ENSEK Privacy Notice for Job Applicants & Candidates
Effective Date 7th May 2026
This document is ENSEK's privacy notice for the purposes of Articles 13 and 14 of the UK GDPR, with respect to job applicants' personal data.
1. WHO IS THIS PRIVACY NOTICE FOR?
2. WHAT IS THIS PRIVACY NOTICE ABOUT?
3. WHO IS THE CONTROLLER OR PROCESSOR OF YOUR DATA?
4. WHAT DATA DO WE HOLD ABOUT YOU?
5. HOW DO WE OBTAIN YOUR DATA?
6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA?
7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?
8. WHO DO WE SHARE YOUR DATA WITH?
9. WHERE DO WE KEEP YOUR DATA?
10. HOW LONG DO WE KEEP YOUR DATA FOR?
1. WHO IS THIS PRIVACY NOTICE FOR?
Introduction
This privacy notice is addressed to the types of individuals listed below (the data subjects). PLEASE ENSURE THAT YOU READ THIS NOTICE.
Job Applicants
(1) This privacy notice applies to individuals who are applying for or are being considered as candidates for a job with us.
(2) We are a controller in respect of your data.
Job Candidates
(1) This privacy notice also applies to individuals who ENSEK identifies through searching, as potential persons to make unsolicited approaches to, about working for ENSEK, including through any third party search services.
(2) For example we may use services that search the internet for job candidates.
(3) We are a controller in respect of your data.
Other Notices
(1) We have a privacy notice for employees, which is published internally only.
(2) We have a privacy notice for contractors, published internally and on our website.
(3) We also have a general privacy notice, for any data processing not covered by this notice or the above notices, which is published on our website.
Any Questions?
(1) If you have any questions, please contact our People Team in the first instance, and then our data protection officer if your question has not been resolved.
(2) Contact details can be found later in this notice.
2. WHAT IS THIS PRIVACY NOTICE ABOUT?
Introduction
(1) This privacy notice explains what personal data we hold about you, how we collect it, how we use it, who we share it with, and what your rights are.
(2) We are required to notify you of this information, under data protection legislation.
(3) Set out below are some general points to note before reading further.
What is the applicable law?
(1) This document is a privacy notice published to comply with Article 13 and Article 14 of the UK GDPR, as updated by the Data (Use And Access) Act 2025.
(2) You can find out more information through the useful links section of this document.
What is our commitment as controller?
(1) The controller of your data is the person ultimately responsible for the processing of your data.
(2) As the controller of your data, we are committed to complying with our legal obligations as controller of your personal data, and to transparency about what we use your data for.
(3) Our legal obligations are set out in: (a) the UK GDPR; (b) the Data Protection Act 2018 (supplements the UK GDPR); and (c) the Data (Use And Access) Act 2025.
(4) As controller, we comply with the data protection principles in the UK GDPR when gathering and using personal information.
(5) We seek to ensure that our information collection and processing is always proportionate.
(6) We will inform you of any material changes to information we collect or to the purposes for which we collect and process it, through updates to this policy.
Recruitment Agents
(1) If you apply for a role with us through a third party recruiter, then they will also process your data in accordance with their own privacy notice.
(2) They will be the data controller for their processing, and we will be the data controller for our processing.
(3) Please contact them to ask for a copy of their privacy notice.
Must you provide data?
(1) For job applicants, we need you to provide the personal data, including through any recruitment agency used, in order to operate the recruitment process, verify your identity and right to work, check your background, obtain references, and assess your suitability, and negotiate any employment contract. If you do not provide the personal data we reasonably ask for, we may terminate the recruitment process.
(2) For job candidates, where we collect your data from public sources to identify potential candidates for openings that we have, you do not need to provide your personal data, and you can ask us to stop processing your data at any time.
No automated decision making
(1) We do not use automated decision-making tools or processes to arrive at employment related decisions.
(2) However, for job candidates, we may use cloud services that filter and rank candidates for our recruitment team.
Contracts
When we refer to a contract in this privacy notice, we mean the employment contract you are applying for.
3. WHO IS THE CONTROLLER OR PROCESSOR OF YOUR DATA?
The controller of your data is ENSEK LTD, and our contact details are set out below.
Company Name
ENSEK Ltd
Company Number
UK Companies House: 07167027
Country of Registration
England and Wales
Registered Office
(1) Hounds Gate, 30-34 Hounds Gate, Nottingham, England, NG1 7AB.
