rms test no bg

Data Protection

Definitions

In this policy, the following terms have the meanings assigned to them here:

  • ‘the Company’: means RMS Recruitment Limited;
  • ‘consent’: means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • ‘data controller’: means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data;
  • ‘data processor’: means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  • ‘data subject’: means the identified or identifiable living individual to whom personal data is related;
  • ‘personal data’: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • ‘personal data breach’: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
  • ‘processing’: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  • ‘profiling’: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
  • ‘pseudonymisation’: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • ‘special categories of personal data’: means the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

For the purposes of this policy, the term ‘individual’ is used to mean ‘data subject’. The term ‘personal data’ includes ‘special categories of personal data’ except where we specifically need to refer to special categories of personal data.

Data Protection Principles

The Data Protection Laws require the Company, acting as either data controller or data processor, to process data in accordance with the principles of data protection. These principles require that personal data is:

  1. Processed lawfully, fairly, and in a transparent manner.
  2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Kept for no longer than is necessary for the purposes for which the personal data are processed.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
  7. The data controller shall be responsible for, and be able to demonstrate, compliance with the data protection principles.

Legal Basis for Processing

The Company will only process personal data where it has a legal basis to do so. The Company will review the personal data it holds regularly to ensure it is being lawfully processed and is accurate, relevant, and up to date.

Privacy by Design and Default

The Company has implemented measures and procedures that adequately protect the privacy of individuals and ensures that data protection is integral to all processing activities. This includes implementing measures such as data minimisation, pseudonymisation, anonymisation, and cybersecurity.

Privacy Notices

The Company provides individuals with privacy notices at the time when it first obtains their personal data, or, if collected from another source, within a reasonable period after obtaining the personal data.

Subject Access Requests, Rectification, and Erasure

Individuals have rights to access their personal data, request rectification of inaccurate data, and request erasure of their personal data under certain conditions.

Data Portability and Object to Processing

Individuals have the right to data portability and the right to object to the processing of their personal data in certain circumstances.

Automated Decision Making

The Company does not subject individuals to decisions based on automated processing that produce legal effects concerning them or similarly significantly affect them, except as permitted by law.

Reporting Personal Data Breaches

All personal data breaches should be reported to the contact listed at the end of this policy. The Company will take steps to contain and recover the breach and notify the ICO and affected individuals where necessary.

Enforcement of Rights

All requests regarding individual rights should be sent to the contact listed at the end of this policy. The Company will act upon any request within the legal timeframe.

If you have a complaint or suggestion about the Company’s handling of personal data, please contact the designated officer within the Company or the ICO directly.