IDR Partners Limited Ltd is committed to complying with the EU General Data Protection Regulation (GDPR) 2018 policy. As an organisation, IDR Partners Limited is required to gather and use certain personal information about individuals. These individuals can include any type of contact in the field of Recruitment and other people IDR Partners Limited has a relationship with or may wish to approach to forge a relationship with. This policy describes how such personal data is collected, handled and stored to meet the GDPR standards, and to comply with the law.
Why does this policy exist?
This GDPR policy ensures that IDR Partners Limited:
- complies with data protection law and follows good practice;
- protects the rights of all business contacts, whether currently known or prospective;
- is open about how it stores and processes individuals’ data;
- protects itself from the risks of a data breach.
The GDPR Act 2018 describes how organisations, including IDR Partners Limited, must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. GDPR is underpinned by six important principles.
These say that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability and Transparency
IDR Partners Limited adopts the principles of Accountability and Transparency and as such:
- has implemented appropriate technical/organisational measures to ensure compliance;
- has a designated data controller;
- has implemented measures that meet the principles of data protection by design and data protection by default.
IDR Partners Limited holds personal data on the lawful basis of Legitimate Interest. Data is sourced for the purpose of providing resourcing, Talent Pipelining and Professional recruitment services to global clients, and as such only data already available in the public domain is held. It is deemed that seeking consent to hold such personal basic information would be disproportionately balanced. Verbal permission to keep data is requested when engaging with prospective business contacts/candidates for the first time. Consent, by the process of signing the IDR Partners Limited consent documentation, is requested when a candidate chooses to engage in the process and potentially be introduced to a client of IDR Partners Limited.
Data is stored on a proprietary database which is securely server-based and accessed by password through a computer, then a separate and different application password. Resetting of passwords initiates a secure 2-step authentication. Only employees & associates of IDR Partners Limited receive access to the database. No details that could be considered high-risk (such as financial details, date of birth, passport, identification, full home addresses, sexual orientation, political/religious beliefs, biometric data) will be requested or held.
Sharing of Data
IDR Partners Limited may share personal data with clients where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights are enforceable and effective legal remedies for individuals are available following the transfer. Clients of IDR Partners Limited are required to agree to the data sharing agreement set out in the client-signed terms of business, and as such confirm that their organisation is GDPR compliant and will handle the shared data under the basis of their own GDPR policy.
Basic personal data obtained under the lawful basis of Legitimate Interest may be shared without notification.
Full and detailed personal data obtained under the lawful basis of Consent will only be shared once the individual has signed the IDR Partners Limited Declaration, agreeing to such sharing of data.
Transfer of Data
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Basic personal data obtained under the lawful basis of Legitimate Interest may be transferred outside of the EU without notification to UK-based clients who may have offices in other non-EU territories.
Full and detailed personal data obtained under the lawful basis of Consent may only be transferred once the individual has signed the IDR Partners Limited Consent form, agreeing to such transfer of data.
If IDR Partners Limited merges with or is acquired by another business or company in the future (or is in meaningful discussions about such a possibility), we may share your personal data with the (prospective) new owners of the business or company.
GDPR provides the following rights for individuals:
- right to be informed;
- right of access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to data portability;
- right to object.
Procedure for access
Any access requests should be made to the Data Controller via email: email@example.com. Requests are free of charge and will be handled within 40 days. Data will have been recorded and ultimately delivered in a concise, transparent and intelligible manner, written in clear and plain language. After receipt of the data, any of the Individual Rights can be requested and as such will be actioned in 40 days.