(2) This is also our postal address and head office.
Website
Careers Email
HR Email
Data Protection Email
Our Data Protection Officer
Our Data Protection Officer can be contacted through the email address provided above.
4. WHAT DATA DO WE HOLD ABOUT YOU?
This section lists what data we hold about you, as a job candidate and/or job applicant.
4.1 Job Candidate Data
This section lists what data we hold about you if we research and identify you as a Candidate to approach to work for ENSEK.
Activity History
We will maintain a history of activity relating to you, including history of past engagement.
Average Time In Post
We may calculate an average time you spend in a role, to understand how suitable you might be for roles that need a longer term commitment.
Communications
We will have a record of communications with you, if we reach out to you to engage with you.
Contact Information
Your contact information, such as phone numbers and email addresses (home and work).
Current Work
Your current workplace and job title, and more specific information about the job that you do day to day.
CVs & Resumes
CVs and resumes that are publicly available or obtained from you.
Education
Your educational history, and notes on any gaps.
Geographic Location
Your geographic location (such as country, city, and state).
Grouping and Tagging
(1) We may store grouping and tagging information about you as part of grouping candidates into lists, such as by role or stage.
(2) We may record prioritisation information, to prioritize candidates according to likelihood of engaging.
Highlights & Summary
We may create highlights, insights, and summaries about you, including using AI, to support our recruitment teams.
Name
Your first, middle, and last names.
Notes
We may record our own notes and comments about you in our systems.
Opinions
We may generate opinions, including using AI, such as your likelihood of being interested in a role at ENSEK.
Professional Characteristics
(1) We may infer professional characteristics about job candidates based on the information collected, such as: seniority level, industry expertise, or likelihood of interest in new opportunities.
(2) We may obtain activity signals from GitHub, publications, speaking engagements, and other activity of yours visible on the internet.
Qualifications
Your professional or employment-related qualifications.
Sensitive Data
We do not collect sensitive data about you (such as health or political affiliation).
Social Networks & Public Profiles
Any public-facing social media accounts and other public profiles you have, including LinkedIn, Instagram, and Facebook.
Work History
Your work history, periods of working at different employers, roles held, skills, experience, publications, job titles, promotions, employment related experience, and total work experience.
4.2 Job Applicant Data
This section lists what data we hold about you, in connection with any job application you make.
Some of this data will only be used after you have received an offer of employment, as part of the pre-employment checking process.
Academic History
Information about your academic history, including schools and higher education, degrees and post-graduate education, and vocational training.
Account Data
Account information when you sign-up for an account with us in any of our people systems, including any job candidate system, recruitment system, employee management system or performance management system.
Actions
Records of action and to-do lists made in relation to you.
Activity
Records of activity relating to your job application.
Application
Your application details, including cover letter, and the location and role applied for.
Assessments
Assessments, opinions, judgements, and decisions made in respect of your job application and suitability for the job.
Background Checks
Results of any background and right to work checks, and any supporting documentation:
(1) digital identity verification and passport validation;
(2) right to work checks and supporting documentation;
(3) address confirmation and electoral roll checks;
(4) financial status search including county court judgements, insolvencies, and bankruptcy orders;
(5) checks with global and other sanctions lists, enforcement agency checks, and checks for PEP status (politically exposed persons);
(6) employment history verification, over 5 years, with an explanation of and evidence for gaps;
(7) criminal convictions and disclosure checks, including DBS certificates.
Biography
Biographical details, including hobbies, interests, and background, from your CV.
CCTV
(1) You may be captured on CCTV if you visit our premises.
Claims
Information relating to any legal claims made by you in connection with your recruitment for use in dealing with and defending or settling those claims.
Comments
Internal comments recorded relating to your application in our recruitment system.
Consents
(1) Your consents to our processing of your data in connection with your application.
(2) Your consents to receiving updates about job opportunities.
Contact Details
(1) Your contact details.
(2) Your personal and work email addresses.
(3) Your personal and work telephone and mobile numbers.
CV
The information contained in your CV, including employment and education history, and leisure, interests, skills, and hobbies.
Employment History
(1) Your employment history.
(2) Your previous employers and your role with those previous employers.
(3) Start and end dates of previous employments.
(4) Salary, benefits, and notice period with current/previous employer.
Health
Information regarding your health, medical conditions, disabilities, if included in your CV, or where needed in order to make appropriate adjustments and arrangements for interviews to account for these.
