Privacy Policy
Penrose Health (“we”, “us”) are committed to protecting and respecting your privacy. This Privacy Notice sets out the basis on which the personal data collected from you, or that you provide to us, will be processed by us in connection with our recruitment processes.
For the purpose of the General Data Protection Regulation (“GDPR”) the Data Controller is Penrose Health.
We use Pinpoint, an online software product provided by The Infuse Group Ltd (t/a Pinpoint Software), to assist with our recruitment process. We use Pinpoint to process personal information as a data processor on our behalf. Pinpoint is only entitled to process your personal data in accordance with our instructions
Where you apply for an opportunity posted by us, these Privacy Notice provisions will apply to our processing of your personal information, in addition to our other Privacy Notice which is available on our website.
Your Personal Information
Information we collect from you
We collect and process some or all of the following types of information from you:
- Information that you provide when you apply for a role. This includes information provided through an online application, via email, in person at interviews and/or by any other method.
- In particular, we process personal details such as name, email address, address, date of birth, qualifications, experience and any information relating to your employment history, skills and experience that you provide to us.
- If you contact us, we may keep a record of that correspondence.
- Details of your visits to our careers website including, but not limited to, traffic data, location data and other communication data, the site that referred you to our careers website and the resources that you access.
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.
Information we collect from other sources
The organisation will also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. The organisation will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.
Pinpoint’s technology enables us to search various databases, which may include your personal data, to find possible candidates to fill our job openings. Where we find you in this way we will obtain your personal data from these sources.
Uses made of your information
Lawful basis for processing
We rely on legitimate interest as the lawful basis on which we collect and use your personal data. Our legitimate interests are the recruitment of staff for our business.
Purposes of processing
We use information held about you in the following ways:
- To consider your application in respect of a role for which you have applied.
- To consider your application in respect of other roles.
- To communicate with you in respect of the recruitment process.
- To enhance any information that we receive from you with information obtained from third party data providers.
- To find appropriate candidates to fill our job openings.
- To help Pinpoint improve their services.
The organisation needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you. In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.
The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims.
Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether those interests are overridden by the rights and freedoms of job applicants, employees or workers and has concluded that they are not. The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.
Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is done for the purposes of equal opportunities monitoring with the explicit consent of job applicants, which can be withdrawn at any time by contacting Sachin Gupta.
For some roles, the organisation seeks information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment and / or to comply with a regulatory requirement to establish whether an individual has committed an unlawful act or been involved in dishonesty or other improper conduct.
If your application is unsuccessful, the organisation will keep your personal data on file in case there are future employment opportunities for which you may be suited. The organisation will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time by contacting Sachin Gupta.
Who has access to data?
Who has access to data?
Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
We will only share your personal data if we are legally permitted to do so. When we transfer or share personal data, we put contractual arrangements and security mechanisms in place that comply with our data protection, confidentiality and security standards and applicable laws and regulations.
If your application for employment is successful and we make you an offer of employment, the organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.
We use PinpointHQ, an Applicant Tracking System, to support our hiring processes. Pinpoint have their own rigorous privacy and data protection policies, which you can access on their website (https://www.pinpointhq.com/security-privacy/gdpr-compliance/#how-pinpoint-helps-our-customers-comply-with-gdpr-requirements ). Applicant data is stored exclusively in Pinpoint’s production infrastructure, split across two hyperscale cloud service partners (AWS and Digital Ocean) across three data centre locations (Amsterdam, Dublin and London).
All data centres have been accredited under at least ISO/IEC 27001:2023 or ISO/IEC 27001:2013 and SOC 1,2.
Automated decision making / profiling
We may leverage Pinpoint’s technology to help us select appropriate candidates for us to consider based on criteria we have identified. The process of finding suitable candidates is automatic, however, any decision as to who we will engage to fill the job opening will be made by our team.
How we store your personal data
Security
We take appropriate measures to ensure that all personal data is kept secure including security measures to prevent personal data from being accidentally lost, or used or accessed in any unauthorised way. We limit access to your personal data to those who have a genuine business need to view it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means, therefore any transmission remains at your own risk.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means, therefore any transmission remains at your own risk.
Where we store your personal data
The data that we collect from you and process using Pinpoint’s Services will be transferred to and stored at one of several datacentre locations in Amsterdam (Netherlands) and may be synchronised to one of several datacentre locations in London (United Kingdom) for backup and redundancy purposes. By submitting your personal data, you agree to this transfer, storing or processing.
How long we keep your personal data
If your application for employment is unsuccessful, the organisation will hold your data on file for 12 months after the end of the relevant recruitment process. If you agree to allow the organisation to keep your personal data on file, the organisation will hold your data on file for a further [6 months] for consideration for future employment opportunities. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.
How does the organisation protect data?
The organisation takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. If you would like to know more please contact our Data Protection Officer, Sachin Gupta.
What if you do not provide personal data?
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all. If your application is successful, it will be a condition of any job offer that you provide evidence of your right to work in the UK and satisfactory references.
You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.
Your rights
Under the General Data Protection Regulation you have a number of important rights. In summary, those include rights to:
- access to your personal data and to certain other supplementary information that this Privacy Notice is already designed to address
- require us to correct any mistakes in your information which we hold
- request the erasure of personal data concerning you in certain situations
- request access to the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- object at any time to processing of personal data concerning you for direct marketing
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- object in certain other situations to our continued processing of your personal data
- otherwise restrict our processing of your personal data in certain circumstances
- claim compensation for damages caused by our breach of any data protection laws.
If you would like to exercise any of those rights, please either:
- utilise the Manage Your Data tool provided or
- contact us using our contact details below, ensuring we have enough information to identify you, proving your identity and address and confirming which information to which your request relates
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.