Data Protection Policy

At Fortress Recruitment Services Limited, we are committed to protecting the privacy and confidentiality of the personal data we process. As a recruitment company, we handle a significant amount of personal information from candidates, clients, and employees. This Data Protection Policy outlines our commitment to ensuring that all personal data is handled in compliance with data protection laws, specifically the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to all employees, contractors, and third-party providers who process personal data on behalf of Fortress Recruitment Services Limited. It is designed to ensure that data protection principles are consistently followed in all our recruitment practices, from collecting data to its secure storage and processing.

We are committed to ensuring that personal data is:

• Processed lawfully, fairly, and transparently.
• Collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
• Accurate and kept up to date.
• Kept in a form which permits identification of data subjects for no longer than is necessary.
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

We collect and process a variety of personal data in the course of our recruitment activities, including:

• Personal Identification Information: Name, address, date of birth, contact details (phone number, email address).
• Employment Information: CVs, employment history, qualifications, skills, references.
• Sensitive Data: Health information (where necessary for disability or work suitability purposes), equal opportunities monitoring data (race, gender, etc.), criminal record checks (where required for certain roles).
• Contractual and Financial Data: Bank account details (for payroll), salary history, employment contracts.
• Client Data: Contact details, business needs, and any other data related to the services we provide to clients.

We will only process personal data when we have a lawful basis for doing so. The lawful bases we rely on include:

• Consent: Where a candidate has given explicit consent for their personal data to be used for a specific purpose (e.g., applying for a job).
• Contractual Necessity: Where processing is necessary for the performance of a contract with the individual (e.g., employment contracts, client agreements).
• Legal Obligation: Where processing is necessary for us to comply with a legal obligation (e.g., tax or employment law compliance).
• Legitimate Interests: Where processing is necessary for our legitimate interests, provided these interests are not overridden by the data subject’s rights and freedoms.

We take the security of personal data seriously and have implemented appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encrypted data storage and transmission.
• Secure systems for handling and processing data.
• Regular staff training on data protection practices and security measures.
• Access controls to limit who can access personal data.
• Regular audits and assessments of data security.

We may share personal data with third parties only when necessary and in compliance with data protection laws. We may share data with:

• Clients: To match candidates with job opportunities and for fulfilling contractual obligations.
• Third-Party Service Providers: For services such as payroll processing, background checks, or IT support (provided they comply with data protection laws).
• Regulatory Authorities: As required by law, for example, HMRC or government bodies.
• Legal Authorities: When required by law or to protect the rights of individuals, including fraud prevention or legal proceedings.

Any data shared with third parties will be done securely, and where appropriate, a Data Processing Agreement (DPA) will be put in place to ensure compliance with data protection laws.

Data subjects (candidates, clients, and employees) have the following rights concerning their personal data:

• Right to Access: Individuals can request access to the personal data we hold about them.
• Right to Rectification: Individuals can request corrections to their personal data if it is inaccurate or incomplete.
• Right to Erasure: In certain circumstances, individuals can request the deletion of their personal data (e.g., if the data is no longer necessary for the purpose it was collected).
• Right to Restrict Processing: Individuals can request that we restrict the processing of their data, for example, if they believe the data is inaccurate.
• Right to Data Portability: Individuals can request to receive their personal data in a structured, commonly used format and have it transferred to another data controller.
• Right to Object: Individuals can object to the processing of their personal data for certain purposes, including direct marketing.
• Rights related to automated decision-making: If we process personal data based on automated decision-making, individuals have the right to challenge decisions.

To exercise these rights, individuals can contact our Data Protection Officer (DPO) using the contact details below.

Personal data will not be retained for longer than is necessary for the purposes for which it was collected. We follow the following general retention periods:

• Candidate Data: Personal data will be retained for a maximum of 6 months after the completion of the recruitment process unless the candidate consents to further retention.
• Employee Data: Personal data will be retained for the duration of employment and for a period of 6 years following the end of employment, in line with legal and regulatory requirements.
• Client Data: Retained as long as the business relationship exists and for a period of 6 years after the contract ends, in line with tax and business record requirements.

Fortress Recruitment Services Limited has appointed a Data Protection Officer (DPO) who is responsible for overseeing data protection compliance. The DPO’s role includes advising staff on data protection matters, monitoring internal compliance, and acting as a point of contact for individuals who have concerns about their personal data.

If you have any questions regarding this policy, or if you wish to exercise your data protection rights, please contact our Data Protection Officer:

Matthew Wrainwright

Fortress Recruitment Services Limited

matt@fortressrecruitment.co.uk

We may update this Data Protection Policy from time to time to ensure it remains compliant with applicable laws and regulations. Any changes will be communicated to employees, candidates, and clients as appropriate.

Fortress Recruitment Services Limited is dedicated to safeguarding personal data and complying with data protection laws. By following this policy, we ensure that personal data is collected, processed, and stored responsibly, with the highest regard for privacy and security.