Data Processing Notice
Who is Definia and what do we do?
Definia is an expert advisory and delivery partner that offers tailored services to transform and future-proof businesses from across industry sectors. Definia is part of the Investigo group.
Operating as advisors across the private and public sectors, we deploy teams of subject matter experts to help our clients deliver business initiatives, adopt new technology and bring about transformation.
Definia selects and engages its own teams of consultants to provide Definia’s consultancy services as well as other professional and administrative staff to support, advise and structure such services.
Our legal entity is listed below:
| Country | Legal entity | Correspondence address |
| --- | --- | --- |
| United Kingdom | Investigo Limited | 10 Bishops Square, London, England, E1 6EG |
We are a data controller as we determine the purposes and means of processing your personal data.
In the United Kingdom Investigo Limited is registered with the Information Commissioner’s Office (certificate no: Z8867460).
Does this Data Processing Notice apply to you?
This Data Processing Notice applies to you if you are an independent contractor who is looking for a consultancy or contract position.
What legislation applies?
We have issued this Data Processing Notice in accordance with the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and any associated legislation e.g. the Data Protection Act 2018, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. In this Data Processing Notice, any references to GDPR also relate to associated legislation. The relevant legislation may be updated from time to time.
Does this Data Processing Notice apply to you?
Definia is committed to respecting your right to privacy. As such, this Data Processing Notice covers the following topics:
- What are the types of personal data that we collect about you?
- How do we process your personal data?
- How long do we keep your personal data for?
- What are the purposes for which we share your personal data?
- Will we use your data for automated processing?
- What legal bases do we have for processing your personal data?
- Will you be receiving marketing emails, and can you opt out of these?
- Do we transfer your personal data outside the EEA?
- What are your rights?
- Is your personal data safely secured?
- What do you need to do if you want to file a complaint?
- What happens if we make changes to this Data Processing Notice?
What are the types of personal data that we collect about you?
In order to provide recruitment services to our candidates, we may process the following personal data:
- Full name
- Registered address
- Date of birth
- Email addresses
- (Mobile) Telephone number
- Work history
- LinkedIn profile and other relevant social media profiles
- Work history & client testimonials
- Representatives right to work (ID)
- Current fees
- Desired fees
- Other documentation, if requested by Definia or our clients.
Furthermore, if you are hired by Definia to work as a worker or contractor for us or one of our clients, additional personal details may be processed.
If you are confirmed for interim work, you may have to provide us with the following personal data:
- A copy of your passport/visa
- National Insurance Number
- P45, P46 or equivalent document
- Professional references
- Clearance documents, criminal checks (including fraud checks) or a credit check (when applicable)
- Company documents (see explanation below)
- Details to complete background checks
For enhanced screening or compliance purposes, we may also ask you to provide us with additional documentation. If this is the case, then we will tell you what documents we need.
We may also have to collect other documents which may relate to you as an individual, including information relating to any limited company directorships or shareholdings you have (e.g. for your company, which can be your own limited company or a nominated umbrella company): certificate of incorporation, proof of tax & social security status, VAT certificate (when applicable), bank statement (usually not a personal bank account), insurance documents and, where applicable, statutory information (IR35).
We will process data about your assignment(s) and relevant payments to your business in connection with your assignment(s). You may also be engaged as an Agency Worker on a PAYE basis, meaning that you will be paid as an individual and receive a monthly payslip. If you will be working as an Agency Worker, we will also process data such as information about your paid holiday entitlement, wages and pension contributions.
We will furthermore process your assignment details (including the agreed rates) and may provide you with a Key Information Document to give you visibility on how your take-home pay is calculated.
We are sometimes instructed by our client to conduct a background check.
This is often requested by clients who operate in the public sector or the Financial Services Industry.
A “background check” (which could include credit checks and/or fraud checks) is a verification of your antecedents by making use of the services of an agency which specialises in performing background checks. The details to be verified in this background check would typically include, but are not limited to:
(a) The authenticity of your residential address;
(b) The veracity of your claims in relation to educational qualifications and work/job experience; and
(c) An enquiry into your character, including but not limited to your criminal history, credit checks/history.
If background checks apply, we will tell you what is expected of you when initiating or conducting a background check. Unless we inform you otherwise, we will not share the outcome of the background check with any other party other than the client, and this will only be communicated to people with a ‘need to know’. Some clients however may require a copy of the background check as they need to abide by internal or external compliance standards.