Identity Details
(1) Your name, home location, address, date of birth, and age.
(2) Your image, in photographic form, if you chose to provide it in your CV or in our online application system.
(3) We use these at the interview stage simply to establish initially who is applying for the role. Full verification checks are carried out if you are offered the job.
Interest In Notifications
You may register with us to get notifications for jobs of different kinds.
Job Candidate Data
If we collected or created any data relating to you in relation to searching for job candidates and reaching out, then this will become part of your job applicant data if you subsequently go on to apply for a job.
Messages
Messages exchanged in our recruitment system or by email relating to your application.
Recruitment Agency
(1) The recruitment agency you were introduced through.
(2) Any other channel you were introduced or applied through.
References
(1) Details of your referees.
(2) If you are offered the job, then we may also take up and store references.
Right to work
(1) Information about your right to work in the country where the role is based.
(2) At the interview stage this is to give us an indicative view.
(3) If you are offered the job, then we will also ask for proof (including your share code from HMRC).
Skills and Qualifications
Your professional qualifications, skills, and experience.
Social Media
Details about you from your LinkedIn account as published by you, to help us prepare for interviews with you and assess you for the role applied for.
Subject Access Requests
Details of subject access requests you make comprising communications with you, and responses we give.
Tests and Assessments
Tests and assessments we administer with you, to test your skills and capabilities, including scores.
5. HOW DO WE OBTAIN YOUR DATA?
This section sets out how we obtain job prospect and job applicant data.
AI Usage
(1) We may use AI to generate candidate summaries highlighting relevant skills, experience, and match to the roles we need.
(2) We may use AI for a variety of recruitment processes, including ranking and filtering.
Cloud Search Services
We may use third party cloud services to obtain publicly available information about you, that is relevant to our search for job candidates.
Communications With You
We obtain it from communications and conversations with you, which may include phone calls, video calls, interviews, emails, and instant messaging.
Forms You Complete
(1) We obtain it from forms you complete.
(2) You may have provided it through a job application form online.
(3) You may have provided it through an online job board or other third party recruitment service (such as LinkedIn jobs).
(4) You may have provided it in a computer file you have filled in.
(5) You may have provided it through a paper form you have completed.
Interaction Information
(1) We or any services we use may maintain pages on social media platforms.
(2) When you visit or interact with those pages on those platforms, you or the services/platforms may provide us with information about you.
Job Candidate Process
If you started as a job candidate, then we may also have obtained data through the methods noted for job candidates.
Our Staff
We may obtain information about you where our own staff provide us with your CV and/or other details, as part of any referral scheme we operate internally.
Publicly Available Information
(1) We may search the internet for public information that is published about you, including using third party tools and services to do this, which may include AI.
(2) If you have a public or published profile, resume, or CV on a website, we may collect information from that.
Recruitment Agencies
We obtain data from a recruitment professional that was involved in your recruitment with us, or who put you forward as a candidate.
Third Parties Generally
We may obtain information about you from the following third parties:
(1) Recruitment professionals involved in your recruitment with us.
(2) Our own staff referring you as a potential job candidate.
Verification By Third Parties
Also, if you are offered the job, we may obtain information from third parties for verification purposes including:
(1) HMRC
(2) Home Office
(3) Referees.
Your Messages and Documents
(1) We obtain it from any CV you provide, or from any other documents or documentary evidence you provide, such as passports and proofs of address, identity and right to work.
(2) We obtain it also from emails and written messages you send to us (including enquiries you may send about jobs and placements).
(3) We obtain it from your public LinkedIn account.
6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA?
To be able to process your data we need to have a lawful basis for doing so under the law. This part sets out the types of lawful basis we can use, and then sets out the purposes for which we process your data and the main lawful basis for doing so.
Contract
(1) We need to use your data to enter into or perform a contract with you.
(2) This includes entering into and performing any employment contract or service contract.
Legal Obligation
(1) We need to do so to comply with a legal obligation or exercise a legal right. This could be a statute.
(2) For example, we need to verify your right to work.
Legitimate Interests
(1) In most cases we process on the basis of our "legitimate interests".
(2) This is a flexible ground which we must be able to demonstrate.
(3) It requires a judgement on our part, but typically means doing something you would normally expect a business to do, or something for which there is a compelling justification.
(4) You have a right to object if you don't agree with our judgement (see later in this notice), and we must stop if it is clear you have overriding reasons for asking us to stop.
