Recruitment Privacy Notice

1. Purpose

Thought Machine Group gathers and processes personal information for the purposes of recruitment in accordance with this privacy notice and in compliance with the relevant data protection laws and regulations. This notice provides all candidates with the necessary information regarding their rights, and explains how, why and when Thought Machine processes their personal data.

2. Definitions

A “Data Subject” is a living individual who can be identified from the personal data or from additional information held or obtained. 

“Personal Data” (“PD”) or “Personally identifiable information (PII)“ is any information that relates to an identifiable person (or “Data Subject”) and that can be used to identify the person directly, or indirectly when used with other information. It includes, but is not limited to:

  • A person’s name
  • Job title
  • Postal or email address

“Processing” relates to all actions or handling of personal data by manual or automated means (e.g. data collection), erasure and destruction plus everything in between including recording, use, disclosure, sharing and storage. 

A “Data Controller” is an individual or organisation who:

  • Decides to collect or process personal data
  • Decides what the purpose or outcome of processing is to be
  • Decides what personal data should be collected
  • Decides which individuals to collect personal data about
  • Whose data subjects are candidates of Thought Machine
  • Has a direct relationship with the data subjects

Thought Machine is considered a Data Controller when it processes candidate personal data.

3. Data Protection Principles

Thought Machine is committed to comply with the principles of data protection enumerated in the GDPR and other data protection regulations. Thought Machine will make every effort possible to comply with these principles. Personal data must:

  1. Be processed lawfully, fairly and in a transparent manner (Lawful, fair and transparent)
  2. Be obtained only for a specific, lawful purpose (Purpose limitation)
  3. Be adequate, relevant and limited to what is necessary (Data minimisation)
  4. Be accurate and, where necessary, kept up to date (Accuracy)
  5. Not be held for any longer than necessary (Storage limitation)
  6. Be protected and safeguarded in appropriate ways (Integrity, confidentiality and security)

4. Candidate Personal Data

As a Data Controller, Thought Machine is responsible for obtaining and processing candidate data. Thought Machine needs to keep and process information about candidates for normal recruitment purposes. The information it holds and processes will be used lawfully, fairly and transparently. Some information may need to be retained after the recruitment process. Thought Machine may retain the following data after the recruitment process has ended:

  • Unsuccessful applicants: Data provided by the candidate in the recruitment process will be retained for 12 months
  • Successful applicants: Data provided by the candidate in the recruitment process will be retained during the course of employment. Please see the employee privacy notice which outlines how we handle employee data

Thought Machine will never collect any unnecessary personal data from candidates and does not process personal information in any other way, other than as specified in this notice. 

The type of candidate data that is recorded may include the following:

  • Name
  • Date of Birth
  • Home Address
  • Personal Email
  • Home Telephone Number
  • Mobile Telephone Number
  • Correspondence with or about candidates, for example letters/emails
  • Salary data (in some regions)
  • Information needed for equal opportunities monitoring 
  • Records relating to career history, such as training records, appraisals, other performance measures 
  • Photos
  • Audio and video footage/recordings (e.g. CCTV obtained during in person interviews)

Thought Machine predominately collects personal information in the following ways:

On applications: 

  • Your name and contact details (your address, phone number and email address)
  • Your work and educational history (typically in your resume) 
  • The country you’re applying from and your right to work status
  • Your responses to application questions and other information you give us through potential challenges / technical tests / etc.  
  • Details of your current and/or desired salary and other things relating to financial compensation and benefits packages 
  • Your current notice period

At interview stage, we collect: 

  • Details of any special needs you want us to know about, so we can make adjustments for your interview
  • any other information you give us, or observations we make through interviews, that are relevant for your application

At onboarding, we collect: 

  • A form of identification, proof of address and current and previous addresses, and insurance numbers so that we can carry out ‘Right to Work’ checks
  • Details about former managers or colleagues you want us to contact as referees and references from previous employers, managers or colleagues we contact to learn about you
  • The results of your background checks from background checking agencies we work with. This will include information about potential criminal convictions and your financial integrity

Information we obtain from third party sources

We may also get your contact details and professional profile from:

  • Recruitment or executive search agencies
  • Professional networking sites or other public sources such as social media and job boards

How we obtain your data: 

  • Submitted Resumes
  • Job Forums & Recruitment Agencies
  • Direct from Candidates & Employees
  • Postal and Email Applications
  • Implementation of security measures (e.g. CCTV and access control) 

4.1. Legal Basis for Processing Candidate Personal Data

Thought Machine processes personal data fairly and lawfully, the data that is processed is done transparently and with consent when applicable, this generally means that Though Machine will not process personal data without consent. In the event a lawful basis cannot be determined for data collection, the data should not be collected or processed. Candidates have a right to have any data unlawfully processed data erased.

