This notice describes how Mind Gym plc (“we”) process the personal data we obtain about people who apply to work with us. Please read this notice to understand our practices regarding this personal data and how we will treat it.
For the purposes of the data protection laws applicable in the United Kingdom, the data controller of the processing described in this notice is Mind Gym plc, a company registered in England and Wales with company number 3833448, whose registered office is at 160 Kensington High Street, London, W8 7RG, United Kingdom.
As the data controller we are responsible for deciding how we hold and use personal data about people who apply to work with us.
We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to anyone applying for work with us (whether as an employee, worker or contractor).
We will comply with data protection law and principles, which means that your data will be:
The kind of information we hold about you
In connection with your application for work with us, we will collect, store, and use the following categories of personal data about you:
We collect personal information about candidates from the following sources:
We will use the personal information we collect about you to:
Having received your CV and any covering letter or application and potentially the results of any assessments from any telephone calls or email exchanges with you, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role.
If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you work. If we decide to make you an offer, we will then take up references before confirming your appointment.
If you fail to provide information that is necessary for us to consider your application (such as evidence of qualifications or work history) when requested, we will not be able to process your application successfully.
Our legal basis for processing the information we receive about candidates for the purposes described above is that it is necessary for the purposes of our legitimate interests, namely ensuring you are a fit and proper person to be engaged or employed by us and, where relevant, provide services to our clients. This legal basis is set out in Article 6(1)(f) of the GDPR.
We will use your sensitive personal information in the following ways:
Our legal bases for processing sensitive personal information
Under applicable data protection law, controllers need to have additional legal bases and comply with certain additional conditions to process the types of personal information described above.
The legal bases are set out in the GDPR and additional conditions relating to processing special category personal data and data relating to criminal convictions and offences are set out in Schedule 1 of the UK Data Protection Act 2018.
The legal bases and conditions we rely on for processing the sensitive information we receive about candidates for each purpose described above are set out below:
Purpose: Providing appropriate adjustments during the recruitment process
Personal data used: Data concerning health, including disability
· Compliance with a legal obligation: our processing is necessary for compliance with a legal obligation, namely our responsibilities under laws relating to equality and health and safety (Article 6(1)(c) GDPR.)
· Employment, social security and social protection: our processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or data subject in the field of employment and social security and social protection law, namely our legal obligations under laws relating to equality and health and safety and candidates’ rights not to be discriminated against, to have reasonable adjustments made for them, and to be protected from harm (Article 9(2)(b) GDPR.)
· Employment, social security and social protection: our processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, namely our legal obligations under laws relating to equality and health and safety and candidates’ rights not to be discriminated against, to have reasonable adjustments made for them, and to be protected from harm (Paragraph 1(1)(a), Schedule 1, DPA 2018.)
Personal data used: age, education, gender, racial or ethnic origin; information about your disability; religious, philosophical or moral beliefs; sex life or sexual orientation; data concerning health, including disability.
Under Article 6(1) GDPR
· Compliance with a legal obligation: our processing is necessary for compliance with a legal obligation, namely our responsibilities under laws relating to equality and health and safety (Article 6(1)(c) GDPR.)
· Legitimate interests: our processing is necessary for the purposes of our legitimate interests, namely ensuring meaningful equal opportunity/diversity in our organisation (Article 6(1)(f) GDPR.)
Under Article 9(2) GDPR
· Employment, social security and social protection: our processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or data subject in the field of employment and social security and social protection law, namely our legal obligations under laws relating to equality (Article 9(2)(b) GDPR.)
· Public interest: our processing is necessary for reasons of substantial public interest (Article 9(2)(g) GDPR), namely:
o identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling equality to be promoted or maintained.
o identifying suitable individuals to hold senior positions in our organisation.
o promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in our organisation.
Condition under Schedule 1 of the Data Protection Act
· Employment, social security and social protection: our processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection, namely our legal obligations under laws relating to equality (Paragraph 1(1)(a), Schedule 1, DPA 2018.)
· Equality of opportunity or treatment: our processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained (Paragraph 8(1)(b), Schedule 1, DPA 2018.)
· Racial and ethnic diversity at senior levels of organisations: our processing is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally (Paragraph 9(1)(b), Schedule 1, DPA 2018.)
· Racial and ethnic diversity at senior levels of organisations: our processing is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation (Paragraph 9(1)(c), Schedule 1, DPA 2018.)
In addition to the processing purposes described above, we may also process the personal data described in this notice if and to the extent necessary for the following purposes:
Purpose | Legal basis |
---|---|
Establishing, exercising or defending legal claims | Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others |
Obtaining or maintaining insurance cover, managing risks or obtaining professional advice | Our legitimate interests in protecting our business against risks |
Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator | Compliance with a legal obligation |
Protecting a person’s vital interests | Protection of vital interests, for example, a medical emergency during an interview or assessment |
If it is necessary to use sensitive personal data for the purposes described above, we would ensure we have an additional legal basis for processing that sensitive data before doing so.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Why might you share my personal information with third parties?
We will only share the personal information described in this notice in the following circumstances:
All of our group companies are required to take appropriate security measures to protect your personal information in line with our policies.
We do not allow our third-party service providers to use your personal information for their own purposes.
We only permit them to process your personal data for specified purposes and in accordance with our instructions, subject to legally binding data processing agreements between us and our service providers.
Additionally, we may disclose personal data to other organisations or individuals where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, for example if we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply the terms of any agreement to which we are a party, or to protect the rights, property, or safety of Mind Gym, our staff, customers, people who attend our courses, or others. In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.
This section describes the circumstances in which the personal data described in this notice may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom and the safeguards in place to protect that data once it has been transferred.
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the EEA or the UK in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
We have put in place appropriate security measures to prevent your personal information from being accidentally or unlawfully destroyed, lost or altered, or disclosed or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who need to access it in order to carry out their duties in connection with the purposes described in this notice.
The third-party service providers we use will only process your personal information on our instructions and they are subject to a duty of confidentiality and required to implement appropriate security measures under legally binding data processing agreements we have with them.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will retain the personal information described in this notice for a period of 6 months after we have communicated to you our decision about whether to appoint you. We retain your personal information for 6 months so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy.
If we wish to retain your personal information on file beyond the 6 months, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period of up to two years from the time you consent. You can withdraw your consent at any time by contacting careers@themindgym.com.
Your rights in connection with personal information
Under certain circumstances, data protection law gives you the rights to:
If you want to exercise any of these rights, please contact careers@themindgym.com.
We may ask you to provide further information in order to confirm your identity. Please also note that if you submit unfounded or excessive (for example repetitive) requests to exercise any of these rights, we are permitted under applicable data protection law to charge a reasonable fee for providing the requested information or taking the requested action, or to decline your request.
You also have the right to lodge a complaint about our processing of your personal information with a supervisory authority if you are concerned that our processing breaches data protection legislation or does not respect your rights under data protection law. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The Information Commissioner’s Office (www.ico.org.uk) is the supervisory authority in the UK that is responsible for overseeing the application of, and enforcing, data protection law. Relevant contact details for the ICO can be found here: https://ico.org.uk/concerns/.
If you have any questions about this privacy notice or how we handle your personal information, please contact dpo@themindgym.com.
Changes to this privacy notice
Any changes we make to this privacy notice in the future will be posted on the candidate pages of our website and, where appropriate, notified to you by e-mail or other suitable method.