Our Legitimate Interest - Job Applicants
(1) Legitimate Interest. Most of our processing would fall within the following legitimate interests in the field of recruitment: (a) to verify your identity, address, history, suitability, reliability and right to work; (b) to operate a fair recruitment process; (c) to make an informed decision and select the right person for our business; (d) to operate our equal opportunities obligations and policies; (e) to comply with legal obligations and carry out statutory background and right to work checks / provide data to third parties as required by law; (f) to insure our business.
(2) Considerations. In order to recruit, we have to follow a well reasoned and sophisticated process.
(3) Your interests. It is in your interest that we carry out a proper and fair recruitment and engagement process, and that we engage only with suitable staff.
Legitimate Interest - Job candidates
(1) Legitimate Interest. Our legitimate interests in finding candidates to fill roles that we have in our business, in an efficient manner, for the success of our business.
(2) Considerations. We collect a range of data and use cloud services to support this, to ensure that we are targeting the right individuals and matching individuals efficiently, which means that we are not processing data unnecessarily, and we only reach out to candidates in a targeted way, streamlining the process and improving hiring outcomes. By using search services we gain access to a wider pool, and support efficiency.
(3) Your interests. This is in your interest in that it indirectly supports you if you are looking for alternative roles, saving you the time of searching. However, you want to know about when and how your data is being processed, so this notice supports that, and you can ask for us to stop processing it at any time.
Legitimate Interests - Security
(1) Legitimate Interest. Our business handles a lot of security sensitive data, can access smart meters, and aims to be certified to ISO 27001 (security).
(2) Considerations. Accordingly, we need to carry out background checks on all our staff, including criminal convictions, credit check, global watch list, electoral roll, and 5 years address and employment history.
(3) This will be covered by our employee privacy notice as well.
(4) We only process criminal convictions if you are awarded the job.
Sensitive Data
(1) More restrictive rules apply to sensitive data about "racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person's sex life or sexual orientation".
(2) We can only process it for one of the following reasons: (a) Employment Law - The processing is in the field of employment and social security and social protection law and be authorised by law; (b) Occupational Health - The processing is necessary for preventative or occupational medicine, assessing your fitness to work, provision of health or social care; (c) Public Data - You placed the data into the public domain intentionally; (d) Claims - The processing is needed to make or defend a legal claim; (e) Consent - If none of the above apply, you have given a clear explicit and informed consent to the specific use.
(3) In your case, we only process health data, for the purposes of assessing your fitness to work and any reasonable adjustments we may have to make if you have a disability.
Your Vital Interests
(1) We need to do so to protect your vital interests.
(2) This could include care for your health and safety.
Your Consent
(1) If the above do not apply, we would need to get your consent to the specific use.
(2) This could be an explicit documented consent, or it could be implicit because you have requested some action to be taken involving your data.
7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?
This part sets out the key purposes we use your data for.
7.1 Job Candidate Purposes
This part sets out the key purposes we use job prospect data for.
# OVERVIEW
(1) Purpose. To discover and engage with individuals who may be candidates for jobs that ENSEK has.
(2) Examples. Searching the internet for your published information, assessing your suitability, and reaching out to you.
(3) Lawful Basis. Legitimate Interests - Finding candidates to fill roles that ENSEK has through as wide a pool as possible, alongside other methods such as recruitment agents and advertising, and doing this as efficiently and accurately as possible.
# SEARCH
Searching
(1) Purpose. Searching for job candidates to reach out to.
(2) Examples. We may use search services and AI search to support this. Search is calibrated for our hiring goals. We may organise identified candidates by seniority, skills, roles, activity level, and education.
(3) Lawful Basis. Legitimate Interests - To not waste our time or yours approaching individuals who are not likely to be interested or suitable, and to identify staff candidates efficiently to fulfil our business needs.
Re-Discovery
(1) Purpose. Maintain your details for potential future roles.
(2) Examples. We do not want to overlook past applicants who were strong fits but not selected, or did not progress due to changes in our business, or did not
(3) Lawful Basis. Legitimate Interests - To not lose sight of potential candidates, and save time re-finding you. This benefits you in that you may be re-approached by us.
Filtering
(1) Purpose. Targeting, filtering and ranking candidates against suitability criteria and fit.
(2) Examples. Maintaining a prioritised list of suitable and likely candidates for a given role.
(3) Lawful Basis. Legitimate Interests - Not wasting your time or ours, by approaching the most likely candidates.
Evaluation
(1) Purpose. Evaluate and stack-rank profiles by criteria.
