Recruitment Privacy Notice

Introduction

This Privacy Policy describes the ways in which Grafton Group plc ("Grafton Group", "the Company", "we", "us") processes and protects the personal data of prospective colleagues, temporary workers and contractors (collectively, "Applicants") who submit applications for consideration and processing by us, in accordance with Applicable Data Protection Law.

To be clear, if you're already a member of the team at Grafton Group, you should refer to the Employee Privacy Policy, which you can access via the HR system; otherwise, please ask your line manager for a copy.

Your privacy is important to us, and we are committed to protecting and safeguarding your privacy rights.

This Privacy Notice, last updated on 07 March 2024, sets out the following information:

1.     Identification of the Data Controller;

2.     Contact details of our Data Protection Officer ("DPO");

3.     Sources of Personal Data;

4.     Categories of Personal Data processed; purposes and legal basis for the Company's processing of Personal Data;

5.     Retention of Personal Data;

6.     How we share your data within the Company and with Third Parties;

7.     International transfers of personal data; and

8.     Rights of individuals in relation to their Personal Data. 

1 Identification of the Data Controller

The data controller for your personal data is Grafton Group plc, The Hive, Carmanhall Road, Sandyford Business Park, Dublin, D18 Y2C9. Grafton Group Plc ("the Group") has a number of subsidiary Companies and current members of the Group can be found here.

We, in conjunction with other members of the Group, operate as joint controllers in regard to some processing activities relating to the personal data of Applicants, for example, to address requests by data subjects to exercise their rights under Applicable Data Protection Law, as set out in Section 8 below.

2 Contact details of our Data Protection Officer

The Group has elected to appoint a Data Protection Officer ("DPO") who acts on behalf of all the members of the Group to support the Company's compliance efforts in respect of the processing of the personal data of applicants, colleagues, customers and suppliers.

The contact details for our DPO are as follows:

·       By email, dpo@graftonplc.com

·       By post, to either

o   The Data Protection Officer, Grafton Group PLC, Boundary House, 2 Wythall Green Way, Wythall, Birmingham, B47 6LW, United Kingdom; or

o   The Data Protection Officer, Grafton Group PLC, The Hive, Carmanhall Road, Sandyford Business Park, Dublin, D18 Y2C9, Ireland

3 Sources of Personal Data

As far as possible, we use a dedicated, online talent management platform ("Recruitment Platform") operated by the Group to collect and process applications of Applicants for available positions with us. This recruitment platform allows us to manage the personal data of Applicants and share it with relevant personnel within the Company in a secure fashion and in accordance with our obligations under the Applicable Data Protection Law. We use the recruitment platform primarily to structure, store and enable the sharing of any personal data that you provide us within the Company, as appropriate. It does not involve any decision-making about applicants based solely on automated processing or profiling.

Occasionally, applications for available positions in the Company may be made via email and other sources, such as Job Boards. This is done only on an ad-hoc basis, and where technically necessary. It assists us in collecting the personal data of applicants where use of the recruitment platform is not available. Email is sometimes used in managing certain practical aspects of our data processing such as organising interviews and receiving evaluation information.

We generally obtain personal data concerning Applicants from three sources, as discussed below.

Personal Data provided by You

We generally collect personal data directly from you (electronically, in writing, verbally), or via the recruitment agency with which you are associated including by means of the recruitment platform and by email. We may ask you for information regarding your contact information, experience and qualifications and other information relevant to the recruitment process and the position for which you are applying.

We automatically collect certain data from you when you use any of our recruitment sites, including IP address or other unique device identifiers, information collected by cookies on your usage of any of the recruitment sites within the Group, your mobile carrier (if applicable), time zone setting, operating system and platform and information regarding your use of any of the Group recruitment sites.

We will not take responsibility for any personal data provided by you that is outside the requested or permitted range of personal data. For example, where special categories of personal data are not requested or relevant to the position we will decline to process the data and delete it from our system.

Personal Data generated by Us

We generate derived data from the interviews in which you participate (electronically or verbally, by telephone, face to face and recorded digital interviews and assessments) and evaluations provided by those who have interviewed you.

