Employee & Employee Candidate Privacy Statement
Endless LLP (“Endless”) respects the privacy and security of your personal data and is committed to protecting that information. This Privacy Statement provides information about the personal data we process, why we process it, how we process it and your legal rights in connection with it. It is important that you read this notice, together with any other privacy notice, fair processing notice or other documentation we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we use your data. In order to stay up to date with new laws or changes in the ways we handle data, we reserve the right to amend the terms of this Privacy Statement from time to time. You are expected to check this page from time to time to take notice of any changes we have made, as they are binding on you.
What are our responsibilities?
Endless is the data controller of the personal data you provide. As the data controller we are required to comply with data protection laws, including the UK General Data Protection Regulation 2016, Data Protection Act 2018, and subsequently any national implementing laws or successor legislation (collectively referred to as the “Data Protection Legislation”).
We are committed to following the data processing principles in ensuring that personal data are:
- Processed lawfully, fairly and transparently
- Collected and processed proportionately and for limited purposes with a view to minimising that data and their storage
- Accurate and processed in a manner that ensures integrity and confidentiality
- Collected and processed in a manner that allows for accountability
What is personal data?
Your personal data includes all the information we hold that identifies you or is about you, for example, your name or email address. It also includes any sensitive information that we may hold about you, such as medical and health records (known as “special categories of data” in GDPR).
What is processing?
Everything we do with your personal data counts as processing it, including collecting, storing, amending, transferring and deleting it. We are therefore required to comply with the Data Protection Legislation to make sure that your information is properly protected and used appropriately.
What kinds of personal data do we hold?
In connection with your application to work with us we will collect, store and use the following types of personal data:
- Information provided by you in your CV and covering letter including your name, title, address, telephone number, email address, postal address, date of birth, gender, location information, employment history, qualifications and general professional experience
- Information you provide to us during an interview which may or may not form part of the assessment notes taken by the interviewer(s)
- Information provided by your referees and any opinions they express of you.
- Any other opinions we document about you
- Passport information, right to work in the UK documentation and other information required to undertake background checks on you
In addition, there are special categories of more sensitive personal data which require a higher level of protection. We may collect, retain or use the following categories of sensitive personal data:
- Information about your race or ethnicity
- Disability status
- Information relating to criminal convictions and/or offences which are revealed by the Disclosure and Barring Service
If you are offered and accept a position with us then in connection with your employment we will collect, store and use the following types of personal data:
- Contact details such as name, title, address, telephone numbers and personal email addresses.
- Date of birth
- Gender
- Marital status and existence of dependants
- Next of kin and emergency contact details
- National insurance number
- Bank account details, credit card details, payroll records & tax status information
- Salary, annual leave, pension and benefits information
- Employment start and termination dates
- Location of employment or workforce
- Copy of drivers licence and driver insurance details
- Copy of passport
- Immigration data including nationality and immigration status, right to work documentation and information from related documents
- Recruitment data including references and other data included within a cover letter, resume or as part of the recruitment process
- Employment records including job titles, work history, working hours, training records and professional memberships
- Compensation history
- Information relating to performance
- Disciplinary and grievance information
- Information relating to your usage of our information and communications systems
- Photographic images and CCTV footage
- Information obtained as a consequence of your submitting an expenses claim
In addition, there are special categories of more sensitive personal data which require a higher level of protection. We may collect, retain or use the following categories of sensitive personal data:
- Information about your race or ethnicity
- Disability status
- Health and sickness records
- Information relating to criminal convictions and/or offences which are revealed by the Disclosure and Barring Service
We collect most of this information directly from you, either in person, by telephone and/or email. However, in some instances, we may also collect information from third parties (such as referees or recruitment agencies) or publicly available sources such as LinkedIn.
Why do we process your personal data?
We process your personal data as part of our recruitment process and subsequently for HR, employment and administrative purposes.
The Employment Rights Act 1996 and the Immigration, Asylum & Nationality Act 2006 require us to obtain certain personal data from you, such as your name, without which we would be unable to offer you employment. We may need other personal data from you to be able to enter into a contract with you and to provide you with all the information you need. Again, if we do not receive that personal data from you then we may be unable to offer you employment or fulfil our obligations to you as your employer
On what basis do we process your personal data?
We process most of your information on the grounds of our legitimate interests (i.e. promoting the effective operation and administration of our business, making a decision on whether to enter into an employment relationship with you and subsequently fulfilling our obligations as your employer).
We may also rely on the fact that we need to process your personal data in order to enter into a contract with you, to fulfil our contractual obligations to you as your employer or to comply with a legal obligation. If we process special categories of data about you we will usually do so on the basis that the processing is necessary as part of your entering into employment with us or because we are otherwise legally authorised to do so.
Information may also be collected on the basis that it is in the substantial public interest, such as supporting equality of opportunity or treatment.
If none of the grounds set out above apply then we will obtain separate consent from you to the processing of your personal data. You can withdraw your consent at any time. However, that wouldn’t affect the lawfulness of any processing we carried out prior to you withdrawing your consent.
Who will receive your personal data?
We only transfer your personal data to the extent we need to.