(2) Example. We may automatically rank your profile with others, to identify which candidates are the best match for an open role.
(3) Lawful Basis. Legitimate Interests - So that we only reach out to the best-fit candidates, and save time on manual review by using AI.
Talent Market
(1) Purpose. To understand the talent market map.
(2) Example. We may use our data to help us monitor the talent market, to understand where candidates are located, most common skills, average tenure, and other points of measurement.
(3) Lawful Basis. Legitimate Interests - Improve recruitment planning with real-time insights with data-backed decisions.
# OUTREACH
Invite Applications
(1) Purpose. To invite you to apply for jobs with ENSEK, or to invite you to sign up for notifications about openings or stay in touch.
(2) Lawful Basis. Legitimate Interests - To identify and build relations with job candidates.
Communications
(1) Purpose. To engage in outreach conversations and communications with you via email and messaging, some of which may be initiated by AI. Management of those communications, and recording of steps in those communications and follow-ups.
(2) Example. Reaching out to you to gauge your interest in a role, and in being in touch with us.
(3) Lawful Basis. Legitimate Interests - To identify and engage with potential job candidates and rule out persons not interested in further contact.
Analytics
(1) Purpose. To build up analytics about how we are doing with reaching out to candidates.
(2) Example. We may use real-time analytics on open rates, click-throughs, replies, and bounces.
(3) Lawful Basis. Legitimate Interests - To refine our messaging to improve response and minimize drop-off, and optimize our outreach, and to make data-backed decisions to improve campaign effectiveness over time.
Status Monitoring
(1) Purpose. To track status by step, to see who has replied.
(2) Example. We may monitor and filter by campaign, sender, or role.
(3) Lawful Basis. Legitimate Interests - To ensure that we target active and interested persons, and do not waste our time or yours pursuing candidates who are not interested.
# PROFILES
History
(1) Purpose. To maintain a history of job candidates identified and engaged with.
(2) Example. We may organise candidates into unified records with notes, tags, and full activity history, and review these.
(3) Lawful Basis. Legitimate Interests - To review our talent identification processes, to know who we have engaged with and identified, to avoid re-contacting persons not interested, to re-consider for future roles that come up, and to ensure we engage with you appropriately based on what we have learned from previous engagements.
Tracking
(1) Purpose. Tracking engagement with a candidate.
(2) Example. Logging interactions, including notes, activity, tasks and similar.
(3) Lawful Basis. Legitimate Interest - Effective and efficient, and respectful, management of engagement with job candidates.
AI
(1) Purpose. We may use AI with your data for a range of purposes connected with identifying and reaching out to job candidates, including: (a) to generate search queries for roles; (b) to run searches and look for candidates across the internet; (c) to assess job candidates against role criteria; (d) to send initial out-reach emails; (e) to support with reporting and feedback; (f) to support with analytics on candidate quality, response rates, and AI performance & behaviours.
(2) Lawful Basis. Legitimate Interest - Effective and efficient, and respectful, management of engagement with job candidates.
Integration
(1) Purpose. We may integrate with our recruitment and employee management systems, to pass data between them if you apply for a role.
(2) Example. We may save profiles directly into our other systems, including contact details, current company and job, and profile URLs.
(3) Lawful Basis. Legitimate Interests - Ensuring your information is available and consistent across our systems in future stages of a recruitment process.
7.2 Job Applicant Purposes
This part sets out the key purposes we use job applicant data for.
Administration
(1) Purpose. To administer the recruitment process.
(2) Examples. Keeping a record of your application. Arranging and holding interviews, making decisions, informing you and keeping records. Auditing our recruitment and other processes and reviewing decisions made.
(3) Lawful Basis. Contract - Preparing for a contract with you. Legitimate Interest - Operating a fair and well run recruitment process.
Assessment
(1) Purpose. To make an assessment of your suitability and a decision as to your appointment.
(2) Examples. Considering your skills, experience, and qualifications. Assessing your general aptitude and attitude and personal qualities. Comparing you with other applications.
(3) Lawful Basis. Contract - Preparing for a contract with you. Legitimate Interests - Operating a fair and well run recruitment process.
Background Checks
(1) Purpose. Carrying out ENSEK's background checks with third parties to assess your reliability and security risk status. ENSEK's business handles a lot of security sensitive data, and can access smart meters, and accordingly ENSEK carries out background checks on all ENSEK's staff, to protect security and privacy.
