, contractors and suppliers) that we have a business relationship with.

We hold many types of data about you, including:

• Your personal details including your name, address, email address, phone numbers.

• Our contracts, correspondence and transaction history as a user of our services or as a supplier.

• Client data, including any information in relation to the services we are providing, business and company relationships, personal circumstances, employment background and circumstances, services provided to clients or could be provided to potential clients and employee or prospective employee relationships.

• Bank details.

• Letters, contracts, meeting minutes and other documentation relating to employment advice and support we provide to our clients.

• Lists of delegates for any training events.

• Any marketing and communication preferences.

How we collect your data

We process and collect data about you in a variety of ways for the purposes of providing HR and recruitment services to our clients and prospective clients or as a supplier to us.

In addition, data about you may be obtained from other workplace sources (including, company systems and correspondence) during the course of providing our services.

Personal data is kept in hard copy files, email correspondence or within our IT systems.

Why we process your data

The law on data protection allows us to process your data for certain reasons only:

• Where we have your consent.

• In order to perform the contract and services that we are party to

• In order to carry out legally required duties.

• In order for us to carry out our legitimate interests.

• To protect your interests or where it is processed in the public interest.

All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on performing our contractual obligations to process your data.

We also need to collect your data to ensure we are complying with any legal requirements.

We also collect data so that we can carry out activities which are in the legitimate interests of the Company.

If you have signed up to our newsletter via our website, you have explicitly consented to us processing your data.

Special categories of data

Special categories of data are data relating to your:

• health

• sex life

• sexual orientation

• race

• ethnic origin

• political opinion

• religion

• trade union membership

• genetic and biometric data.

We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:

• you have given explicit consent to the processing

• we must process the data in order to carry out our legal obligations

• we must process data for reasons of substantial public interest

• you have already made the data public.

We will use your special category data:

• as required in client workforce matters where relevant.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

If you do not provide your data to us

One of the reasons for processing your data is to allow us to carry out our duties in line with our services provided to you. If you do not provide us with the data needed to do this, we will be unable to perform our services and duties eg providing HR advice.

Sharing your data

We may share your data with third parties involved in providing our services, including (but not limited to) legal and professional advisers with whom we work with, subcontractors and services such as accountancy marketing support services.

Protecting your data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

We also limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know and who will only process your personal information on our instruction.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of our business relationship and for six years after our contract/s has ended for HMRC record keeping and the defence of potential legal claims.

Automated decision making

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold on you. These are:

• The right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice.

• The right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.

• The right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it.

• The right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.

• The right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.

• The right to portability. You may transfer the data that we hold on you for your own purposes.

• The right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests.

• The right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects your legal rights.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact the Data Controller listed above.

Making a complaint

We hope this privacy notice has been helpful in setting out how we handle your personal data. If you have any questions or a query that hasn’t been covered, please contact us by email in the first instance at sayhello@nortonloxley.com.

The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.

Last reviewed: February 2024