Policy Reference Number:	PT/GDPR/V3
Date of Approval	January 2026
Next Review Date	January 2027

 

Introduction

Primed Talent Ltd (“Primed Talent”, “we”, “us”, “our”) is committed to protecting the personal data of our clients, learners, candidates, employees, contractors, partners, and other stakeholders in accordance with applicable data protection and privacy laws. 

Depending on the nature of the data, the location of the individual, and the services being delivered, these may include: 

• UK General Data Protection Regulation (UK GDPR) 
• Data Protection Act 2018 
• EU General Data Protection Regulation (EU GDPR), where applicable 
• Swiss Federal Act on Data Protection (FADP), where applicable 
• Indian Digital Personal Data Protection Act, 2023 (DPDP Act), where applicable 
• Relevant United States federal or state privacy laws, where applicable 

This policy explains how we collect, use, store, share, retain, transfer, and protect personal data, and how we uphold the rights of individuals whose data we process. 

 

Scope

This policy applies to all personal data processed by Primed Talent in the course of its business activities, including data relating to: 

• prospective and existing clients 
• learners and programme participants 
• job applicants and candidates 
• employees and contractors 
• trainers, assessors, and consultants 
• suppliers and business partners 
• website users and marketing contacts 

This policy applies to personal data processed in both digital and physical formats. 

Definitions

For the purpose of this policy: 

• Personal Data means any information relating to an identified or identifiable individual. 
• Special Category Data means sensitive personal data requiring higher protection under applicable law, such as health data, biometric data, racial or ethnic origin, religious beliefs, or trade union membership, where applicable. 
• Processing means any operation performed on personal data, including collection, storage, use, sharing, updating, or deletion. 
• Data Subject means the individual to whom personal data relates. 
• Controller means the organisation that determines the purposes and means of processing personal data. 
• Processor means a party that processes personal data on behalf of a controller. 
• Consent means a freely given, specific, informed, and unambiguous indication of the individual’s wishes, where consent is the lawful basis relied upon. 
• Profiling means any form of automated processing used to evaluate certain personal aspects of an individual. 

 

Data Protection Principles

Primed Talent processes personal data in accordance with the following principles: 

• lawfulness, fairness, and transparency 
• purpose limitation 
• data minimisation 
• accuracy 
• storage limitation 
• integrity and confidentiality 
• accountability 
• We ensure that personal data is processed only where there is a valid legal basis and for legitimate business purposes. 

Categories of Personal Data We May Process

Depending on the relationship with the individual and the service being delivered, we may process: 

• identity data such as name, title, date of birth, or identification details 
• contact data such as email address, phone number, postal address 
• employment and education data such as CVs, qualifications, training records, experience, references 
• learner and programme data such as attendance, assessments, progression, completion, and placement information 
• financial data where required for invoicing, payments, or payroll purposes 
• technical data such as IP address, device data, login data, and website usage information 
• communication data such as emails, enquiries, call notes, and support requests 
• compliance data required for funding, audit, safeguarding, or statutory obligations 
• special category data only where necessary and lawfully permitted 

We will only collect personal data that is relevant, adequate, and limited to what is necessary. 

 

Purposes of Processing and Lawful Basis

We process personal data for the following purposes: 

a) Delivery of services

Including recruitment, employability support, training, learner engagement, programme administration, workforce solutions, and related services. 
Lawful basis: contract, steps prior to entering into a contract, or legitimate interests. 

b) Candidate and recruitment management

Including candidate sourcing, screening, interviews, placement support, and employer matching. 
Lawful basis: contract, steps prior to entering into a contract, legitimate interests, and where required, consent. 

c) Learner administration

Including enrolment, eligibility checks, attendance, assessments, certification, learner support, progression tracking, and reporting to funding or delivery partners where applicable. 
Lawful basis: contract, legal obligation, public task where applicable, and legitimate interests. 

d) Employment administration

Including recruitment, onboarding, payroll, benefits, performance management, compliance, health and safety, and statutory reporting. 
Lawful basis: contract, legal obligation, and legitimate interests. 

e) Marketing and communications

Including newsletters, service updates, invitations to events, webinars, surveys, and relevant business communications. 
Lawful basis: legitimate interests or consent, depending on the nature of the communication and applicable law. 

f) Legal and regulatory compliance

Including tax, accounting, audit, fraud prevention, right-to-work checks, safeguarding, and responding to lawful requests from regulators or authorities. 
Lawful basis: legal obligation and legitimate interests. 

g) Business protection and dispute management

Including enforcement of contracts, internal investigations, handling complaints, and legal claims. 
Lawful basis: legitimate interests and legal obligation where applicable. 

h) Systems security and service improvement

Including access controls, monitoring, troubleshooting, cybersecurity, analytics, and improvement of services and digital systems. 
Lawful basis: legitimate interests and legal obligation where applicable. 

Where special category data is processed, we will do so only where there is a valid additional condition under applicable law, such as explicit consent, employment law obligations, safeguarding requirements, or establishment, exercise, or defence of legal claims. 

 

Automated Processing and AI Use

Where technology, automation, AI-supported tools, or profiling is used in our operations, Primed Talent will ensure that: 

• such processing is subject to appropriate human oversight 
• decisions with legal or similarly significant effects are not based solely on automated processing unless lawfully permitted 
• fairness, proportionality, and data minimisation are considered 
• appropriate safeguards are implemented to reduce bias, inaccuracy, or unintended harm 
• Any AI-supported processing used in recruitment, assessment, communications, or operational support will be reviewed for compliance with applicable privacy and data protection obligations. 