(2) Examples. Digital identity verification and passport validation. Right to work check. Address confirmation and electoral roll checks. Financial status search including county court judgements, insolvencies, and bankruptcy orders. Checks with global and other sanctions lists, enforcement agency checks, and checks for PEP status (politically exposed persons). Employment history verification, over 5 years, with an explanation of and evidence for gaps. Criminal convictions and disclosure checks.
(3) Lawful Basis. Legitimate Interests - ENSEK's business handles security sensitive data, including connections with smart meters, and needs to be able to meet regulatory and client security standards. Legitimate Interests - To protect ENSEK's networks and information security.
Contacting You
(1) Purpose. Contacting you and your next of kin.
(2) Examples. We may contact you by letter, email, or phone where appropriate in relation to your application. We may arrange interviews and inform you of the outcome at all stages.
(3) Lawful Basis. Contract - To enter into an employment or services contract with you. Legitimate Interests - To properly deal with your application.
Entitlement to Work
(1) Purpose. To record your entitlement to work, but without verifying it at the interview stage. If you are offered employment, then we may also require proof of your entitlement to work.
(2) Lawful Basis. Legitimate Interest - To ensure that we are lawfully employing our staff.
Health and Fitness To Work
(1) Purpose. At the interview stage we would use health data to make reasonable adjustments for interviews. If you are offered the job, then we would process health data to assess fitness to work and make reasonable adjustments in the workplace.
(2) Examples. To assess your medical conditions and allergies. To assess any disabilities and reasonable adjustments we may need to make.
(3) Lawful Basis. Legitimate Interest - To ensure that our staff are fit to work. Your Interests - To ensure that your health and safety is properly considered for work.
Identity
(1) Purpose. To record your identity and address, but without verifying this at the interview stage. If you are offered the job, then we may verify your identity and address and require proofs of this.
(2) Examples. If we verify your identity, we may check identity documents, such as a passport and driving licence, and check your address, including through utility bills.
(3) Lawful Basis. Contract - To enter into and perform an employment or services contract with you. Legitimate Interests - To know who our candidate is and where they can be contacted in relation to the application, and to inform our relevant managers of your application.
Recruitment Agents
(1) Purpose. To share data with recruitment agents who introduced you, to let them know the outcome and pay them any commission due. To verify the applicability of any restriction periods preventing us engaging you directly.
(2) Lawful Basis. Legitimate Interests - To be able to use recruitment agents to find staff.
References
(1) Purpose. To capture reference details. Assessing your suitability for the role you applied for.
(2) Examples. Obtaining references from your referees. Sharing those references with managers responsible for interviewing you and making decisions. Reviewing those references to assess your suitability and prepare for interviews with you.
(3) Lawful Basis. Contract - To prepare for entering into a contract with you. Legitimate Interests - To be able to fairly judge your suitability for the role, and against other candidates.
8. WHO DO WE SHARE YOUR DATA WITH?
This section details who we may share your information with. We will normally share in confidence unless the law requires otherwise.
Auditors
(1) Description. We may share your personal data with any third party that is auditing our business and controls, including our security measures and operational controls, for the purposes of evidence, but only to the extent reasonably required for such evidence. It will be shared securely, and under a non-disclosure agreement, and is normally shared to the auditors' secure evidence repository.
(2) Recipient Role. They use it as our sub-processor, to provide audit services to us.
(3) Retention. They may retain this in archive for up to 7 years, as evidence of the audit services provided.
Background Check Providers
(1) Description. We will share your information with background check providers (currently Experian) to the extent necessary for them to carry out background checks such as: (a) criminal records; (b) credit; (c) electoral roll, world watch list, and address and employment history.
(2) Recipient Role. They use it as our sub-processor, or provide the background check information to ourselves. A credit search may also go on your credit record and they will do this as controller.
(3) Retention. They will retain this for 12 months in their systems.
Consultants
(1) Description. We may share your information with external consultants that we use to support and operate our recruitment processes and activities. We will normally have them process your data within ENSEK laptops and systems.
(2) Recipient Role. They receive it as a data processor.
(3) Retention. ENSEK retention policies in this notice.
Other Staff
(1) Description. We may share your information where relevant with other staff who are to be involved in: job candidate searches, shortlisting, co-ordination of search campaigns, interviewing you or making decisions on your employment. If you are successful we may share your information with our People Team to commence your joining process with us.
(2) Recipient Role. They will receive it in their capacity as our staff.
