Recruitment Privacy Notice

Recruitment Privacy Notice

1. Purpose

Thought Machine Group Limited and our group companies (“Thought Machine”, “we”, “us”, “our”) are committed to protecting the privacy and security of your personal information. This recruitment privacy notice describes how we gather and process your personal information during our recruitment process, in accordance with the relevant data protection laws and regulations, including the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the EU General Data Protection Regulation (“EU GDPR”), and any other relevant local data protection laws. 

This notice applies to all candidates who apply directly, through recruitment agencies, or via third-party platforms (whether you are applying for work with us as an employee, worker or contractor).

2. Definitions

A “data controller” is an individual or organisation who:

  • Decides to collect or process personal data
  • Decides what the purpose or outcome of processing is to be
  • Decides what personal data should be collected
  • Decides which individuals to collect personal data about

Thought Machine is considered a data controller when we process candidate personal data during our recruitment process.

A “data subject” is a living individual who can be identified from the personal data or from additional information held or obtained.

personal data” is any information that relates to a data subject and that can be used to identify the person directly, or indirectly when used with other information. It includes, but is not limited to:

  • A person’s name
  • Job title
  • Age
  • Postal or email address
  • IP address, e.g., online identifier
  • Vehicle registration number
  • Bank details

processing” relates to all actions or handling of personal data by manual or automated means, (e.g., data collection), erasure and destruction plus everything in between, including recording, use, disclosure, sharing and storage.

There are “special categories” of personal data and these include but are not limited to data revealing:

  • Race or ethnicity
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation
  • Genetic or biometric data

3. Data Protection Principles

Thought Machine is committed to comply with the principles of data protection enumerated in the UK GDPR and other data protection regulations, which means your personal data will be: 

  • Used lawfully, fairly and in a transparent way (Lawfulness, fairness and transparency)
  • Collected only for a specific, lawful purpose (Purpose limitation)
  • Adequate, relevant and limited to what is necessary (Data minimisation)
  • Accurate and, where necessary, kept up to date (Accuracy)
  • Kept only as long as necessary for the purposes we have told you about (Storage limitation)
  • Kept securely (Integrity, confidentiality and security)

4. Candidate Personal Data

4.1 The type of personal data we collect

We may collect, store, and process the following categories of candidate personal data:

  • Identity and contact details, (e.g., name, title, photo, address telephone number, email address, date of birth)
  • Recruitment and application information (e.g., CV, cover letter, employment history, qualifications, skills, experience)
  • Interview and assessment information (e.g., interview notes, test results, feedback)
  • Right-to-work and background information (e.g., proof of identity, visa / immigration status, proof of address and current and previous addresses, insurance numbers, reference checks, information about criminal convictions and offences and background screening where legally permitted)
  • Correspondence with or about candidates (e.g., letters, emails)
  • Salary data (in some regions)
  • Special category data, only where relevant and lawful (e.g., equal opportunities monitoring, health information, required for interview and workplace adjustments) 
  • Audio and video footage/recordings (e.g., CCTV obtained during in-person interviews)

4.2 How we collect your personal data

During our recruitment process - the application stage, interview stage(s) and onboarding - Thought Machine predominately collects personal data from:

  • You, the candidate (through your application, CV, forms, interviews and correspondence)
  • Recruitment agencies or platforms where you submitted your application
  • Professional networking sites, e.g., LinkedIn, and other public sources, such as social media and job boards
  • Background check providers, referees, and right-to-work verification services
  • Your named referees that you want us to contact, e.g., previous employers, managers, or colleagues
  • Disclosure and Barring Services (or equivalent) in respect of criminal convictions, only where relevant and lawful
  • Implementation of security measures (e.g., CCTV and access control)

4.3 How we use your personal data

We will use your personal data to:

  • Assess your skills, qualifications, and suitability for the role
  • Communicate with you during the recruitment process
  • Conduct interviews, assessments, and background checks
  • Verify your identity, eligibility to work, and references
  • Keep records of our recruitment process for compliance and monitoring purposes
  • Consider you for future roles (where permitted and unless you object)

4.4 If you choose not to provide your candidate data

If you fail to provide information when requested that is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. This does not include special category data we may collect as part of diversity and equal opportunities monitoring (please see section 5 below for more information on this point).

5. Legal Basis for Processing Candidate Personal Data

We must have a legal basis for using your personal data. We rely on one or more of the following lawful bases:  

  • Legitimate interests: This is where we need to use your data for our legitimate interests, or those of a third party. It means using data in a way that you expect us to, for a reason which is in your and/or our (or a third party’s) interest and which doesn't override your privacy rights, e.g., to manage our recruitment process fairly and effectively
  • Consent: This is where we ask you to consent to specific processing, e.g., optional diversity monitoring, certain background checks
  • Contractual duty: This is where we need the information to process your application to enter into an employment or other contract with you
  • Legal obligation: This is where a law or regulation says we must collect the information to decide if we can enter into an employment or other contract with you, e.g., to verify identity, right to work, and comply with employment laws
  • Public interest: This is where we need the information to perform a specific task in the public interest that is set out in law

‍Where we process special category data (such as health or diversity information), we do so in line with legal requirements and with appropriate safeguards.