The background checks may be carried out in-house or this may be outsourced to a third-party background check screening company (screening company). If the latter is the case, then you need to speak to the screening company if you have any questions about how your personal data is processed.
We may carry out CIFAS (fraud) checks. For more detail, please read section 4.
If you want to know exactly what documents we hold on file about you, please contact your recruitment consultant or email GDPR@investigo.co.uk
How do we process your personal data?
The following include the different sources from which we may collect your personal data:
Directly from you.
- the information you provide to us while searching for a new opportunity
- the information provided to us during the different stages of the recruitment process.
From an agent/third party acting on your behalf.
- a Contractor’s Limited Company
Through (publicly) available sources.
- Zoom info
- Job Boards
- CV databases
- Your organisation’s website
By reference or word of mouth.
- you may be recommended by a friend, a former employer, a former colleague or even a present employer.
If you want to know how we acquired your details, please speak to your recruitment consultant or email GDPR@investigo.co.uk
How long do we keep your personal data for?
In most circumstances your data will not be retained for more than 6 years from the last point at which we provided any services or otherwise engaged with you. It is our policy to only store your personal data for as long as is reasonably necessary for us to comply with our legal obligations and for our legitimate business interests. The following sets out the lengths of time we are required by law to retain your data or certain elements of your data:
- for 2 years from the end of your last period of engagement or employment for the purposes of providing evidence that right to work checks were carried out under The Immigration (Restrictions of Employment) Order 2007;
- for 3 years from the end of the relevant year for the purposes of any parental/adoption leave records or statutory maternity or paternity pay;
- for 6 years from the end of each tax year for the purposes of retaining payroll records under the Income Tax (Employment and Pensions) Act 2003; and
- for 6 years from the end of each tax year for the purposes of keeping VAT records for any VAT registered limited company contractors.
However, we may retain data for longer than a 6 year period where we have a legal or contractual obligation to do so, or we form the view that there is otherwise a continued basis to do so, for example where your personal information identifies specialist skill sets which may remain in demand, or we are subject to a legal obligation which applies for a longer period.
If however you believe that we should delete your personal data at an earlier date, please inform us in writing of your reasons. Please see Section 9 below for ‘Your Rights’.
Why and with whom do we share your personal data?
This section outlines in more detail the purposes and the consequences of processing your personal data. We will be using your personal data to:
- source potential opportunities or roles as part of our and consulting services
- collate market information or trends including providing analysis to potential or actual clients
- personalise your experience and our offering with appropriate content, whether via our website or otherwise
- collect further information needed to assess your eligibility for the projects
Where background checks and specifically CIFAS (fraud) checks are carried out, the personal information we have collected from you will be shared with Cifas who will use it to prevent fraud, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct. If any of these are detected, you could be refused certain services or employment. Your personal information will also be used to verify your identity.
Further details of how your information will be used by us and Cifas, and your data protection rights, can be found by accessing https://www.cifas.org.uk/fpn. If we carry out a CIFAS check, we will provide you with the FAIR PROCESSING NOTICE FOR THE INTERNAL FRAUD DATABASE.
- We will only share your personal data (usually CV) with our clients if you have explicitly consented to this.
We may share your personal details with an umbrella or management company if you have confirmed a desire to utilise a particular approved umbrella company.
Will we use your personal data for automated processing?
We will not conduct any forms of automated processing of your personal data consisting of the use of personal data to evaluate certain personal aspects relating to you.
We will not analyse or predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Furthermore, we will not make decisions that are based solely on automated processing which produces legal effects or similarly significantly affects your rights.
What legal bases do we have for processing your personal data?
If we process your personal data, we mostly rely on the following legal bases:
| consent | Sending your details to clients, processing sensitive data (e.g., health data), sending you job alerts. |
| legitimate interest | Adding your details to our database and contacting you from time to time to identify and discuss potential consulting opportunities. Carrying out background checks if we are instructed to do so by our client. |
| contract | Signing an agreement with you as an individual or with your business/umbrella company or employer. |
| legal obligation | Where applicable, under the Conduct of Employment Agencies and Employment Businesses Regulations 2003, we must retain evidence of an introduction or supply for at least one year from the last activity e.g., interview, introduction or engagement. |
If you are a candidate, the legal basis on which we usually rely for processing your information will be our legitimate interests. We have carried out a Legitimate Interest Assessment which is available upon request. As part of this Legitimate Interest Assessment (‘LIA’), a “balancing test” is carried out to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests. We maintain a record of these balancing tests and you may request a copy of the LIA by contacting GDPR@investigo.co.uk.