Personal Data from Third Parties

We may also tie in personal data from third parties that provide services to us or to you such as companies that provide recruitment services. For example, if you apply through a third-party staffing or recruitment firm, we will receive personal data regarding your experience and qualifications from such firms. We may also use digital platforms hosted by third parties that facilitate recorded video interviews, written questions and answers and skills tests that we administer and evaluate.

We may also receive information from referees that you authorise us to contact. Where permitted or otherwise authorised by applicable laws, information received from third parties may include the results of background checks and referencing.

Finally, we may also take personal data only from public areas of third-party professional social network websites, for example LinkedIn or professional directories.

4 Categories of Personal Data processed; purposes and legal basis for the Company's processing of Personal Data

We process various categories of personal data for the purposes discussed above and identified in this section.  Our legal basis for doing so will vary with the type of data processing activity involved, and will typically include the following:

·       where necessary for us to carry out our responsibilities under an employment contract which we are discussing and/or negotiating with you;

·       where necessary for us to pursue our legitimate interests provided that those interests are not overridden by your interests, fundamental rights and freedoms;

·       where necessary for us to comply with our legal obligations; or

·       on the basis of your explicit consent.

To the extent not addressed below, we will point out, at the time of data collection, if the processing of your personal data by us is a statutory or contractual requirement, whether you are obligated to provide the personal data and the possible consequences of your failure to do so.  In circumstances where consent is the basis for us to process your personal data, we will request this from you at the point of data collection.

We process your personal data to carry out our recruitment activities in order to attract new talent to the Company, including permanent colleagues, temporary workers as well as independent contractors and consultants.

The categories of personal data that we process about you, for the purpose of recruitment, include the following:

Initial Screening of Applications

Categories of personal data: Identification data (i.e. name, mobile telephone number, email address)

We may use your personal data to: Contact you about your application to us

Our lawful basis for doing so is: Our legitimate interests

Our legitimate interests in doing so are to:

·       Allow appropriate assessment of applications and selection of suitable Applicants for roles with us

·       Allow communication between us and you regarding the recruitment process

·       Allow record keeping of our recruitment process

·       If successful in your application, to create your contract and personnel record

Categories of personal data: CV/Résumé (or profile on professional social networks or websites), details of your qualifications and experience, employment history (including job titles, salary and benefits packages and any relevant working hours), interests, information about your academic history, qualifications, right to work status

We may use your personal data to: Consider your qualifications, skills and experience to ensure they are suitable for the position

Our lawful basis for doing so is: Our legitimate interests

Our legitimate interests in doing so are to:

·       Allow appropriate assessment of applications and selection of suitable Applicants for roles with us

·       Allow record keeping of our recruitment process

·       If successful in your application, to create your personnel record

Categories of personal data: Special Category personal data (including gender identity, sexual orientation, ethnic origin, nationality, citizenship, disability status, civil status, religion or belief)

We may use your personal data to: This data is only used in aggregated form

Our lawful basis for doing so is: Legal Obligation (in the UK); Consent (in the EU)

Our legitimate interests in doing so are to:

·       Allow monitoring and measuring of equal opportunities and diversity against our Group diversity and inclusion strategy

Further Data Which May Be Required During Applicant Assessment and Selection

Categories of personal data: Detailed evidence of your relevant skills and details of your previous experiences and the career choices you have made (usually assessed at a face-to-face or phone interview)

We may use your personal data to: Consider your suitability for the position

Our lawful basis for doing so is: Our legitimate interests

Our legitimate interests in doing so are to:

·       Allow selection of suitable Applicants for vacancies with us

·       If successful in your application, to create your personnel record

Categories of personal data: Video recording of your responses to interview questions using our digital assessment platform

We may use your personal data to: Consider your suitability for the position

Our lawful basis for doing so is: Consent

Our legitimate interests in doing so are to: N/A

Compliance with Legal and Regulatory Obligations Relating to Employment (UK Business Units)

We request and collect Special Categories of Data and other personal data relevant to diversity reporting and monitoring from our colleagues and Applicants.  The provision of such data is optional, with no impact on our consideration of your application.  Any data that you choose to provide is used for statistical purposes in line with UK legislation.

We also collect health information necessary to comply with workplace health and safety regulations and equality and employment rights legislation.

