
GDPR Policy

Personal data we collect

1. Candidates

When you register with us as a candidate to provide work finding services to you, we process your personal data, including but not limited to your name, contact details, information from your CV as well as information you provide in relation to your right to work documentation (confirmation of your right to work in the UK and any conditions on it OR your identity documents to comply with right-to-work checks required by law).

 

Where permitted by law, we may also collect information relating to:

  • your health (for example, disability information for reasonable work adjustment purposes),
  • diversity information, including race, ethnic origin, sexual orientation and religion (for equal opportunity monitoring purposes), and
  • details of any unspent criminal convictions or educational records where required by a client or by us if you apply for a role with us.

If you use our website, click on links in emails we send to you, open or forward them, or sign up to receive job alerts or other content from us, we also collect personal data from those interactions.

We also obtain personal data about you from third parties, including:

  • referees - when you are offered a job;
  • former employers - to confirm dates of employment;
  • educational institutions - to check your academic qualifications;
  • the Disclosure and Barring Service or Disclosure Scotland - if we need to obtain details of unspent criminal convictions;
  • credit reference agencies - if we need to check your financial standing;
  • publicly available sources such as LinkedIn and social media sites to enhance the information we hold about you, in order to help us find more suitable roles for you;
  • clients to whom we have provided your CV and who have engaged with you as part of a job application or who have given feedback on your CV.
  • Clients or prospective Clients with whom we are negotiating, for the purpose of carrying out pre-contract negotiations, audits and other monitoring/assessment tasks.

2. Prospective Candidates

We collect personal data about you, including your name and contact details and professional biographical details obtained from publicly available sources such as LinkedIn and social media sites, so that we can contact you if we think you may be interested in our work finding services at a future date. We may also obtain your personal data through another candidate or an employer who recommends you as a contact. We may also obtain your personal data through Clients or prospective Clients with whom we are negotiating, for the purpose of carrying out pre-contract negotiations, audits and other monitoring/assessment tasks.

 

3. Users of our website or apps

We collect personal data such as your IP address and other data about your device which we need to provide our online content to you. We also collect data about your engagement with our website or apps such as the pages you view. If you contact us, we will also collect information about your enquiry. We use cookies and similar technologies to collect a lot of this information and our cookie policy tells you more about this.

 

4. Clients

We collect personal data such as your name, job title and contact details. We also process personal data about what communications we have had with you, including whether you have opened or forwarded any emails, newsletters or other content we have sent to you. We also process feedback that you provide about our candidates.

If you provide information to us about a candidate (for example, if you confirm a candidate has worked with you or if you provide a reference), then we will obtain your details from the candidate and we will keep a record of the personal data that you provide to us about that candidate.

We process personal data about you from public domain sources such as LinkedIn and social networking sites or because you were a delegate at one of our events or at an event where the event organiser is permitted to share delegate details with us.

 

5. Suppliers

We typically collect your name and contact details as a business contact for your organisation but sometimes we may need to obtain the details of Candidates for the purpose of carrying out pre-contract negotiations, audits and other monitoring/assessment tasks with our Clients or prospective Clients.

 

Providing your personal data

In some cases, it will be necessary for you to provide personal data to us. If you don’t provide us with the personal data we ask for, we may not be able to provide you with our services.

 

How we use your personal data

1. Candidates

We use your personal data to:

  • provide you with work finding services;
  • communicate with you;
  • enable you to upload your CV and apply for jobs;
  • personalise your experience by creating a candidate profile;
  • enable us to monitor equality and diversity;
  • provide you with interviewing and salary advice; and
  • send you direct marketing for the purposes of informing you about job opportunities, industry reports and insights, events, promotions and competitions, and other content in accordance with your marketing choices. We also run targeted and relevant banner advertising on our website and within your social networks to present you and people like you with jobs and content that we believe will be of interest. We target these ads based on your previous interactions with our website, emails and through your engagements with our consultants. Your interaction with our ads may be used to measure the effectiveness of our ad campaigns and to improve our marketing strategy.

  • Assist Clients or prospective Clients with market and financial analysis, contract negotiation, audits, pricing strategy, bids and tenders.
  • Confirm your right to work in the Location of Services and any conditions on it OR your identity documents to comply with right-to-work checks required by law.
  • Conduct background checks and any other specific compliance checks requested by our clients.

