Privacy Notice

Carousel Consultancy Ltd

The Purpose of this privacy notice is to explain how Carousel Consultancy Ltd processes personal data to fulfil its data protection responsibilities with respect to its recruitment activities. The scope of this statement covers all related activities by the staff of Carousel Consultancy Ltd referred to as Carousel for the remainder of this notice.

    The Role of Carousel in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the Carousel Privacy Manager (PM) to ensure that it is processed in accordance with the latest UK data protection legislation. You can contact the PM using Carousel is registered with the Information Commissioner’s Office (ICO). Typically, when Carousel is dealing directly with candidates to fill roles on behalf of a client, it will be the data controller.

    The personal data processed by Carousel will be basic contact information for responding to general enquiries, the typical data sets found on a CV for recruitment purposes and additional data that might be needed to prove eligibility to work in the UK. It may also be necessary to collect bank details to administer temporary position candidates. If we are not given all of the required data, it may result in an incomplete service being provided.

    Carousel’s duty of confidentiality means that Carousel’s staff will treat clients’ personal data with due respect and in confidence. It is only disclosed to those that need to know it. We also expect the same duty of confidentiality of all third parties with whom we share your personal data. Sharing is kept to a minimum and reviewed regularly.

    Carousel uses reasonable organisational and technical measures to ensure personal data is kept secure. This is processed and stored on servers based in the UK only.

    Carousel processes personal data against a lawful basis as described below:

    • To respond to your general enquiries and to process the details of job candidates, and forward details of referees, we will use our legitimate interests
    • To comply with our legal obligations
    • To fulfil our contractual obligations including their prior preparation
    • To process the personal data provided on the pre-registration form, we will ask for your Please note that consent can always be withdrawn by contacting the PM

     

    In all cases the processing of personal data by Carousel shall be:

    • Processed lawfully, fairly and transparently
    • Collected for specified, explicit and legitimate purposes
    • Adequate, relevant and limited to what is necessary (and no more)
    • Accurate and, when necessary, updated
    • Kept for no longer than is necessary
    • Processed in a manner that ensures appropriate

     

    Carousel will share personal data, but only when absolutely necessary, with some or all of the following third parties:

    • The Inland Revenue (HMRC)
    • Solicitors appointed by Carousel
    • Accountants appointed by Carousel
    • Pension providers (for successful candidates)
    • Client/ potential employer
    • Third-party IT support company (maintenance only)
    • Unspecified recipients but only when compelled to do so for legal reasons

     

    Carousel follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:

    • Routine correspondence for casual enquiries in emails will be stored for one year
    • Servicecontractrelateddatawillberetainedthroughoutthe life of the engagement plus another 6 years following the termination of the contract
    • CVs to be held for no more than one year
    • Contact data is stored indefinitely unless a valid request to erasure is received from the interested data subject
    • Financial records and invoices, which may include personal data, will be retained for 6 years after the end of the current tax year of processing
    • By exception, documentation that includes personal data may be retained by Carousel beyond the schedule, but only for a specific purpose and only when Carousel believes there is a legitimate interest or a legal obligation to do so

     

    At the end of the retention schedule Carousel will delete your personal data. Less your contact details, including any relevant documentation, such that it is put beyond operational use. It should be noted that Carousel allows up to 3 months after the retention schedule to complete the action.

    The UK General Data Protection Regulation defines the rights that you have (although these do not apply in all situations), For convenience, these rights are shown below:

    • Right to be informed as to how your personal data is being processed by Carousel – this is done through this statement or specific to customer privacy notices
    • Right to access your personal data held by Carousel which is done by making a ‘Data Subject Access Request’ (DSAR) to the privacy manager
    • Right to rectification of your personal data if you believe Carousel has collected it incorrectly or it needs to be updated
    • Right to erasure of your personal data for which Carousel no longer has a legitimate purpose to process
    • Right to restrict processing under certain circumstances, during which time your personal data but will be out of operational use until the related matter is resolved
    • Right to data portability of your personal data in a machine-readable version, as you have provided but only applicable to data provided with your consent or under contract
    • Right to object to Carousel processing your personal data for which it does not have a legal or contractual obligation
    • Rights related to automated decision making and profiling (however Carousel does not use these techniques in its decision making)

     

    Further details on data subjectsrights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

    Raising concerns, exercising rights or making queries about our processing of your personal data can be done by contacting the privacy manager. Please be aware that we will need to determine your identity before responding fully, therefore, you may be asked for proof of ID or other material that, in context, will enable us to confirm your identity. Alternatively, you may wish to contact the ICO directly, using the details provided above.

     

    v1. – April 2021