Candidate privacy policy
What is the purpose of this document?
This notice describes how Mind Gym plc (“we”) process the personal data we obtain about people who apply to work with us. Please read this notice to understand our practices regarding this personal data and how we will treat it.
For the purposes of the data protection laws applicable in the United Kingdom, the data controller of the processing described in this notice is Mind Gym plc, a company registered in England and Wales with company number 3833448, whose registered office is at 160 Kensington High Street, London, W8 7RG, United Kingdom.
As the data controller we are responsible for deciding how we hold and use personal data about people who apply to work with us.
We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to anyone applying for work with us (whether as an employee, worker or contractor).
Data protection principles
We will comply with data protection law and principles, which means that your data will be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
The kind of information we hold about you
In connection with your application for work with us, we will collect, store, and use the following categories of personal data about you:
- The information you have provided to us in your curriculum vitae and covering letter.
- The information you have provided on our application form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications, your desired level of remuneration, your previous remuneration including benefit entitlements.
- Any information you provide to us during an interview.
- The results of any assessments we give you, including online tests.
- Information given in any diversity, inclusion and equality monitoring questionnaires you choose to complete, which may include, age, education, gender, race or national or ethnic origin, information about your disability, religious, philosophical or moral beliefs and sexual orientation.
- If you have asked us to make reasonable adjustments during the recruitment process, information about your disability.
How is your personal information collected?
We collect personal information about candidates from the following sources:
- You, the candidate.
- Recruitment agencies.
- Your named referees, from whom we collect information relating to your performance on the job, but only after you’ve accepted our conditional offer.
- Third party publicly accessible sources such as LinkedIn.
How we will use information about you
We will use the personal information we collect about you to:
- Assess your skills, qualifications, and suitability for the role or work that you are applying for.
- Communicate with you about the recruitment process.
- Keep records related to our recruitment processes.
- Comply with legal or regulatory requirements.
- Decide whether to enter into a contract of employment with you.
Having received your CV and any covering letter or application and potentially the results of any assessments from any telephone calls or email exchanges with you, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role.
If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you work. If we decide to make you an offer, we will then take up references before confirming your appointment.
If you fail to provide personal information
If you fail to provide information that is necessary for us to consider your application (such as evidence of qualifications or work history) when requested, we will not be able to process your application successfully.
Our legal basis for this processing
Our legal basis for processing the information we receive about candidates for the purposes described above is that it is necessary for the purposes of our legitimate interests, namely ensuring you are a fit and proper person to be engaged or employed by us and, where relevant, provide services to our clients. This legal basis is set out in Article 6(1)(f) of the GDPR.
How we use sensitive personal information
We will use your sensitive personal information in the following ways:
- We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
- We will use information about your age, education, gender, health, race or national or ethnic origin, information about your disability; religious, philosophical or moral beliefs, your sex life and sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Our legal bases for processing sensitive personal information
Under applicable data protection law, controllers need to have additional legal bases and comply with certain additional conditions to process the types of personal information described above.
The legal bases are set out in the GDPR and additional conditions relating to processing special category personal data and data relating to criminal convictions and offences are set out in Schedule 1 of the UK Data Protection Act 2018.
The legal bases and conditions we rely on for processing the sensitive information we receive about candidates for each purpose described above is set out below:
Purpose: Providing appropriate adjustments during the recruitment process
Personal data used: Data concerning health, including disability
Legal bases:
Under Article 6(1) GDPR
· Compliance with a legal obligation: our processing is necessary for compliance with a legal obligation, namely our responsibilities under laws relating to equality and health and safety (Article 6(1)(c) GDPR.)
Under Article 9(2) GDPR
· Employment, social security and social protection: our processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or data subject in the field of employment and social security and social protection law, namely our legal obligations under laws relating to equality and health and safety and candidates’ rights not to be discriminated against, to have reasonable adjustments made for them, and to be protected from harm (Article 9(2)(b) GDPR.)
Condition under Schedule 1 of the Data Protection Act
· Employment, social security and social protection: our processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, namely our legal obligations under laws relating to equality and health and safety and candidates’ rights not to be discriminated against, to have reasonable adjustments made for them, and to be protected from harm (Paragraph 1(1)(a), Schedule 1, DPA 2018.)
Purpose: Equal opportunity monitoring and reporting
Personal data used: age, education, gender, racial or ethnic origin; information about your disability; religious, philosophical or moral beliefs; sex life or sexual orientation; data concerning health, including disability.
Legal bases:
Under Article 6(1) GDPR
· Compliance with a legal obligation: our processing is necessary for compliance with a legal obligation, namely our responsibilities under laws relating to equality and health and safety (Article 6(1)(c) GDPR.)
· Legitimate interests: our processing is necessary for the purposes of our legitimate interests, namely ensuring meaningful equal opportunity/diversity in our organisation (Article 6(1)(f) GDPR.)
Under Article 9(2) GDPR
· Employment, social security and social protection: our processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or data subject in the field of employment and social security and social protection law, namely our legal obligations under laws relating to equality (Article 9(2)(b) GDPR.)