The categories of personal data that we may process about you for the above purposes, include the following:

Compliance with Legal and Regulatory Obligations

Categories of personal data: Special Categories of Personal Data related to diversity and equality: gender identity, sexual orientation, ethnic origin, nationality, citizenship, disability status, civil status, religion or belief

We may use your personal data to:

·       Monitor and measure the results of our Group diversity and inclusion strategies

·       Comply with diversity and equality reporting requirements of and other relevant organisations

·       For disability status, to consider whether we need to provide appropriate adjustments during the recruitment process (e.g. for tests or interview)

Our lawful bases for doing so are:

·       GDPR Article 6: Legal obligation

·       Carry out our obligations under employment, social security and social protection law

·       UK Data Protection Act 2018 Schedule 1, Part 1, Para 1

·       Equality Act 2010; Employment Rights Act 1996

Categories of personal data: Special Categories of Personal Data: Information concerning health

We may use your personal data to:

·       To be aware of any medical conditions for Health & Safety reasons

·       To make reasonable workplace adjustments to enable a disabled person to work

Our lawful bases for doing so are:

·       GDPR Article 6: Legal obligation

·       Carry out our obligations under employment, social security and social protection law

·       UK Data Protection Act 2018 Schedule 1, Part 1, Para 1

·       Health and Safety at Work Act 1974; Equality Act 2010; Employment Rights Act 1996

Categories of personal data: Criminal Convictions Data: Details of any unspent criminal convictions recorded against your name by the Courts of England and Wales

In the UK, this shall be in accordance with the Rehabilitation of Offenders Act 1974 as amended from time to time. This means that you will never be asked to disclose convictions relating to certain offences after seven years. The convictions that are regarded as “spent” after seven years are set out in Section 5 of that Act. Certain minor convictions are regarded as “spent” after shorter periods of time.

We may use your personal data to: Consider your suitability for a particular position

Our lawful bases for doing so are:

·       GDPR Article 6: Legitimate interests

·       UK Data Protection Act 2018 Schedule 1, Part 2, Para 12 and Schedule 1, Part 3, Para 36

·       To screen for the conduct and integrity of certain colleagues involved in the Finance department or persons involved in dealing with large sums of cash

·       Where you may be driving vehicles, we may ask you to disclose any previous driving convictions

Categories of personal data: Credit Checks: Publicly available information related to financial integrity, including County Court Judgements (CCJs), Bankruptcy, Bankruptcy Restriction Orders, Individual Voluntary Arrangements, Fast Track Voluntary Arrangements, Debt Relief Orders, Debt Restriction Orders, Decrees, Sequestration Orders, Notices of Correction

We may use your personal data to: To manage business risk

Our lawful bases for doing so are:

·       GDPR Article 6: Legitimate interests

·       UK Data Protection Act 2018: N/A

·       To screen for the conduct and integrity of certain employees in the Finance department

5 Retention of Data

We retain your personal data for the period necessary to fulfil the purposes set out in this Privacy Notice or as required by applicable law or in order to establish, exercise or defend potential legal claims or to pursue our legitimate interests.

It is our general policy to retain potential personnel records until the end of our recruitment process regarding your application, extended to cover the relevant statutory period or for the duration of any relevant legal proceedings. More specifically, your personal data will be retained as follows:

If you submit your own personal data and are an unsuccessful Applicant:

·       Our policy is to delete your personal data in its entirety after the expiration of 12 months following the conclusion of the recruitment process for the role for which you have applied.

If you apply via a third-party staffing or recruiting company and are an unsuccessful Applicant:

·       Our policy is to delete your personal data after the expiration of 12 months following the conclusion of the recruitment process for the role for which you have applied.

We delete any introductory communications that we may have with you via social media sites, such as LinkedIn, within one month following the close of our dialogue with you using such sites.

6 How we share your Personal Data within the Company and Third Parties

The ways in which we share personal data relating to Applicants among other members of the Group and also with trusted third parties are set out below.

Intra-Group

Relevant personal data of Applicants may be shared with authorised Company personnel, including selected interviewers and, where relevant to a particular Applicant, other authorised personnel from other members of the Group, who may be in either the UK or EU and are involved in administering its hiring in a fair and coordinated manner across all of our Group.

