Job Applicant Privacy Notice
This privacy notice describes how XM.Works Ltd collects and uses personal data, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any other applicable data protection law in the United Kingdom.
It applies to personal data provided to us, directly by you, or from third parties, such as references supplied by former employers or agencies, and information from criminal record checks permitted by law.
We provide individuals with privacy information at the time we collect their personal data. This privacy policy explains how we use any personal information we collect.
Why is your personal data processed?
We process your data at the job application stage because:
we have a legitimate interest in processing your personal data during the recruitment process and for keeping records of the process, as processing data from job applicants allows the organisation to manage the recruitment process to assess and confirm a candidate’s suitability for employment and decide who should be offered the position
we may need to process data from job applicants to respond to and defend against legal claims
in some cases, we need to process data to ensure compliance with our legal obligations, for example ensuring your entitlement to work in the UK
we may need to make reasonable adjustments to the recruitment process for candidates who have a disability, carrying out our obligations and exercising specific rights in relation to employment
where we need to process other special categories of data, such as information about ethnic origin, sexual orientation or disability, to fulfil our obligations under equalities legislation, this information will be collected and held on an anonymised basis
for some roles, we are obliged to seek information about criminal convictions and offences, because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment to establish whether an individual has committed an unlawful act or been involved in dishonesty or other improper conduct.
What information do we collect about you?
The information you will be asked to provide will be about you and your circumstances as relevant to your application, such as your:
contact details
educational qualifications and experience
employment history
date of birth
right to work in the UK
unspent criminal convictions
carer commitments.
Some types of personal data are defined as special. We will only use these types of information where we need to for equalities purposes and if the law allows us to. Special categories of personal data include:
Racial or ethnic origin
Political opinions, religious or philosophical beliefs
Genetic or biometric data used for ID purposes
Health data
Sex life and sexual orientation
Criminal convictions data.
Data security
We have put in place appropriate security measures to protect your personal information from:
being accidentally lost, used or accessed in an unauthorised way
being altered or disclosed.
In addition, we limit access to your personal information to those who have a business need to know.
We have put procedures in place to deal with any suspected data security breach and we will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Data sharing
We will share personal data with third parties where we are required by law or where we have another lawful basis for doing so.
While we would not normally transfer data outside the EU, in exceptional circumstances where this is the case, all personal data will be provided with adequate protection and transferred lawfully. Where we transfer personal data outside the EU, to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.
We will also share personal data with third-party service providers. For example, we use third parties to provide our IT and cloud services, which include our Recruitment portal.
All our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.
We sometimes need to share the personal information we process with other organisations. When this is necessary, we will comply with all aspects of the relevant data protection laws. The organisations we may share your personal information with include:
the police, other law enforcement agencies, HM Revenue & Customs, or where we have a legal or regulatory obligation to do so
relevant regulators, including the Information Commissioner’s Office in the event of a personal data breach.
If false or inaccurate information is provided or fraud identified, XM.Works Ltd can lawfully share your personal information with fraud prevention agencies to detect and prevent fraud and money laundering.
We may contact you for research purposes. Participation in such research is entirely voluntary with no obligation to take part.
Data Retention
We will retain the personal information we hold about you only for as long as considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In line with the Data Protection Act 2018 and this Job Applicant Privacy Policy, we keep personal information for unsuccessful candidates for a maximum of six months after the end of the financial year in which it was sent to us (1 July to 30 June).
If applicants have been unsuccessful but we would like to consider them for future roles in the coming three to six months, we will tell them. If they ask, all candidates we interview can have access to any interview notes for up to six months after the date of their interview.
Other records, which are not required to be retained as part of our statutory function, will be kept for a period depending on:
the type, amount and categories of personal data we have collected
the requirements of our business and the services we provide
the purposes for which we originally collected the personal data
the lawful grounds upon which we based our processing
any relevant legal or regulatory obligations.
We continually review our data retention policies, and we reserve the right to amend the retention periods without notice.
Changes to your data
It is important that the personal information we hold about you is accurate and up to date.
Please keep us informed if your personal information changes.
Your rights
Under the UK General Data Protection Regulation (UK GDPR) you have the right:
To be informed about how we collect and use your personal information through privacy notices such as this.
To request information we hold about you. This is known as a subject access request and is free of charge. We must respond within one month, although this can be extended by a further two months if the information is complex.
To rectification. You are entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
To erasure. You have the right to ask us to delete your information or stop using it. It will not always be possible for us to comply with your request, for example if we have a legal obligation to keep the information. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
To restrict processing. You have the right to restrict how your data is processed in certain circumstances, for example if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. If we decide to lift a restriction on processing, we must tell you.
To data portability. If we are processing your personal data with your consent, and it is held in a structured, commonly used, machine readable form, you have a right to ask us to transmit it to another data controller so they can use it. This right does not apply if we process your personal data as part of our public task.
To object. You can object to your information being used for profiling, direct marketing or research purposes.
To be informed about any automated individual decision making, including profiling, with legal or similarly significant effects and be given an opportunity to request human intervention or challenge a decision.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer a copy of your personal information to another party or request the reconsideration of an automated decision, please contact our Data Protection Officer on DPO@xm.works.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer on DPO@xm.works.
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.
If you are unhappy with the response you get from us, you can ask us to look again at your request – you can write to our Data Protection Officer on DPO@xm.works.
At any time, you are entitled to ask the Information Commissioner to review our decision or to go to court to enforce your rights.
Changes to this privacy notice
We keep this privacy notice under regular review. This privacy notice was last updated on 10/12/2025.
The Information Commissioner
You can find information about how to report a concern to the Information Commissioner on their website, as well as call or write to them.
First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113.
Website: ico.org.uk (includes complaints form that you can email to the commissioner).