In the event a lawful basis cannot be determined for data collection, we will not be collect or processes it.

6. Diversity and Equal Opportunities Monitoring

As part of our commitment to equality, diversity and inclusion, we may collect and process special category data relating to:

  • Gender, age, ethnicity, and nationality
  • Disability and health conditions (where relevant to adjustments)
  • Religion or belief
  • Sexual orientation

This information is collected on a voluntary basis and will not affect your application. It is used only for statistical monitoring, reporting, and ensuring compliance with equal opportunities legislation.

Where collected, this information will be:

  • Kept separate from your application and recruitment decision-making process
  • Accessed only by staff with responsibility for monitoring equality data
  • Reported in aggregate and anonymised form wherever possible

We process this information based on your explicit consent or, where applicable, in line with our obligations under employment and equality legislation. You may choose not to provide this information without any impact on your application. 

7. Sharing Candidate Personal Data

We may share your data with:

  • Recruitment agencies and platforms (if you applied through them)
  • Service providers supporting our recruitment systems (e.g., applicant tracking software)
  • Background check providers, referees, and professional advisers
  • Thought Machine group companies
  • Legal or regulatory bodies where required

We do not allow our third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. We do not sell or rent your personal data to third parties.

8. International Transfers

If your personal data is transferred overseas, Thought Machine will take appropriate steps to ensure there are appropriate safeguards in place to protect your information.

9. Data Security

Thought Machine takes privacy seriously and we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. 

All our third party service providers and Thought Machine group companies are required to take appropriate security measures to protect your personal data in line with our policies. They may include encryption, physical access security or other tools that we believe enhance the security of our data processing systems.

We have security measures and procedures in place to detect, identify and mitigate suspected and actual personal data breaches and will notify you and the relevant supervisory authority of a relevant personal data breach where we are legally required to do so.

10. Artificial Intelligence and Automated Decision-Making

We may use Artificial Intelligence (AI) tools to assist in our recruitment process. These tools may help us to screen applications, assess skills, and support decisions-making. All AI-assisted processes are subject to human oversight, and final hiring decisions are made by our recruitment team.

We ensure that any AI tools we use are designed to support fairness, accuracy, ad transparency. 

We do not rely solely on automated decision-making. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

You have the right to request further information about how AI is used in our application process, as well as the right to contest or seek human review of any decisions that involve AI-assistance.

11. Data Retention

Thought Machine will store your personal data for as long as is reasonably necessary for the purposes for which it was collected and securely delete your personal data when it is no longer required in accordance with our data retention policy. In some circumstances we may store your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory or necessary technical requirements.

We will retain your personal data for:

  • Successful candidates: Your information will be transferred to your employee record and retained in line with our Employee and Staff Privacy Notice
  • Unsuccessful candidates: Your information will be retained for 12 months after the recruitment process, unless a longer period is required by law or you consent to be considered for future opportunities.

12. Candidate Data Protection Rights

You have several rights in relation to your personal data that we hold:

  • Right of access (commonly known as a “data subject access request”) - This enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it
  • Right to rectification – This enables you have any incomplete or inaccurate information we hold about you corrected 
  • Right to erasure (also known as the ‘right to be forgotten”) – This enables you, in certain circumstances, to ask us to delete or remove personal data where there is no good reason for us continuing to process it
  • Right to restrict processing – This enables you to ask us to suspend processing of your personal data, e.g., if you deem it is being used illegally or the data is not correct
  • Right to object to processing - Where we are relying on legitimate interest, you can object to your personal data being used if it is not being used in the manner for which it was collected (e.g., profiting, automation, direct marketing)
  • Right to data portability - Thought Machine must provide you with your personal data so that you can reuse it for your own purposes or across different services. We must provide it in a commonly used, machine-readable format
  • Right to object to automated individual decision-making – Thought Machine must respect the rights of individuals in relation to automated decision-making and profiling
  • Right to lodge a complaint – You have the right to lodge a complaint with the applicable data protection regulator or supervisory authority (e.g., the UK Information Commissioner’s Office)
  • Right to withdraw consent (where consent is the lawful basis) - If you have provided consent for the processing of your personal data for the purposes of our recruitment process, you have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before their consent was withdrawn. To withdraw your consent, or for any complaints, requests or queries, individuals should contact dpo@thoughtmachine.net

Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely. We may ask you to verify your identity before acting on the request - this is to ensure that your data is protected and kept secure.

13. Contact Details 

Our Data Protection Officer is entrusted with monitoring and enforcing compliance with all data protection laws, to ensure that personal data that is collected and processed is handled appropriately.

If you have any questions or concerns about this privacy notice or how we handle your personal data, our Data Protection Officer can be contacted via the following e-mail address: dpo@thoughtmachine.net

Contact address: Data Protection Officer

7 Herbrand St, London WC1N 1EX

14. Complaints

You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand.

15. Changes to this Privacy Policy and Your Duty to Inform Us of Changes

We keep our privacy policy under regular review. Historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Sign up to our newsletter
Thank you! You will now receive some incredible content in your inbox!
Oops! Something went wrong while submitting the form.
For information about how we use your data please read our privacy policy.