Please note that the list of legal bases is not exhaustive.
Will you be receiving marketing emails, and can you opt out of these?
We may market relevant products and services to you unless you inform us of your wish to opt out (which you are entitled to do at any stage). Some emails we send are market insight driven, others are service, and vacancy related. We also approach our network for feedback and insight. You can sign up for job alerts via our website and you can unsubscribe from these whenever you wish.
Do we transfer your personal data outside the EEA?
As our servers are based in the United Kingdom, your personal data is shared, stored and processed outside the European Economic Area (EEA).
We will however only transfer your data outside the EEA to countries which the European Commission believes offer an adequate level of protection to you or where appropriate safeguards have been put in place to preserve the privacy of your data.
If you need to see a copy of the relevant Standard Contractual Clauses signed by our UK and US office, please contact GDPR@investigo.co.uk.
What are your rights?
By law, you have a number of rights regarding your personal data. These rights can be summarised as follows: right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling. Further information and advice about your rights can be obtained from the Information Commissioner’s Office.
You are entitled to lodge a so-called Subject Access Request (‘SAR’). The types of SARs are outlined below:
What rights do you have in relation to the data we hold on you?
| Rights | What does this mean? |
| --- | --- |
| 1. The right to be informed | You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this Data Processing Notice. |
| | This is so you are aware and can check that we are using your information in accordance with the GDPR. |
| 3. The right to rectification | You are entitled to have your information corrected if it is inaccurate or incomplete. |
| 4. The right to erasure | This is also known as ‘the right to be forgotten’ and in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions. |
| 5. The right to restrict processing | You have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but cannot use it further. We keep encrypted lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future. |
| 6. The right to data portability | You have the right to obtain and reuse your personal data for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT system and theirs safely and securely, without affecting its usability. |
| 7. The right to object to processing | You have the right to object to certain types of processing, including processing for direct marketing (e.g., if you no longer want to be contacted regarding potential opportunities). |
| 8. The right to lodge a complaint | You have the right to lodge a complaint about the way we handle or process your personal data with the ICO https://ico.org.uk. |
| 9. The right to withdraw consent | If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes. |
We will respond to any request within 1 month (this can be extended to 2 months in exceptional circumstances). However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may refuse to act upon your request. If this happens then we will inform you within one month about the possibility of lodging a complaint with a supervisory authority (in the UK this will be the ICO) or seeking a judicial remedy.
The fact that you make a deletion request does not necessarily mean that we will grant your request in every instance especially if we have legitimate reasons to retain your personal data. We will always give reasons if we decline your request.
Please note that should we receive any requests from you to erase personal data or stop processing your information, we may retain a record of such requests as well as the actions taken by us. This will serve both as evidence of our compliance with your request and to enable us to take steps to curtail any future processing of your data should it be received again from a third-party source.
Is your personal data safely secured?
We take all reasonable steps to ensure that your personal data is adequately secured. We use market suppliers such as Bullhorn, Microsoft market, Broadbean, Cube 19 and ETZ, all of which are leading and up-to-date technologies. We are delighted to have been awarded ISO 27001 certification for the quality of our information security, following an independent audit by certification body QMS International.
ISO 27001 is an international standard laying out the specifications for implementing an information security management system. Certification demonstrates that our organisation has invested in the people, processes and technology to protect our data and provides an independent, expert assessment of whether our data is sufficiently protected.
What do you need to do if you want to file a complaint?
If you are based in the UK and are unhappy about any aspect of the way in which your Personal Data is processed by us, in the first instance please contact us at GDPR@investigo.co.uk. This does not affect your right to make a complaint to the Information Commissioner’s Office https://ico.org.uk.
If you are based in the EU and are unhappy about any aspect of the way in which your Personal Data is processed by us, in the first instance please contact us at GDPR@investigo.co.uk or call our EU representative:
David Korthals-Clarke, Head of Compliance | +31 20 809 0266
What happens if we make changes to this Data Processing Notice?
It is important to note that we may amend this Data Processing Notice from time to time. Please visit this page if you want to stay up to date as we will post any changes here.
Last updated: November 2021