 

2. Prospective Candidates

We use your personal data to:

  • determine if you may be interested in our services and how we can assist you;
  • contact you and find out if you are interested in our services; and
  • assist Clients or prospective Clients with market and financial analysis, contract negotiation, audits, pricing strategy, bids and tenders.

 

3. Users of our website or apps

We may use your personal data to:

  • improve and personalise your experience when you use our website or apps;
  • personalise advertising you receive from us;
  • confirm your right to work in the Location of Services and any conditions on it OR your identity documents to comply with right-to-work checks required by law; and
  • conduct background checks and any other specific compliance checks requested by our clients.

 

4. Clients

We may use your personal data:

  •  to provide recruitment services to you;
  •  to communicate with you;
  • to get feedback from you on our services through client satisfaction surveys, in order to improve our services and to develop new services;
  • to maintain our business relationship with you;
  •  to answer your enquiries when you contact us;
  • to fulfil contractual obligations to you;
  •  to establish, exercise or defend legal claims; and
  •  for direct marketing purposes.

 

5. Suppliers

We use your personal data:

  • to communicate with you;
  •  to maintain our business relationship with you;
  • to answer your enquiries when you contact us;
  • to fulfil contractual obligations to you;
  • to establish, exercise or defend legal claims;
  •  for direct marketing purposes;
  • to confirm your right to work in the Location of Services and any conditions on it OR your identity documents to comply with right-to-work checks required by law; and
  • to conduct background checks and any other specific compliance checks requested by our clients.

You can unsubscribe from receiving marketing communications from us, using the unsubscribe methods contained in communications we send to you or by contacting us. We have also established a marketing preference centre where you can view and make decisions about your marketing preferences and opt out of receiving marketing from us at any time.

 

Legal Grounds for processing your Personal Data

Under the GDPR, we rely on the following legal grounds to process your personal data:

(a)    Performing a contract - where, in order to perform our obligations under a contract with you or to take steps at your request to enter into a contract with us, it is necessary for us to process your personal data;

(b)    Compliance with a legal obligation - where we need to process your personal data to comply with legal or regulatory obligations.

(c)    Our legitimate interests or those of a third party - including:

  • providing our services to you;
  •  responding to your requests and enquiries;
  •  optimising the performance of our website and user experience;
  • informing you about our services; and
  • ensuring that our operations are conducted in an efficient manner.

(d)    Consent - in some circumstances, we will ask for your consent to process your personal data in a particular way, for example if you create a user profile or register for our job alerts or other content. To the extent that we are processing your personal data based on your consent, you have the right to withdraw your consent at any time. Please contact us if you would like to withdraw your consent.

 

Automated Decision Making

We use a CV parsing tool that enables us to filter through CVs when we receive many applications for roles that we advertise, and to enter relevant key words such as years of experience or field of practice. It then analyses all the CVs uploaded into it and delivers a smaller pool of candidates by matching the key words in candidates’ CVs and ranking the candidates according to their suitability for the role. By doing this, it also eliminates candidates who do not meet the search criteria. Our legal basis for this processing activity is necessity for entering into a contract.

 

As part of its compliance processes, ERSG’s third-party compliance software, including Tifo, may conduct automated checks on personal data to expedite verification processes, such as right-to-work and background checks. While automated processes are in place to ensure efficient and compliant service delivery, decisions are not based solely on automated processing that has a significant impact on individuals.

 

You have the right to object to the use of automated decision making and to request human intervention. If you would like to exercise this right, please contact us.

 

 

Who we share your personal data with

In certain circumstances we will share your personal data with:

Other companies within our Group

ERSG is part of the ERSG Holdings Group of companies, which operates globally. We may share your personal data with, or give access to it to, other companies within ERSG Holdings Group in the EEA. The UK recognises that after Brexit, countries in the EEA provide adequate protection for personal data.

We have in place an intra-group data transfer agreement containing clauses approved by the European Commission which permit cross-border transfers of personal data from within the EEA to third countries outside the EEA (as data protection laws outside the EEA may not provide an equivalent level of protection to EEA data protection laws).

 

Where we need to transfer personal data from any ERSG Holdings Group company outside the EEA to another ERSG Holdings Group company outside the EEA for the purposes set out above, we will comply with any local law transfer requirements.

