Introduction
This privacy notice is issued on behalf of ERSG Holdings Ltd and all of its subsidiaries.
ERSG Holdings Ltd is registered in the United Kingdom with registration number 09147252, the registered address is 8th Floor, North Tower, 26, Elmfield Road, Bromley, United Kingdom, BR1 1WA.
By submitting any information to us, or by otherwise accessing or using our websites (ersg.co.uk, ersg.nl, ersgtimesheets.com, ersg-global.us, ersg-global.de and any subdomains) (‘websites’), you agree to the terms of this Privacy Policy and consent to the policies and practices described herein for ERSG’s processing of personal data.
Please read this Privacy Policy so that you understand our practices, the protections we put in place and your rights regarding your personal data. We process your personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
Definitions
In this policy the following terms have the following meanings:
‘company’ means ERSG Limited.
‘consent’ means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘data processor’ means an individual or organisation which processes personal data on behalf of the data controller;
‘group’ means ERSG Holdings Limited and its subsidiaries including but not limited to ERSG Limited, ERSG BV, ERSG GmbH and ERSG US Holdings, Inc.
‘personal data’ means any information relating to an individual, being a natural person, who can be identified, such as by a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to an individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual;
‘sensitive personal data’ *means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sex life or sexual orientation and an individual’s criminal convictions;
*For the purposes of this policy we use the term ‘personal data’ to include ‘sensitive personal data’ except
where we specifically need to refer to sensitive personal data.
‘Supervisory authority’ means an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).
Data Controller
ERSG Ltd is registered as a data controller with the Information Commissioners Office (https://ico.org.uk) with reference Z287000X.
What we collect
The Company collects information from our users at several different points on our website. We are the sole owner of the information collected on this site. The Company processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the data protection laws. We will not sell, share, or rent this information to others.
If you register with us, you will be required to provide personal data. The GDPR applies to ‘personal data’
as defined above.
How we use your data
We only process the minimal amount of personal data that is necessary for the relevant purpose(s). The relevant purposes include:
•work finding solutions for candidates;
•fulfilment of contracts between you and us or us and our clients;
•to send your information to clients to apply for and assess your suitability for roles;
•from time to time we may use the information you provide to notify you of potential roles or notify you of new services or offers;
•to third parties we have contracted with, to provide services that you or a client have requested, including reference and qualification checking and background checking services. Before we pass your details to any third parties we will ask for your explicit consent either verbally or in writing. The contracts we have with suppliers continue to protect your rights;
•Internal staff administration, including recruitment, contractual obligations, training and payroll;
•Advertising, marketing and public relations;
•Accounts and records;
•Administration and processing of clients’ personal data for the purposes of supplying/introducing
work-seekers;
We only store your personal data for as long as it is necessary or as is required by law.
Security
We are committed to ensuring that your information is secure. To protect your personal data from unauthorised access we have put in place policies and procedures as well as physical and electronic safeguards.
We are committed to quality procedures and to demonstrate this our management processes are certified to BS EN ISO 9001: 2015.
When registering with our website (or any other) you should use a strong, secure password and try not to use the same password anywhere else. A strong password includes a mixture of uppercase letters, lower case letters, numbers and punctuation. You are solely responsible for the security and proper use of the password, which should be kept confidential at all times and not disclosed to anyone. We never have access to your passwords.
Cookies
Our site may use ‘cookies’ to enhance the user experience.
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
Enabling these cookies is not strictly necessary for the website to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do then some features of the website may not work as intended.
The cookies are used for:
•our own analytics purposes, to understand how our website is used in aggregate;
•to handle sessions when you are logged into our website to provide continuity and personally relevant information as you navigate around our site.
Legal bases for processing
The Company will only process personal data where it has a legal basis for doing so. Where the Company does not have a legal reason for processing personal data any processing will be a breach of the Data Protection Laws.
The Company will review the personal data it holds on a regular basis to ensure it is being lawfully processed and it is accurate, relevant and up to date.
Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as umbrella companies, persons making an enquiry or complaint and any other third party (such as software solutions providers and back office support)), the Company will establish that it has a legal reason for making the transfer and that all of your rights remain protected.