For all our hires, we use:

·       Either, our dedicated Recruitment Platform, which holds the personal data that you or the recruitment agency that has introduced you to us submit in your initial application to us. This platform is hosted in the EU and is used to manage the information you provide us in a secure manner; or

·       On occasions, applications made via email and other sources, such as Job Boards. These are hosted in the EU.

·       Our HR management platform which allows us to gain approval to make individual hires, and which holds individuals’ names, educational background, professional background and proposed salary details. This is hosted in the EU.

·       Various other systems such as email systems, finance systems, and internal management systems that are used for the purposes of communications and general business management, which are hosted on servers located in the UK and in the EU.

For some of our hires, in certain jurisdictions, we may use digital assessment tools, data analytics and algorithms to help us review the large quantities of Applicants and application data that we receive. These algorithms help us prioritise the application review process and sort Applicants on the basis of characteristics that suggest strengths and capabilities necessary to perform the relevant role. The algorithms are designed to analyse the Applicant’s application data and compare it to our historical data on previously successful and unsuccessful applicants.

The automated results are always considered in tandem with, and not in lieu of, human judgement. We evaluate each individual Applicant on their own merits. Certain roles may require specific prerequisites or skills (for example, particular professional qualifications or certifications, or number of years in a similar role). Applications that do not meet those requirements may be automatically rejected.

Third Parties

We also share the personal data of Applicants with trusted service providers (processors) pursuant to contractual arrangements with them, which will include appropriate safeguards to protect any personal data that we share with them. The data recipients may include, for example, IT service providers and lawyers.

7 International Transfers of Personal Data

Intra-Group

Due to the nature of the operations of our Group, your personal data may be transferred to and shared with authorised personnel of other members of the Group where we have offices in both the EU and UK.

Third Parties

Some of the third parties with which we may share your personal data may be located outside the EU/EEA or UK.  Unless the recipients are located in countries that have been deemed adequate by the European Commission or UK Parliament, we will put in place data transfer agreements based on the applicable EU Standard Contractual Clauses or rely on other available data transfer mechanisms (e.g., Binding Corporate Rules or approved Certifications or Codes of Conduct) to protect personal data that is transferred to recipients outside the EU or the UK.  In exceptional cases, we may rely on statutory derogations for international data transfers.

8 Rights of individuals in relation to their Personal Data

The Applicable Data Protection Laws provide certain rights to data subjects in relation to their personal data.  These include the rights to:

·       request details about the personal data that we process, and obtain a copy of the data that we hold about them;

·       correct or update their personal data;

·       transmit personal data that the data subject has provided to us, in machine readable format, to another party;

·       erase the data that we hold about them;

·       restrict or object to a processing activity; and

·       object to processing:

(i)         if based on grounds relating to the individual’s particular situation, where the processing is based on the legitimate interest of the Company; or

(ii)        where personal data is being processed for direct marketing purposes; and

·       decline to consent or withdraw your consent, if consent is the basis for processing your personal data.

In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to processing) may make it impossible for us to achieve the purposes identified in Section 4 of this Privacy Notice in relation to your potential employment or partnership with us.

To assist us in complying with our obligation to maintain the accuracy of your personal data, please notify us in writing of any changes to your personal data by updating your information using the Recruitment Platform or contacting the HR Team.  Where you have notified us or we otherwise become aware of an inaccuracy in your information, we will take appropriate steps to rectify the inaccuracy.

Should an Applicant wish to exercise any of the rights set out above, please email dpo@graftonplc.com.

You have the right to make a complaint at any time to the relevant supervisory authority, which upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We would, however, appreciate the chance to deal with your concerns before you approach the relevant supervisory authority, so please contact us in the first instance at dpo@graftonplc.com.

Definitions

Applicable Data Protection Law

means the GDPR, the UK GDPR, the UK Data Protection Act 2018 and any national laws governing the protection of personal data as may be amended from time to time.

Applicant

as defined in the Introduction to this Privacy Notice.

Colleagues

includes full-time employees, part-time employees, temporary employees, reinstated employees, rehired employees and retired and former employees.

Data Controller or Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

GDPR

means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).

Personal Data

means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., computers), such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data

means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health or data concerning a natural person's sex life or sexual orientation.

UK GDPR

means UK legislation incorporating the provisions of the GDPR into the body of UK law.