If you are a candidate then the recipients of your personal data include:
- Service providers we use as part of our IT infrastructure
- Background check providers
- Regulatory bodies
If you are an employee then the recipients of your personal data include:
- Service providers we use to enable the processing of expenses claims
- Service providers we use as part of our IT infrastructure
- Where you choose to participate in our Group Life Assurance Scheme, an insurance broker in addition to an ultimate policy provider
- Relevant regulatory bodies
- Criminal background check providers
- Credit background check providers
- Where you choose to participate in a co-investment/carried interest scheme, the providers of specialist legal and/or tax advice in relation to those schemes
- The hosted data centre/VPN provider we use
- Third parties involved in the arrangement of work related travel
- Third parties holding events that you wish or we require you to attend, such as conferences and seminars
- Investors in the funds that we manage in connection with their due diligence on us
- Other Group Entities
In addition, in order to promote our business, the capabilities of our team and events that we conduct we may publish personal information on our website, which is generally accessible within the public domain, or on our LinkedIn account, which is accessible by pre-approved individuals. This could include your name, job title and role, start date, base location, business contact details, qualifications and experience, or images of you.
Personal information will be anonymised where reasonably practical. In any event, the recipients of personal data will be bound by confidentiality obligations. We may also be required to share some personal information as required to comply with the law.
We may transfer your personal data outside of the EEA to standard global service providers operating in other jurisdictions. We will only transfer data where a finding of adequacy has been made, which means the EU Commission is satisfied that any data transferred will be adequately protected, or where a data transfer agreement incorporates EU model clauses meaning that appropriate safeguards will govern the transfer of the data. By submitting your personal information you agree to this transfer, storing or processing outside the United Kingdom and the EEA.
How do we store your personal data and ensure that your data is secure?
Personal data is primarily stored electronically but may also be held at our offices, at our external archiving facility or at the offices of our group companies, third party agencies, service providers, representatives and agents.
We have put in place appropriate physical, technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. In the unlikely event of a suspected or actual breach of personal data, we have procedures in place to address the breach as well as to notify you and any applicable regulator where we are required to do so.
How long will we keep your personal data?
- If we are not able to offer you a position then we will retain your personal data for a maximum of 1 year after the ending of the recruitment exercise. We retain your information for this period in case any issues arise or in case you have any queries. Your information will be kept securely at all times. Following the end of the 1 year period your files and personal data we hold about you will be permanently deleted or destroyed. If you consent to marketing, any information we use for this purpose will be kept until you notify us that you no longer wish to receive this information.
- If you are offered and accept a position with us then we will retain your personal data for 6 years from the date your employment with us terminates. We retain your information for this period in case any issues arise following the end of your employment or in case you have any queries about the period in which you were employed by us. Your information will be kept securely at all times. Following the end of the 6 year period your files and personal data we hold about you will be permanently deleted or destroyed.
What are your rights?
You benefit from a number of rights in respect of the personal data we hold about you. We have summarised your rights below, and more information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio…). These rights apply for the period in which we process your data.
- Access to your data
You have the right to request confirmation that we process your personal data, as well as access to your personal data. You can also ask us to provide some additional information in relation to our processing of your personal data, although most of that information corresponds to the contents of this Privacy Statement.
We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we’ll let you know.
- Rectification of your data
If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it, unless we don’t feel it’s appropriate in which case we’ll let you know why. We’ll also let you know if we need more time to comply with your request.
- Right to be forgotten
In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:
- where we no longer need your personal data for the purpose for which we collected it;
- where we have collected your personal data on the grounds of consent and you withdraw that consent;
- where you object to the processing and we don’t have any overriding legitimate interests to continuing processing the data;
- where we have unlawfully processed your personal data (i.e. we have failed to comply with the Data Protection Legislation); and
- where the personal data has to be deleted to comply with a legal obligation.
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we’ll let you know.
- Right to restrict processing
In some circumstances you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we don’t have to delete it. This right is available to you:
- if you believe the personal data we hold isn’t accurate then we’ll cease processing it until we can verify its accuracy;
- if you have objected to us processing the data (see below) then we’ll cease processing it until we have determined whether our legitimate interests override your objection;
- if the processing is unlawful; or
- if we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim.
- Data portability
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:
- where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and
- where we carry out the processing by automated means.
We’ll respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we’ll let you know.
- Right to object
You are entitled to object to us processing your personal data:
- if the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority;
- for direct marketing purposes (including profiling); and/or
- for the purposes of scientific or historical research and statistics.
We do not intend to use your personal data to send you direct marketing nor for scientific or historical research and statistics.
In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
Automated decision making
Automated decision making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late a certain number of times (without any input from HR, for example).
We don’t carry out any automated decision making using your personal data.
Your right to complain about our processing
If you think we have processed your personal data unlawfully or that we have not complied with the Data Protection Legislation we would welcome the opportunity to address those concerns. However, you can also report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website – https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.Any questions?
Our General Counsel, Simon Hardcastle, has day to day responsibility for ensuring we comply with the Data Protection Legislation and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.
If you have any questions or would like more information about the ways in which we process your data, please contact Simon Hardcastle on 0113 2104002 or alternatively at simon.hardcastle@endlessllp.com.
Last updated: December 2022