 

Third Parties

If you are a candidate, we share your personal data with clients who have vacancies for jobs which you are interested in. We also share your personal data and, where necessary, special category data with third party service providers who perform services and functions on our behalf, such as:

 

  •  conducting employment reference checks;
  •  conducting right to work checks;
  •  conducting education background checks based on the client’s requirements;
  •  conducting qualification checks;
  • carrying out criminal convictions checks (as required);
  •  verifying details you have provided from third party sources;
  •  conducting psychometric evaluations or skills tests;
  • hosting personal data for us;
  • providing professional advice to us;
  • providing data analytics to us;
  • carrying out testing and development work on our business technology systems;
  •  administering surveys or competitions on our behalf;
  •  assisting us to communicate with you; and
  • providing research and mailing house or other direct marketing services.

ERSG uses Tifo, branded as ‘ERSG compliance’, a third-party compliance software, to support the contractors’ onboarding process. Tifo streamlines the verification and documentation processes for new hires or contractors, ensuring adherence to regulatory requirements (i.e. right to work checks, background checks, criminal checks, …) through automated checks and audits of personal and professional credentials. Tifo may use cloud storage services, document management systems, and data verification services. It also conducts periodic compliance assessments and stores data securely to support ongoing regulatory adherence. All personal data processed through Tifo is stored securely in the UK (Microsoft Azure: UK West-Cardiff). Tifo also utilises several third-party services, such as Experian, First Advantage, GBG Group, and others, to conduct verification and compliance checks on our behalf.

 

For more information about Tifo, please see https://tifo.team/privacy-notice/

 

We contractually require minimum standards of confidentiality and data protection from our third-party service providers, including those engaged by such third-party service providers. If we need to send personal data outside the EEA, we will ensure that adequate safeguards are in place.

 

 

How long we hold your personal data for

We will keep your personal data for as long as we need to in order to fulfil the purpose we collected it for, which may be an ongoing purpose. For example, if you’re a candidate, we will retain your personal data for the duration of our business relationship with you and beyond, as we often support candidates with job placements over many years and potentially throughout their careers.

We keep some personal data for longer than others. To determine the appropriate retention period for personal data, we consider factors such as the purposes for which we process your personal data, including any legal, regulatory, accounting and reporting obligations, the nature and amount of personal data that we hold about you, and the potential risk of harm to you from unauthorised use or disclosure of your personal data.

Where we process your personal data for direct marketing purposes, we will do so until you ask us to stop, and for a short period after this (to allow us to implement your request). We also keep a record, indefinitely, of the fact that you have asked us not to send you direct marketing or not to process your data, so that we can respect your request.

As part of ERSG's compliance processes, personal data processed through third-party software, including Tifo, will be retained only for as long as necessary to fulfil the purposes for which it was collected, including fulfilling compliance checks and meeting legal obligations. After the retention period, data may be anonymised, ensuring it is no longer associated with an individual.

Anonymised data may then be used for legitimate business purposes, such as improving services or developing internal tools for compliance purposes.

 

Where do we store your personal information?

As a general principle, the personal information we collect from you will be stored in servers located in the United Kingdom. However, please note that due to legal and/or technical constraints, we may store your personal information in other locations than the United Kingdom.

 

This is notably the case where we rely on processors located outside the United Kingdom to carry out processing activities on our behalf. While ERSG’s third-party compliance software, including Tifo, primarily stores personal data in the United Kingdom or within the European Economic Area (EEA), there may be instances where data is transferred outside these regions. This could occur, for example, when Tifo works with external providers based in other jurisdictions. In such a case, your personal information is deemed transferred to those countries. When such transfers occur, we ensure that appropriate safeguards are in place, in accordance with applicable data protection laws. Specifically, our third-party compliance software, including Tifo, relies on mechanisms such as Standard Contractual Clauses (SCCs), approved by the European Commission, to ensure that your personal data receives the same level of protection as it would within the EEA. For more information about the location where your personal information is stored, you can contact us at [email protected].

 

We want to ensure that your personal information is always safely used and available to you, wherever you want to access it and for whatever reason you wish to use it.