(3) Retention. ENSEK retention policies in this notice.
Recruitment Agents
(1) Description. We may share data with recruitment agents who introduced you, to let them know the outcome and pay them any commission due.
(2) Recipient Role. They will receive it as data controller, and will let you have a privacy notice if legally required.
(3) Retention. They will retain this according to their own retention policies.
Referees
(1) Description. To your referees as needed to provide us with a reference.
(2) Recipient Role. They will receive it as data controller, and will let you have a privacy notice if legally required.
(3) Retention. They will retain this according to their own retention policies.
9. WHERE DO WE KEEP YOUR DATA?
Introduction
(1) Your data is kept in the systems and locations referred to below.
(2) We no longer keep any paper records and all of your data is created, stored, and retained electronically.
General Location
(1) ENSEK has a supplier on-boarding process that assesses where your data is held, and the security and privacy compliance measures of that supplier.
(2) ENSEK aims to use cloud service providers who store your data in data centres in the UK or European Economic Area, but occasionally also the USA, following EU and UK rules for data transfers.
(3) ENSEK accesses these systems from its networks and staff located in the UK.
Job Candidate Search Systems
ENSEK uses job candidate search and recruitment systems, which store data in the UK, EEA and/or USA.
Recruitment System
(1) ENSEK uses a job application system to advertise jobs and manage job applications, which links to our website, our job candidate search systems, and our employee management systems, and can also receive information from recruitment agents.
(2) We currently use the recruitment cloud service provided by Teamtailor (https://www.teamtailor.com/), which is hosted in the EEA, to store job applicant data, including your CV and application details, and track your application.
(3) Your CV is shared securely by link from that system to staff who will be involved in your recruitment only.
Office Systems
(1) ENSEK uses Microsoft, Google and other apps for its general email, messaging, document creation, document storage and document sharing and its social and collaborative features.
(2) Your personal data may appear there in an ad-hoc form for a specific use connected with your recruitment, including emails and contacts from you about placements and recruitment.
10. HOW LONG DO WE KEEP YOUR DATA FOR?
This section covers our retention policy.
General Principle
We will only use your data for as long as it is required for the purposes for which it is processed.
Job Candidates
We hold data relating to job candidates, in our talent search systems, for the period of active contact, and for 12 months after the last active contact in those systems; whether or not the candidate subsequently became an employee of ENSEK.
Job Applicants - Unsuccessful
(1) If you are not successful, then we will retain a copy of your data for 18 months after the end of the recruitment process, but we will not use it except as follows: (a) if you re-apply for the same role, or apply for a different role; (b) if we need to check whether we are outside any restrictions preventing us from recruiting you directly and not through a recruitment agency; or (c) to maintain evidence in case of claims.
(2) You can ask us to keep your CV and details on file, and your account in our job application system open, longer than this, but we reserve the right to delete it at any time.
Job Applicants - Successful
(1) If you are successful, then our full employee privacy notice will apply and you will be informed of that separately, which has a 7 year retention period from the end of your employment.
(2) Your data and account in our recruitment system will be retained for that same period of time.
Archiving Period - CCTV
CCTV recordings of our office reception and public areas are held for 30 days, unless a recording is needed for evidence in relation to an incident that has happened, in which case we may hold the data for as long as may be reasonably required for that incident.
11. HOW DO WE KEEP YOUR DATA SECURE?
This section covers our security measures.
General Principle
(1) We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
(2) In particular we have the following measures to keep your data secure.
ISO 27001
We are certified to and aim to keep certified to ISO 27001:2022, which requires us to have a security management system, and to maintain a wide range of security controls. See ISO 27001
ISO 27701
We are also certified to and aim to keep certified to ISO 27701:2019, which is an extension to ISO 27001 for privacy information management. See ISO 27701
SOC
We have our security controls audited independently by an auditor under the SOC (service organisation controls) audit standards, as well as under the smart energy code, the retail energy code, and other standards.
Data Breach
(1) We have procedures in place to deal with any suspected data security breach affecting your data.
(2) We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Other Measures and Controls
(1) The above standards and audits require and examine all our security and privacy measures and controls, which we have in place to protect against unauthorised use, access to, change to, or disclosure of your data, against viruses and other malicious software, and against unauthorised access to our equipment, offices, networks, cloud systems, and databases.
(2) These measures and controls cover areas such as office access controls, equipment log-in, cloud system log-in and associated roles and permissions, network and access monitoring, staff training, management, staff background checks, usage monitoring, anti-virus and other protective software and devices, and data segregation and encryption.