 

Data Sharing and Disclosure

We may share personal data where necessary with: 

• clients and prospective employers, where relevant to recruitment or talent services 
• trainers, assessors, delivery partners, and programme partners 
• awarding bodies and certification bodies 
• government departments, funding bodies, auditors, or regulators where required 
• professional advisers such as legal, compliance, or financial advisers 
• IT providers, cloud service providers, CRM and ATS providers, payroll providers, and other processors acting on our instructions 
• law enforcement or public authorities where legally required 

Where third parties process personal data on our behalf, we ensure appropriate contractual, technical, and organisational safeguards are in place. 

We do not sell personal data. 

 

International Transfers

Where personal data is transferred outside the UK or outside the jurisdiction in which it was originally collected, Primed Talent will ensure that appropriate safeguards are in place. 

These may include: 

• adequacy regulations or adequacy decisions 
• approved standard contractual clauses 
• international data transfer agreements 
• binding corporate rules 
• other lawful transfer mechanisms recognised under applicable law 

Transfers will only take place where necessary and where lawful protections for the personal data are maintained. 

 

Data Retention and Deletion

Primed Talent retains personal data only for as long as necessary for the relevant purpose, legal obligation, contractual need, or legitimate business requirement. 

Typical retention periods may include: 

• candidate and recruitment data: up to 2 years from the last meaningful interaction, unless a longer period is required or consent is renewed 
• learner and programme records: retained in line with contractual, funding, awarding body, audit, and statutory requirements 
• employee records: retained in line with employment, tax, pension, and legal requirements 
• marketing records: retained until consent is withdrawn or the individual opts out, subject to lawful retention needs 
• supplier and financial records: retained in line with tax, accounting, and contractual requirements 
• At the end of the retention period, personal data will be securely deleted, destroyed, or anonymised, unless continued retention is legally required. 

A separate retention schedule may be maintained to define detailed retention periods by record type. 

 

Individual Rights

Where applicable under law, individuals have the right to: 

• be informed about how their personal data is used 
• access their personal data 
• request correction of inaccurate or incomplete personal data 
• request erasure of personal data 
• request restriction of processing 
• object to processing carried out on legitimate interests grounds 
• request transfer of their personal data where applicable 
• object to or seek review of certain automated decision-making 
• withdraw consent at any time where consent is the lawful basis relied upon 

Requests relating to personal data may be submitted to: info@primedtalent.com 

We will respond within the applicable legal timeframe, normally within one month, unless an extension is permitted due to complexity or volume of requests. 

 

Data Security

Primed Talent implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss, misuse, or destruction. 

These measures may include: 

• role-based access controls 
• password protection and multi-factor authentication where appropriate 
• encryption in transit and at rest where appropriate 
• secure storage and restricted access to records 
• regular software updates and patching 
• supplier due diligence and contractual controls 
• staff awareness and confidentiality obligations 
• secure disposal of records and devices 
• incident monitoring and response procedures 

Access to personal data is limited to those who need it for legitimate business purposes. 

 

Personal Data Breaches

A personal data breach includes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. 

In the event of a suspected or actual breach, Primed Talent will: 

• assess the nature and scope of the incident 
• contain and investigate the breach 
• record the incident and actions taken 
• notify the relevant regulator where required by law 
• notify affected individuals where there is a high risk to their rights and freedoms 
• implement corrective and preventive actions 
• All staff and contractors must report suspected data breaches immediately through the appropriate internal reporting channel. 

 

Complaints

Individuals who have concerns about how Primed Talent handles their personal data may contact us at info@primedtalent.com in the first instance. 

Where applicable, individuals also have the right to lodge a complaint with the relevant supervisory authority, including the UK Information Commissioner’s Office (ICO). 

 

Responsibilities

Primed Talent is responsible for ensuring compliance with this policy. 

Management is responsible for ensuring that appropriate controls, processes, and resources are in place. 

Employees, contractors, trainers, consultants, and any person handling personal data on behalf of Primed Talent must: 

• follow this policy and related procedures 
• only access personal data where authorised 
• maintain confidentiality 
• report incidents, breaches, or concerns promptly 
• complete relevant data protection training where required 
• The designated policy lead or data protection lead is responsible for overseeing the implementation and review of this policy. 

 

Policy Review and Updates

This policy will be reviewed at least annually, or sooner where there are: 

• changes in applicable law or regulatory guidance 
• changes to business operations or processing activities 
• material changes to systems, services, or suppliers 
• lessons learned from incidents, audits, or complaints 

Where appropriate, related notices, procedures, and records will also be updated. 

 

Contact Details

Primed Talent Ltd 
Email: info@primedtalent.com 

Questions regarding this policy or personal data processing practices should be directed to the Data Protection Lead unless a formal Data Protection Officer has been appointed. 

 

Document Control and Review

Field	Details
Approval Status	Approved
Approved By	Managing Director
Date Approved	March 2026
Review Date	March 2027
Policy Lead	Data Protection Officer
Policy Number	PT/GDPR/V3

 

Revision Log

Version	Date	Section Updated	Summary of Change
V1	January 2023	Initial Release	Data protection policy published
V2	January 2025	Full Policy Review	Updated to reflect wider regulatory references and practices
V3	March 2026	Full Policy Refresh	Reviewed with no material operational change; updated document control, clarified lawful basis, rights, retention, complaints, AI use, international transfers, and governance wording