Job Applicant Privacy Notice
Last updated: 22nd December 2025
Introduction
XM.WORKS Ltd (“XM.WORKS”, “we”, “us”, “our”) are committed to protecting your privacy and meeting our legal obligations when you apply for a job or you (or an agent acting on your behalf) share your employment details with us. We are further committed to ensuring we meet our legal obligations when processing your Personal Data under the UK General Data Protection Regulation and the Data Protection Act 2018.
The purpose of this privacy notice is to explain what Personal Data we collect and use during the recruitment process. We are a company registered in England and Wales, registration number 10987594, with our registered office at Brightwell Grange, Britwell Road, Burnham, Buckinghamshire, England, SL1 8DF.
We are registered as a Controller with the UK supervisory authority, the Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number ZB937878.
We may update this privacy notice from time to time in response to any changes in the applicable privacy laws and regulations, as well as our own processing practices (and to products and services we offer). When changes are made, we will update the date at the top of this document.
What Personal Data do we process?
Personal Data means any information about an individual from which that person can be identified, therefore does not include data where the identity of the person has been removed (anonymous data). There are also special categories of more sensitive Personal Data which require a higher level of protection.
When you apply for a position, whether as an employee, worker, consultant, contractor or intern, or submit your CV (or similar employment information), whether directly or through an agency, or attend an interview in person or by remote means, we will collect your Personal Data.
This includes (but is not limited to):
name and contact details (address, mobile phone number and email address);
company details (where applicable);
date of birth and gender;
curriculum Vitae;
work history and employment positions held;
salary, other compensation, and benefits information;
nationality / visa / right to work information (where applicable);
academic and professional qualifications, education, and skills;
photographs you may submit with your application;
demographic information;
records we create during interviews or correspondence with you;
results of pre-employment screening checks such as references or DBS checks (where applicable); and
any other information you choose to give us.
We may also collect special category data in accordance with the Equality Act 2010 and other equality laws. We will only do this to make reasonable adjustments to enable all candidates to apply for vacancies, attend interviews and to commence employment. This is also necessary to ensure we meet our legal obligations when recruiting.
How we collect your Personal Data
We collect most of the Personal Data directly from you in person, by telephone, text or email.
However, we may also collect your Personal Data from third parties, such as referees and recruitment agencies.
Purposes and bases for using your Personal Data
We will process your personal information for the following purposes and under the following lawful bases:
| Purpose | Lawful Basis for Processing |
|---|---|
| To respond to your employment enquiry. | We have a legitimate interest to contact you regarding your application, to arrange an interview and to inform you of your progress through the recruitment process. |
| To assess your suitability for the role. | Processing is necessary for taking steps to enter into a contract with you or for the performance of our contract with you. For special category data, the additional basis that we rely on relates to our obligations in the field of employment and the safeguarding of your fundamental rights. |
| To make reasonable adjustments for you during the interview process and comply with our legal obligations under the Equality Act 2010. | Processing is necessary for us to comply with our legal obligations. For special category data, the additional basis that we rely on relates to our obligations in the field of employment and the safeguarding of your fundamental rights. |
| To conduct pre-employment screening checks including checking your identity and your right to work in the UK (where necessary). | Processing is necessary for us to comply with our legal obligations. For special category data, the additional basis that we rely on relates to our obligations in the field of employment and the safeguarding of your fundamental rights. |
| To contact unsuccessful applicants about future suitable vacancies. | Processing is necessary through our legitimate interest of searching for suitable candidates for future vacancies, based on their skills set out in the records we hold about candidates. OR We will carry out this processing where you have consented to us retaining your data and contacting you about future vacancies based on the skills set out in the records we hold about you (Article 6(1)(a) of the UK GDPR). |
| CCTV image capture (which includes Ring Doorbells) to ensure the health, safety and security of employees and visitors. | Processing is necessary in our legitimate interest to protect the health, safety and security of employees and visitors. |
Sensitive Personal Data
We will only process sensitive special category Personal Data where we meet one of the conditions required by law for doing so. This includes complying with legal obligations or exercising specific rights in the field of employment law. We may also ask for your explicit consent to process some special categories of Personal Data, but this is rare.
We process special categories of Personal Data when we collect or process information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work and to provide appropriate workplace adjustments.