We must have a legal basis for using your personal data, this may include:   

  • Contractual duty: This is when we need the information to process your application to enter into an employment (or other) contract with you
  • Legal duty: This is when a law or regulation says we must collect the information to decide if we can enter into an employment (or other) contract with you
  • Legitimate interest: This is when we need to use your data for our legitimate interests, or those of a third party. It means using data in a way that you expect us to, for a reason which is in your and/or our (or a third party’s) interest and which doesn't override your privacy rights
  • Public interest: This is when we need the information to perform a specific task in the public interest that’s set out in law
  • Consent: We have your consent

4.2. How We Use Candidate Personal Data

Subject to applicable law, candidates personal data may be stored and processed by Thought Machine for the following purposes:

  • To evaluate applications for employment and make decisions in relation to selection of candidates
  • Pre-employment screening including, where relevant and appropriate, identity check, right to work verification, reference check, credit check, financial sanction check, criminal record checks
  • To make job offers, providing contracts of employment or engagement and preparing to commence your employment or engagement where you accept an offer from us
  • To contact you should another potentially suitable vacancy arise
  • To deal with any query, challenge or request for feedback received in relation to our recruitment decisions

4.3. Sharing and Transferring Personal Data

Thought Machine will only disclose information about candidates to third parties if we are legally obliged to do so or where we need to onboard a candidate. Where we have the requirement to use an intermediary, Thought Machine will ensure that they are fully compliant with GDPR (or equivalent based on jurisdiction) before engaging with them. 

Thought Machine may transfer information about the candidate to other group companies. 

Where candidate personal data is transferred overseas, Thought Machine will take appropriate steps to ensure that there is an adequate level of protection for such personal information in accordance with applicable legal requirements.

4.4. Data Retention

Thought Machine will store your personal information for as long as is reasonably necessary for the purposes for which it was collected and will take all reasonable steps to delete information when it is no longer required. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory or necessary technical requirements.

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

4.5. Safeguarding Measures

Thought Machine takes privacy seriously and takes every reasonable measure and precaution to protect and secure candidate personal data from unauthorised access, alteration, disclosure or destruction.

5. Candidate Rights

Candidates have a number of rights in relation to the personal data that we hold. These rights include:

  1. The right to be informed - to know what information is being processed about the candidate
  2. The right of access - to check what data is being held about the candidate
  3. The right to rectification - gives the candidate the right to correct errors in the information that is held
  4. The right to erasure - under certain circumstances the candidate can ask for their personal data to be permanently erased. This is ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or the data subject’s consent for the processing of that data has been withdrawn
  5. The right to restrict processing - the candidate can stop or halt the processing of their information if they deem it’s being used illegally or the data is not correct
  6. The right to object - the candidate can object to information being used if it is not being used in the manner for which it was collected (e.g. profiting, automation, marketing)
  7. Rights in relation to automated decision making and profiling - Thought Machine must respect the rights of individuals in relation to automated decision making and profiling
  8. The right to data portability - Thought Machine must provide individuals with their data so that they can reuse it for their own purposes or across different services. Thought Machine must provide it in a commonly used, machine-readable format
  9. The right to lodge a complaint - The candidate has the right to lodge a complaint with the applicable data protection regulator or supervisory authority (e.g. Information Commissioner’s Office)

If a candidate has provided consent for the processing of PII, they have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before their consent was withdrawn. For any complaints, requests or queries, individuals should contact dpo@thoughtmachine.net. 

If Thought Machine receives a request from a candidate to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

6. Contact

The Data Protection Officer is entrusted with monitoring and enforcing compliance with all data protection laws so as to ensure that personal data that is collected and processed is handled appropriately. 

The Data Protection Officer can be contacted via the following e-mail address: dpo@thoughtmachine.net

Sign up to our newsletter
Thank you! You will now receive some incredible content in your inbox!
Oops! Something went wrong while submitting the form.
For information about how we use your data please read our privacy policy.