Privacy Policy and GDPR Compliance

Cortex IT Recruitment is owned by Graduate Recruitment Bureau Ltd (GRB), also operating as: Cortex IT Recruitment, Metrica Recruitment and Quota Recruitment. GRB are registered with the ICO and its registration number is z7502403.

Cortex IT Recruitment, 4 Clifton Mews, Brighton, East Sussex, BN1 3HR
Registered Office: 30 New Road, Brighton, BN1 1BN
Company Registration Number: 03640983

We have tried to write the following policy in a user-friendly format and language to aid the understanding of our service and systems to our end users. It draws reference and is also binding to all of our policies and terms:

• Data Protection Policy (external)
• GDPR Privacy Notice (external)
• Terms and Conditions
• Website Usage and Cookie Policy
• Complaints Procedure

Introduction- Cortex IT Recruitment and Data Protection

The General Data Protection Regulation (or GDPR) is the framework for data protection laws in Europe. Due to increasingly technologically driven and globalised data communications, the GDPR addresses personal data transfers for EU citizens to ensure greater data control and security, within and outside the EU.

Graduate Recruitment Bureau Ltd, also referred to as GRB, also operates under its sister company names:

• Cortex IT Recruitment
• Metrica Recruitment
• Quota Recruitment

We are registered with the Information Commissioner’s Office (ICO), number z7502403. We take data privacy very seriously and we are strictly compliant with data protection legislation. We have carefully complied with the Data Protection Directive 1995, Data Protection Act 1998 and now the General Data Protection Regulation.

We have strong data security measures in place, and we have never sold or exchanged work-seeker or client data, and we never will.

Our Service – Why we store personal data

We process and store the personal data of the work-seekers and individual client contacts that opt-in or request the use our services by agreeing to our Privacy Policy or Terms of Business. We hold and store this personal data on individuals so we can efficiently retrieve it at the appropriate time to provide the work-finding and employee-finding services you request. This storage and access requirement comes in the following but not exclusive forms of:

• Website functionality
• Internal administration
• Candidate selecting and screening
• Advertising and marketing relevant employer opportunities
• Internal research to improve our services

Your Data – What Do We Collect and Why?

Our recruitment service for graduates, students and employers consists of, but not exclusively:

• Screening CVs and contacting candidates to assess suitability
• Matching candidates to employers that meet their requirements
• Organising some or every stage of the recruitment process
• Advertising and marketing relevant job and career or training related opportunities
• Research projects

So that we can accurately carry out our recruitment service, we collect the following information:

• First Name and Surname
  For identification
• CV and/or Cover Letter
  For employer requirements and skill assessment
• Email Address
  For job contact purposes, confirmations and website functionality
• Contact Phone Number
  For job contact purposes, confirmations and interviews
• Current or recent employer
  For career assessment
• Desired job title
  So we can understand your requirements
• Qualifications
  For employer requirements and skill assessment

While using our website we also collect and store other data while you use our website for the features to work and to better improve our services. We also store unobtrusive cookies in your browser that allows our website to function correctly. These cookies are typically set when you submit a form, login or interact with the site by doing something that goes beyond clicking on simple links. Please view our Website Usage and Cookie Privacy Policy for more information.

Your Privacy Notice – What happens with your data

When you register with Cortex IT Recruitment, we will issue an official GDPR Privacy Notice within one month, normally in the welcome email, depending on how you registered with us. This will outline the following important GDPR compliance factors as to what we do with your data:

• We have a purpose and legal basis to process
• We have legitimate interest to process
• If we will or will not use a third-party to process
• This is dependent on how you registered. If you registered on a paper form at an event, we use a GDPR compliant third party to process the paper registration forms
• If your data will go outside the EU
• How long we will retain your data
• Your data protection rights

Data Storage – Where we safely store your data

In terms of storage and website functionality, your data will never leave the EU. Your personal information is being stored in one or more of the following secure UK based locations either temporarily or until your account is deleted:

• Our website server
• Our internal database
• Our backup server
• Our cloud storage account
• A data entry service
• A cloud based document processor
• A cloud based call recording system

For security reasons the providers will only be named on legitimate requests.

The Data Protection Principles – The care we take when handling your personal data

Cortex IT Recruitment lawfully process their data in a fair and transparent manner and we do not discriminate by gender, ethnicity or any other protected characteristic or social background. The data collected is exclusively for legitimate work-finding purposes and limited to only what is necessary in relation to it.