Sharing of your information
We may share your Personal Data with service providers and suppliers to our business who process data on our behalf. In such cases, our service providers and suppliers are Processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the written contract between us and our service providers and suppliers.
Within XM.WORKS, your Personal Data will only be shared with those who need to have access to it, which will primarily be our HR function, hiring managers and IT staff.
International Transfers
Your Personal Data may be processed outside of the European Economic Area (EEA) as the organisations we use to provide our service to you may be based outside of the EU or UK (Recruitment Management Platform – Squarespace.com for example).
We have taken appropriate steps to ensure that any Personal Data processed outside the EEA has an essentially equivalent level of protection to that guaranteed in the EU or UK. We do this by ensuring that:
Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation);
We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organization and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here) or;
We enter into Standard Contractual Clauses (“SCCs”) with the receiving organizations and adopt supplementary measures, where necessary. (A copy of the SCCs can be found here Standard Contractual Clauses (SCCs)).
We may also utilise the services of providers who have chosen to certify themselves under the EU/US Data Privacy Framework (with UK extension).
How long will we retain your information?
We will retain your Personal Data for only as long as is necessary for the recruitment process. If your candidacy is successful and you are employed or hired by us, your data will be processed and retained as set out in our employee privacy notice (which will be provided alongside your employment paperwork).
If your candidacy is not successful, we will retain your CV, application details, and interview notes for 6 months from the date we notified you we would not move forward with your application. We will retain this information to inform you about any future vacancies we have that we believe may be of interest to you. Please let us know if you would like us to delete your records before our retention period lapses and we will do so.
We will also retain Personal Data where it is necessary to comply with our legal obligations or as necessary in relation to legal claims. This is rare but may mean we need to retain your data for longer than 6 months.
Your rights
There are certain rights that you have in respect of your Personal Data:
| Rights | Description |
|---|---|
| Right to be informed | Individuals have the right to be informed about the collection and use of their Personal Data |
| Right to rectification | Individuals have the right to have inaccurate Personal Data rectified or completed if it is incomplete |
| Right to erasure | Individuals have the right to request their personal information to be erased, in certain circumstances |
| Right to restrict processing | Individuals have the right to request the restriction or suppression of their Personal Data, in certain circumstances, in particular: - if your data is not accurate; - if your data has been used unlawfully but you do not want us to delete it; - if your data is no longer needed, but you want us to keep it for use in legal claims; or - if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request |
| Right to data portability | Individuals have the right to obtain and reuse their Personal Data, in a machine-readable format, for their own purposes across different services, in certain circumstances |
| Right to object | Individuals have the right to object to the processing of their Personal Data, in certain circumstances
Where we are using your Personal Data because it is in our legitimate interests to do so, you can object to us using it this way Where we are using your Personal Data for direct marketing, including profiling for direct marketing purposes, you have an absolute right to ask us to stop doing so |
| Rights with respect to automated decision-making and profiling | Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
In addition to the above, you also have the following rights:
| Rights | Description |
|---|---|
| Right to withdraw consent | Where we are using your Personal Data based on your consent, you can withdraw your consent at any time |
| Right to register a complaint with the Controller | You have the right to register a complaint with the Controller if you feel we are not processing your Personal Data in accordance with this notice or data protection law. |
| Right to lodge a complaint with the ICO | You have the right to raise a complaint about how we handle your personal information with the ICO. |
We sometimes use automated screening tools as part of our application process. The answers you provide to one or more of the questions (excluding any special categories/equal opportunity questions) may result in your application being automatically declined. This technology is used to help us manage the high volume of applications we receive.
Please note, we treat all references received as strictly confidential, and therefore, these references will not be available to you under the right of access.
How to exercise your rights
If you wish to exercise any of your rights, please contact: DPO@xm.works.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
As mentioned above, data subjects in the UK have the right to lodge a complaint with the ICO if you believe we are infringing UK data protection laws. You also have the right to make a complaint at any time to the Information Commissioner’s Office if you are concerned about the way in which we are handling your Personal Data (https://ico.org.uk/make-a-complaint/).
Contact
You can contact us in relation to data protection and this privacy notice by emailing the Data Protection Lead at: DPO@xm.works.