System Providers
Individual system providers listed in this document have their own separate security and controls with respect to your data in their systems, and we consider these prior to using those systems.
Cloud First
We operate on a "cloud first" basis, which means that your data is stored in secure and reputable cloud systems, rather than at any offices of ours.
Access Controls
We limit access to your personal information to those who have a genuine business need to know it.
Proportionate and Confidential
Those processing your information will do so only in an authorised and proportionate manner and are subject to a duty of confidentiality.
12. WHAT ARE YOUR RIGHTS?
This section covers your rights in relation to our processing of your data.
Introduction
(1) You have the following rights in relation to our processing of your personal data, but please note that these rights may be subject to conditions and exceptions set out in the law.
(2) If you would like to exercise these rights, please contact the head of human resources or our data protection officer.
(3) If you are not sure, just email us using our contact details in this document.
Our Service Providers
If you ask for the following, we are obliged to pass this request down to the providers of the systems we use and anyone else we use to process your data, as needed. See Article 19 of the UK GDPR.
Right to be informed
(1) You have the right to be informed if your data is being used.
(2) This document is how we are informing you.
(3) See Article 13 and Article 14 of the UK GDPR.
Right to withdraw consent
If any processing is based on your consent, you have the right to withdraw it at any time. Just email using our contact details in this document.
Right to stop direct marketing
You have the right to stop direct marketing at any time.
Right to a copy
(1) You have a right to an update of the information in this document.
(2) You also have a right to a copy of the personal data we hold about you.
(3) See Article 15 - Paragraph 3 of the UK GDPR.
(4) You have the right to ask for your data in a computer-readable form, so that you can use it elsewhere.
(5) See Article 20 of the UK GDPR.
Right to a correction
(1) You have the right to request correction of your data (a right to rectification).
(2) See Article 16 of the UK GDPR.
Right to erasure
(1) You have the right to request erasure of your data (also known as the right to be forgotten).
(2) However, there are a range of exceptions to this, which mean that we do not have to erase your data if there are good reasons for retaining a copy of it.
(3) See Article 17 of the UK GDPR.
Right to restriction
(1) You have the right to request that we stop using your data for some purposes.
(2) There are conditions that apply.
(3) This means that we might still hold your data, but we would be stopped from using it for certain purposes.
(4) See Article 18 of the UK GDPR.
Right to object to legitimate interests
(1) If the legal basis for our using your personal data is a "legitimate interest", or we are using your data to market to you, then you can object to the processing.
(2) See Article 21 of the UK GDPR.
(3) We must stop the processing, unless we can show that our interests should take precedence over yours.
Automated Decision Making
(1) If we are making important decisions about you using a computer, without any human involvement, then you can ask us to stop, subject to conditions.
(2) See Articles 22 to 22D of the UK GDPR.
Right to complain
(1) We hope that our head of human resources and data protection officer can resolve any query or concern you have about our use of your personal data or your rights.
(2) In any case, you have the right to complain to the Information Commissioner at any time.
(3) Their details are: (a) Address - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; (b) Helpline number - 0303 123 1113; (c) ICO website - https://ico.org.uk/make-a-complaint/
13. USEFUL LINKS
Data Protection Act 2018
Contains additional rules to support the UK GDPR.
https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
UK GDPR
The UK's version of the EU GDPR following BREXIT.
https://www.legislation.gov.uk/eur/2016/679/contents
Information Commission - Make a Complaint
Information Commission page for making a complaint.
https://ico.org.uk/make-a-complaint/
Information Commissioner - Your Rights
Information Commission page for noting your rights.
https://ico.org.uk/your-data-matters/
Cezanne
A cloud service we use for employee management.
Juicebox
(1) A cloud service we use for talent searching, job candidates, and outreach.
(2) Used to store job candidate data.
(3) You can change or restrict what they see about you by reaching out to them.
(4) Hosted in the USA.
https://juicebox.ai/privacy-center
LinkedIn Recruiter
(1) A cloud service we use for talent searching, job candidates, and outreach.
(2) Used to store job candidate data.
(3) You can change or restrict what they see about you by reaching out to them.
(4) Hosted in the USA.
https://business.linkedin.com/hire/recruiter
Teamtailor
(1) A cloud service we use for job application management.
(2) Used to store job applicant data, including your CV and application details and track your application.
(3) Hosted in the EEA.