· Public interest: our processing is necessary for reasons of substantial public interest (Article 9(2)(g) GDPR), namely:
o identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling equality to be promoted or maintained.
o identifying suitable individuals to hold senior positions in our organisation.
o promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in our organisation.
Condition under Schedule 1 of the Data Protection Act
· Employment, social security and social protection: our processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection, namely our legal obligations under laws relating to equality (Paragraph 1(1)(a), Schedule 1, DPA 2018.)
· Equality of opportunity or treatment: our processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained (Paragraph 8(1)(b), Schedule 1, DPA 2018.) · Racial and ethnic diversity at senior levels of organisations: our processing is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally (Paragraph 9(1)(b), Schedule 1, DPA 2018.) · Racial and ethnic diversity at senior levels of organisations: our processing is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation (Paragraph 9(1)(c), Schedule 1, DPA 2018.)
Other processing purposes
In addition to the processing purposes described above, we may also process the personal data described in this notice if and to the extent necessary for the following purposes:
| Purpose | Legal basis |
|---|---|
| Establishing, exercising or defending legal claims | Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others |
| Obtaining or maintaining insurance cover, managing risks or obtaining professional advice | Our legitimate interests in protecting our business against risks |
| Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator | Compliance with a legal obligation |
| Protecting a person’s vital interests | Protection of vital interests, for example, a medical emergency during an interview or assessment |
If it is necessary to use sensitive personal data for the purposes described above, we would ensure we have an additional legal basis for processing that sensitive data before doing so.
Automated decision-making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Data sharing
Why might you share my personal information with third parties?
We will only share the personal information described in this notice in the following circumstances:
- We may share information provided in your curriculum vitae, covering letter and/or application form with other companies within our group if job opportunities arise in those companies which we think you would be suitable for if you have consented to this.
- Our third-party service providers receive the information described in this notice to the extent necessary for them to provide their services in connection with our recruitment purposes, for example Microsoft Corp who provides our Microsoft Office software and data hosting.
All of our group companies are required to take appropriate security measures to protect your personal information in line with our policies.
We do not allow our third-party service providers to use your personal information for their own purposes.
We only permit them to process your personal data for specified purposes and in accordance with our instructions, subject to legally binding data processing agreements between us and our service providers.
Additionally, we may disclose personal data to other organisations or individuals where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, for example if we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply the terms of any agreement to which we are a party, or to protect the rights, property, or safety of Mind Gym, our staff, customers, people who attend our courses, or others. In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.
International transfers of personal data
This section describes the circumstances in which the personal data described in this notice may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom and the safeguards in place to protect that data once it has been transferred.
- Mind Gym international group companies: we transfer some personal data to, and share access to databases containing personal data with, our group companies. Our group companies currently include Mind Gym (USA) Inc., based in the U.S.A., and Mind Gym Performance (Asia) Pte. Ltd, based in Singapore. We have entered into Standard Contractual Clauses with our group companies to ensure that any personal data transferred/shared is subject to suitable safeguards. The Standard Contractual Clauses can be obtained by emailing dpo@themindgym.com.
- Third-party service providers: our use of service providers involves some processing of personal data by our service providers in countries outside the EEA or the UK. We use legally binding agreements with our service providers to ensure that such transfers comply with the conditions for international transfers stipulated by applicable data protection law.
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the EEA or the UK in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
Data security
We have put in place appropriate security measures to prevent your personal information from being accidentally or unlawfully destroyed, lost or altered, or disclosed or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who need to access it in order to carry out their duties in connection with the purposes described in this notice.
The third-party service providers we use will only process your personal information on our instructions and they are subject to a duty of confidentiality and required to implement appropriate security measures under legally binding data processing agreements we have with them.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Data retention
How long will you use my information for?
We will retain the personal information described in this notice for a period of 6 months after we have communicated to you our decision about whether to appoint you. We retain your personal information for 6 months so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy.
If we wish to retain your personal information on file beyond the 6 months, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period of up to two years from the time you consent. You can withdraw your consent at any time by contacting careers@themindgym.com.
Your rights in connection with personal information
Under certain circumstances, data protection law gives you the rights to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Withdraw consent to our processing of your personal information, but only where our legal basis for processing that information is your consent.
If you want to exercise any of these rights, please contact careers@themindgym.com.
We may ask you to provide further information in order to confirm your identity. Please also note that if you submit unfounded or excessive (for example repetitive) requests to exercise any of these rights, we are permitted under applicable data protection law to charge a reasonable fee for providing the requested information or taking the requested action, or to decline your request.
Complaining to a supervisory authority
You also have the right to lodge a complaint about our processing of your personal information with a supervisory authority if you are concerned that our processing breaches data protection legislation or does not respect your rights under data protection law. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The Information Commissioner’s Office (www.ico.org.uk) is the supervisory authority in the UK that is responsible for overseeing the application of, and enforcing, data protection law. Relevant contact details for the ICO can be found here: https://ico.org.uk/concerns/.
Questions about this notice
If you have any questions about this privacy notice or how we handle your personal information, please contact dpo@themindgym.com.
Changes to this privacy notice
Any changes we make to this privacy notice in the future will be posted on the candidate pages of our website and, where appropriate, notified to you by e-mail or other suitable method.