 

 

Your rights in relation to personal data we hold about you

You have several rights under UK and EU data protection laws in relation to the personal data that ERSG and its third-party processors, including Tifo, hold about you. These rights include the right to ask us for a copy of your personal data; to access, correct, delete or restrict processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine-readable format and to ask us to share (port) this data to another controller (the right to data portability). Specifically, if you object to any automated decision-making processes conducted by Tifo during compliance checks, you may request human intervention to review the decision (see above).

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process your personal data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

These rights may be limited, for example, if complying with your request would reveal personal data about another person or would infringe the rights of a third party (including our rights), or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests for keeping. We will inform you of any relevant exemptions we are relying on when we respond to your request.

Right to be forgotten requests

 

You can request that your data be forgotten via your ERSG candidate account on the website. Alternatively, you can speak to your sales consultant, or email [email protected]. Once we receive your request, we will respond detailing the data that we have collected and any statutory obligations that mean we cannot delete your information. These obligations include, but are not limited to, keeping:

 

  • candidate records under Regulation 29 and Schedule 4 of the Conduct of Employment Agencies and Employment Businesses Regulations 2003, pursuant to the Employment Agencies Act 1973;
  •  first-aid training records under Health and Safety (First Aid) Regulations 1981;
  • income tax and NI returns and records under the Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended;
  •  payroll wage and salary records as per the Taxes Management Act 1970 and the Income Tax (Pay As You Earn) Regulations 2003 (SI 2003/2682);
  •  working time records, including overtime and holiday, as per the Working Time Regulations 1998 (SI 1998/1833).

Upon receipt of your right to be forgotten request, ERSG will delete your data within 28 days. We will inform you once this has been done and tell you which data was deleted.

 

Subject access requests

 

Similarly to a right to be forgotten request, you can submit a subject access request via your ERSG candidate profile, or by emailing the GDPR email address found in this document. Once we receive your request, we will confirm receipt via email. We have 28 days to provide you with the data that we have on file for you. Once we have collected this, we will send it to you via email, along with a copy of this policy.

 

 

Reporting a data breach

 

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the purposes of ERSG.

 

Any suspected or actual breach must be reported as soon as it is discovered to the GDPR inbox. Please provide as much detail as possible to enable us to investigate the alleged breach, including your name, what has happened, and when you became aware.

 

All breaches, big or small, regardless of the harm or potential harm, should be identified and reported. Once the breach has been reported, ERSG Legal has 72 hours to investigate the breach. If the breach is found to be significant, then we will report it to the ICO within the 72-hour period. If the breach does not require further action, it will be logged in our system for future reference, and we will internally respond to ensure that a similar breach does not happen again.

 

 

How to Contact Us

Exercising your rights

To exercise your rights, or to withdraw your consent to processing, or to unsubscribe from receiving marketing communications from us, you can:

 

FAO: Abby Moore ERSG Ltd

North Tower, 8th Floor,

26 Elmfield Road, Bromley London,

BR1 1WA

 

Questions and Complaints

 

If you have any questions about our privacy policy, or about our processing of your personal data, or to make a complaint, you can email us or our DPO at [email protected] or write to us at:

 

ERSG Ltd

UK Data Protection Team

North Tower, 8th Floor,

26 Elmfield Road, Bromley London

BR1 1WA

 

If you have unresolved concerns, and you live or work in the UK or believe that a personal data breach happened in the UK, you have the right to complain to the UK Information Commissioner’s Office who can be contacted at:

 

Telephone: 0303 123 11113

Website: https://ico.org.uk/concerns/

Post: Information Commissioner's Office

Wycliffe House Water Lane Wilmslow Cheshire

SK9 5AF

 

If you live or work outside the UK, or you have a complaint concerning our activities outside the UK, you may prefer to lodge a complaint with a different supervisory authority. A list of relevant authorities in the EEA can be accessed here.

While Tifo is a third-party provider for our compliance software, ERSG remains your primary contact for exercising any data rights in relation to your personal data, including processing activities conducted by Tifo. Additionally, you can contact Tifo directly to exercise your rights over personal data they process on behalf of ERSG:

PayStream Mansion House Manchester Road Altrincham WA14 4RW

 

Email: [email protected]

 

Changes to our Privacy Policy

We may change this privacy policy at any time. If we do so, we will post updates on this site. This Privacy Policy was last updated on 27/02/2025.
