Phone: +44 (0)121 778 2400 Email: info@e2ehrc.com

Privacy Policy

Introduction & Background
E2E HRC Ltd has reviewed its policy on data protection in line with the forthcoming General Data Protection Regulation (GDPR), which was approved by the EU Parliament in April 2016 and must be fully implemented by UK companies by May 25th 2018.

The GDPR seeks to improve individuals’ data rights, primarily with regard to collection, usage, storage and disposal. In order to be compliant, it is necessary for us to completely review procedures and controls.

We can confirm that:
  • data will be kept safe and secure
  • data will be handled legally, responsibly and ethically
  • people are open and transparent about what data they are using and why
  • data will be processed lawfully, fairly and transparently
  • data will be collected only for specific legitimate purposes
  • data will be adequate, relevant and limited to what is necessary
  • data must be accurate and kept up to date
  • data will be stored only as long as is necessary
  • we will ensure appropriate security, integrity and confidentiality
  • a Designated Data Officer (DDO) will be responsible for this important subject

GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
  • Information must ‘relate to’ the identifiable individual to be personal data.
  • This means that it does more than simply identify them – it must concern the individual in some way.


Designated Data Officer (DDO): we have appointed David Robertson as DDO.

Lawful Basis
  • We must have a valid lawful basis in order to process personal data.
  • The Privacy Notice includes our lawful basis for processing as well as the purposes of the processing.
    1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
    2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
    3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
    4. Vital interests: the processing is necessary to protect someone’s life.
    5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
    6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

We have selected Legitimate Interests as our lawful basis for processing:

Article 6(1)(f) of the Regulation:

"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

This can be broken down into a three-part test:
  1. Purpose test: are you pursuing a legitimate interest? {Yes, the nature of our business requires us to collect, store and process personal data on employees for the purpose of forming contracts of employment, maintaining emergency contacts and registration etc. with various legal and regulatory bodies such as HMRC, Workplace Pension provider, UKVI. The nature of our business requires us to collect, store and process personal data on clients for the purposes of finding them a new job with prospective employers.}
  2. Necessity test: is the processing necessary for that purpose? {Yes}
  3. Balancing test: do the individual’s interests override the legitimate interest? {No, we cannot employ someone without processing personal data and we cannot carry out our business activities without processing certain personal data.}

We use data in ways that people would reasonably expect and that have a minimal privacy impact. This further supports our choice of legitimate interests as our lawful basis.

GDPR provides the following rights for individuals:
  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

The Right to be Informed:
  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

Right of Access:
  • Individuals have the right to access their personal data.
  • This is commonly referred to as subject access.
  • Individuals can make a subject access request verbally or in writing.
  • You have one month to respond to a request.
  • You cannot charge a fee to deal with a request in most circumstances.

Right of Rectification:
  • GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  • An individual can make a request for rectification verbally or in writing.
  • You have one calendar month to respond to a request.
  • In certain circumstances you can refuse a request for rectification.

Right of Erasure:
  • GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which GDPR places an obligation on you to consider whether to delete personal data.

Right to Restrict Processing:
  • Individuals have the right to request the restriction or suppression of their personal data.
  • When processing is restricted, you are permitted to store the personal data, but not use it.
  • An individual can make a request for restriction verbally or in writing.
  • You have one calendar month to respond to a request.

Right to Data Portability:
  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

Right to Object:
  • GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
  • Individuals have an absolute right to stop their data being used for direct marketing.
  • In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
  • You must tell individuals about their right to object.
  • An individual can make an objection verbally or in writing.
  • You have one calendar month to respond to an objection.