Every reasonable step is taken to keep data accurate and up to date, including by the use of email requests or in some cases telephone calls, to ensure that any personal data stored is valid and still relevant to the purposes of which it was collected. Cortex IT Recruitment do not intend to keep data for longer than is necessary to the services we offer in student, graduate and experienced recruitment. If you decide to create an account, add your personal information and upload a CV or other similar documents then we will keep that information until you request for us to delete it.

We ensure that appropriate security of personal data is in place to protect against unauthorised or unlawful access, accidental loss and destruction or damage. We do so by using, amongst others, the following technical, cyber security and organisational measures:

• Secure Socket Layer (SSL) certificates installed on the Cortex IT Recruitment and sister websites
• Separate non-public access servers to store candidate data
• Enterprise level secure managed hosting
• Enforced strong passwords and password change lockouts
• Encrypted backups for all systems
• Regular auditing of internal computers and laptops
• Password or user permissions protected documents and folders
• Industry leading anti-virus and firewall software
• All staff trained in safely handling data
• All third party services used are GDPR compliant with supplied statements
• Appointed Data Protection representative

Legal Bases for Processing – We store personal information the correct and legal way

Cortex IT Recruitment only process your personal data where it has a legal basis for doing so that is with the requirements of the service we offer. Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as our sister companies, persons making an enquiry or complaint and any other third party (such as software solutions providers and back office support)), we will establish prior legal consent either before entering it onto our systems or before making the transfer.

Cortex IT Recruitment take every possible step to implement measures and procedures that protect your privacy and we ensure that data protection is integral to all processing activities. This includes implementing measures such as:

• Data minimisation
  Only completely necessary data is requested and stored
• Anonymisation
  Personal information is anonymised if it is not required for the purpose of use. Individuals who request their personal data to be removed will have their records anonymised.

Anonymisation (of data) is a type of information sanitisation whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

Privacy Notices – We’ll always tell you and make it clear

It is important that you know exactly what data is being collected and what it is used for. Cortex IT Recruitment ensure that whenever personal data is collected the individual is clearly notified as to what is going to happen with the data. You will be given at least one of the following notices and will be required to confirm with us that you accept before we process and store your information for our services:

• For the Cortex IT Recruitment website registration form, an opt-in tick box that refers to our full Privacy Policy. The website form will not submit without checking it.
• For third-party website registration forms, either a clear non-compulsory opt-in tick box asking the user if they would like to register with Cortex IT Recruitment, along with a link to Cortex IT Recruitment’s full Data Privacy Policy, will be included in the third-party company’s registration form.
• For paper forms from live events, a clear message will be provided on the form that refers to agreeing to a statement of consent for Cortex IT Recruitment, or our third-party GDPR approved supplier, to process the data.
• For external CV databases and employment networking websites, either a verbal or email confirmation will be required from the individual asking for consent and a copy of our Privacy Policy will be emailed once registered.

All new user registrations will receive an email containing our terms of consent depending on how their data was acquired and guidelines on our data policy. This will normally arrive in the welcome email.

Cortex IT Recruitment does not intend to further process personal data for any purpose other than that for which the data was initially collected. If this should change in the future for a reason that would benefit the users of Cortex IT Recruitment’s service, then full consent will be requested from the affected individuals before they carry out any further processing.

Data Processors – Who handles your personal information

We process the majority of our data internally, but additionally Cortex IT Recruitment use third-party data processors who meet GDPR requirements when necessary. For physical registrations that are collected at events, Cortex IT Recruitment use a third-party data entry company. The companies and their GDPR statements with details of how they process data on behalf of Cortex IT Recruitment are available by request.

Personal Data Request – Take a look at what we have

If we hold any of your personal data then you or a representative of your behalf can request a copy from Cortex IT Recruitment. A full copy of your data will be supplied in a Microsoft Excel file within one month. Cortex IT Recruitment would also be happy to assist if you would like to rectify any inaccurate or incomplete personal data. See Making Requests at the end of this document.

Data Changes and Deletion – Your right to be forgotten

Cortex IT Recruitment strongly believe in your right to be forgotten. This is both good for the autonomy and respect of our users, and business efficiency. This is at the core of Cortex IT Recruitment’s values as a company and GDPR.