Our legal basis for processing personal data is as follows:
•for the purposes of our legitimate interests or those of a third party;
•for the performance of a contract to which you are party or to take steps to enter into a contract;
•for compliance with a legal obligation to which we are subject. This includes for the purposes of detecting crime, the collection of taxes or duties, and to comply with any applicable law;
•where you give your consent to the processing of your personal data for specific purposes. If we rely on your consent we will request it either verbally, by email or an online process and record the response on our systems. Where consent is our legal basis for processing you may withdraw consent at any time. Please refer to the Your Rights section of this Policy for details of how to contact us should you wish to withdraw consent.
We may not be able to enter into a contract with you if certain information is not provided to us. If you refuse to provide the necessary information we have the right to refuse to enter into that contract.
Where is your data held?
Your data is held and processed by our staff entirely in the United Kingdom and European Economic Area (“EEA”). It may be processed outside of the EEA in certain circumstances. This will only happen if one of our clients or service providers is located outside of the United Kingdom.
If we transfer your information outside of the EEA in this way, we will take the appropriate steps to ensure that your privacy rights continue to be protected. In addition, if you use our services while you are outside the EEA, your information may be transferred outside the EEA to provide you with those services.
How long do we retain your data?
ERSG will only retain your data for as long as it is necessary to fulfil the purpose it was collected for, as well satisfying any legal, accounting, or reporting requirements which are dependent upon your relationship to ERSG.
Third Party Processors
The third-party processors that we use are Purple Penguin Media, Bullhorn, RSM and Google Analytics; they comply with relevant legislation to process personal data on our behalf. For the avoidance of doubt, our third-party Data Processors and the Group each have their own, independently determined privacy policies, notices and procedures for the personal data they hold and are each a data controller in their own right (and not joint data controllers).
•Purple Penguin Media develops, maintains and hosts the part of our website that handles the candidate registration and job search. Our agreement with Purple Penguin Media ensures that they abide with all applicable data protection legislation.
•RSM processes our timesheets and expenses for payment and billing. Our agreement with them ensures that they abide by the data protection legislation as a processor of our data.
•Bullhorn provides a CRM system to manage our data. Our agreement with them ensures they process our data as instructed and abide by all relevant data protection legislation. Since Bullhorn is a multi-national company with data centres in Europe and the USA, they may have a need to transfer data outside the EEA for processing. This will only be in exceptional circumstances and we have ensured that they have adequate provisions in place in the USA to protect your data.
•Google Analytics use cookies to evaluate your use of our website and compile reports for users’ activity on our website. For more information on the usage of cookies by Google Analytics please see the Google website. A link to the privacy advice for this product is provided for your convenience: https://google.com/analytics/learn/privacy.html. This data is compiled to provide aggregate data about the use of our website.
Your rights
You have the right to be informed about the personal data the Company processes on you;
Marketing: You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data.
Subject Access Requests: You may request access to the information we hold about you at any time. We may ask you to verify your identity and for more information about your request. We will seek to act on your request in the timescale required by applicable data protection laws.
Rectification: We will use reasonable endeavours to ensure that your personal data is maintained and up to date. However, you are under a duty to inform us of any and all changes to your personal data to ensure that it is up to date and we will update or delete your personal data accordingly.
Erasure: You have the right to ask us to erase your data. If you ask us to erase your data, we will ask if you want to be removed entirely from our database or kept on a list of individuals who do not want to be contacted. If we have a legal basis for holding your data other than consent we may need to keep some or all of your personal data for a certain period, e.g. if you have worked for us we will need to keep accounting and financial records regarding your payments as required by accounting practices and legislation. Where we are legally permitted to do so, we may refuse your request and will give you reasons for doing so.
Data Portability: You have the right to receive your personal data which you have provided to the Company in a structured, commonly used and machine-readable format, where the processing is based on your consent or a contract.
Withdraw Consent: Where we process your data on the basis of consent you have provided to us, you have the right to withdraw your consent at any time and have such data deleted. Where we are legally permitted to do so, we may refuse your request and will give you reasons for doing so.
Profiling: You have the right not to be subjected to automated decision making and profiling.
If you wish to exercise any of these rights or raise a complaint on how we have handled your personal data, you can contact us on [email protected] or write to the Directors of the Group at our registered address.
If you are not satisfied with our response or any of our data processing activities, you can complain to the Information Commissioners Office. The latest contact details can be located on their website (https://ico.org.uk).
Changes to our Privacy Policy
Any changes to this privacy policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances if any, we disclose it. Where appropriate, we may notify you by email of the changes. Please check back frequently to see any updates or changes to our Privacy Policy.
Policy Published 16th April 2019