If you would like your personal data removed then please email your request to Cortex IT Recruitment (See Making Requests at the end of this document) with confirmation that you would like to be removed entirely, or whether you are happy to remain as a user that does not get contacted in the future (for a specified period or otherwise).

If you would like to be completely removed then a full anonymisation of your record will be put into motion. This process ensures that all personally identifiable data is removed and the profile cannot be identified under any circumstances. If you have given prior consent for your information to be passed on to a recruiter or another third party then we will attempt to reach out and request they follow the same procedure however we can’t enforce or follow-up to prove action from them.

This initial process will be completed within one month of the request made. The Cortex IT Recruitment system encrypted backups date back three months, so after this period the full process will be complete and no record will be left.

Please note that you will be able to re-summit your data again in the future should you wish to. It is also possible to be re-registered via another route that you may not be aware of such as opting-in while registering with one of our partners. As we will not keep a record of people we have removed, we can’t avoid this, so you may be contacted again.

Deletion and the Conduct Regulations

Employment businesses such as Cortex IT Recruitment must keep records that are sufficient to show that we have complied with the legal Acts and the Conduct Regulations of our industry. This includes a regulation that requires us to retain work-seeker and client records for at least one year following the date we last provided services. What this means is that if you request to be deleted, certain information will be stored in a separate location for a year before we can completely delete it.

Restriction of Processing – When and why data processing might be restricted

You have the right to ask us to stop using your data if you know it to be inaccurate, unlawful or against legitimate interest where the grounds of use override those of yours. In these cases Cortex IT Recruitment will revert to the anonymisation of your data once you agree. Please see Making Requests at the end of this document.

Data Portability – How you can move your data

You have the right to a copy of your data, and where feasible, Cortex IT Recruitment will send your personal data to a named third party on the individual’s request. We supply your data in Microsoft Excel format which is considered as a good choice for data portability. We can also supply it in other formats on request. Please see Making Requests at the end of this document.

Object to Processing – Your right to ask us to stop

You have the right to object to your personal data being used or profiled by Cortex IT Recruitment if you feel it’s of public or legitimate interest. You can also object to your personal data being used for direct marketing. Once we receive a request we shall cease using your data, unless we have legitimate grounds to continue which take precedence over your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. To cease using your data we will revert to full anonymisation of your record in all our systems. Please see Making Requests at the end of this document.

Enforcement of Rights – Our responsibility to action your requests in a given timeframe

Cortex IT Recruitment will act upon any requests relating to your personal data within one month. This includes personal data requests, requests relating to rectification, erasure, restriction, data portability or objection or automated decision making processes or profiling. We may extend this period for two further months where necessary, when taking into account the complexity and the number of requests. These timeframes meet the GDPR standards.

If Cortex IT Recruitment considers any requests unfounded or excessive due to the request’s repetitive nature we may either refuse to act on the request or may charge a £10 fee per request taking into account the administrative costs involved.

Reporting personal data breaches – How we are prepared

In the unlikely event of a data breach, Cortex IT Recruitment will take steps to contain and recover the breach. If a personal data breach is likely to result in a risk to the rights and freedoms of any individual, Cortex IT Recruitment will notify the ICO. If a personal data breach presents a high risk to the rights and freedoms of any individual then Cortex IT Recruitment will tell all affected individuals without undue delay. If a personal data breach happens outside of the UK, Cortex IT Recruitment shall alert the relevant supervisory authority for data breaches in the affected jurisdiction.

Making Requests

Please email your request to Cortex IT Recruitment providing the following information:

What action you would like to take:

• Account Snoozed
  Your data will remain within the Cortex IT Recruitment systems and contact will not be made until your account is reactivated on a specified date that you set.
• Account Unsubscribed
  Your data will remain within the Cortex IT Recruitment systems but no email contact will be made.
• Account Deactivated
  Your data will remain within the Cortex IT Recruitment systems but contact will not be made without additional prior consent.
• Account Data Request
  We will supply a copy of the personal data we hold on your account.
• Account Deleted
  Your data will be fully deleted in the form of anonymisation.
• Other Request
  Please specify and direct us to any part of this privacy policy that may assist us with your request

For identification:

• Full Name
• Email address/addresses that may be registered
• Contact phone number

You must make your request from the registered email on your account. In the cases where we can’t identify you with certainty we may ask for further identification such as photographic ID.

Please send the above information from your registered email to datarequests@grb.uk.com