GDPR Compliance

Introduction

Primed Talent Limited (hereinafter “we”, “us”, or “our”) is a company that provides services to clients in the UK, US, EU, Switzerland, and India. We are committed to protecting the personal data of our clients, candidates, employees, and other stakeholders, in accordance with the applicable data protection laws, such as the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Swiss Federal Act on Data Protection (FADP), the Indian Personal Data Protection Bill (PDPB), and the relevant US state and federal laws.

This policy explains how we collect, use, store, transfer, and disclose personal data, as well as the rights and choices that individuals have regarding their personal data. This policy applies to all personal data that we process in the course of our business activities, whether it is collected directly from individuals or received from third parties.

Definitions

For the purposes of this policy, the following terms have the following meanings:

  • Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • Third party means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  • Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Data Protection Principles

We adhere to the following data protection principles when processing personal data:

  • Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner in relation to the data subject.
  • Purpose limitation: We collect personal data for specified, explicit, and legitimate purposes and do not further process them in a manner that is incompatible with those purposes.
  • Data minimization: We process personal data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: We take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality: We process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • Accountability: We are responsible for and able to demonstrate compliance with the data protection principles.

Data Protection Roles and Responsibilities

We have designated a Data Protection Officer (DPO) who is responsible for overseeing and ensuring our compliance with the data protection laws and this policy. The DPO can be contacted at info@primedtalent.com.

We also require our employees, contractors, and agents who are involved in the processing of personal data to comply with this policy and the data protection laws, and to undergo regular training on data protection best practices.

We may engage third-party service providers to process personal data on our behalf, such as cloud computing, web hosting, analytics, marketing, payroll, or accounting services. We enter into written agreements with such service providers that require them to comply with this policy and the data protection laws, and to implement appropriate technical and organizational measures to protect the personal data.

Data Collection and Use

We collect and use personal data for the following purposes:

  • To provide our services: We process personal data of our clients and candidates to provide recruitment, talent management, and other services, such as tax, sourcing, screening, interviewing, hiring, onboarding, training, coaching, performance management, and development. The legal basis for this processing is the performance of a contract or the taking of steps at the request of the data subject prior to entering into a contract.
  • To communicate with our stakeholders: We process personal data of our clients, candidates, employees, and other stakeholders to communicate with them about our services, projects, events, surveys, feedback, or other matters that may be of interest or relevance to them. The legal basis for this processing is our legitimate interest in maintaining and enhancing our business relationships and operations, or the consent of the data subject where required by law.
  • To comply with our legal obligations: We process personal data of our clients, candidates, employees, and other stakeholders to comply with our legal obligations, such as tax, accounting, reporting, auditing, or security requirements. The legal basis for this processing is the compliance with a legal obligation to which we are subject.
  • To protect our rights and interests: We process personal data of our clients, candidates, employees, and other stakeholders to protect our rights and interests, such as enforcing our contracts, policies, or terms of service, resolving disputes, or defending against legal claims. The legal basis for this processing is our legitimate interest in safeguarding our assets and reputation, or the establishment, exercise, or defense of legal claims.

We do not process personal data for purposes other than those for which they were collected, unless we have obtained the data subject’s consent or have another legal basis for doing so.

We do not process personal data that are considered sensitive or special categories of personal data under the data protection laws, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation, unless we have obtained the data subject’s explicit consent or have another legal basis for doing so.

Data Retention and Deletion

We retain personal data for as long as necessary to fulfill the purposes for which they were collected, or to comply with our legal obligations, or to protect our rights and interests.

We delete or anonymize personal data when they are no longer needed for the purposes for which they were collected, or when the data subject requests their deletion or withdraws their consent, unless we have a legal obligation or a legitimate interest to keep them.

We have established data retention policies and procedures that specify the retention periods for different categories of personal data, based on the nature, purpose, and sensitivity of the data, and the potential risk of harm from unauthorized use or disclosure of the data.

Data Transfer and Disclosure

We may transfer or disclose personal data to third parties for the purposes described in this policy, or as required or permitted by law. We only transfer or disclose personal data to third parties who have a legitimate need to access them, and who agree to comply with this policy and the data protection laws, and to implement appropriate technical and organizational measures to protect the personal data.

We may transfer or disclose personal data to the following categories of third parties:

  • Service providers: We may transfer or disclose personal data to third-party service providers who process personal data on our behalf, such as cloud computing, web hosting, analytics, marketing, payroll, or accounting services. We enter into written agreements with such service providers that require them to comply with this policy and the data protection laws, and to implement appropriate technical and organizational measures to protect the personal data.
  • Affiliates: We may transfer or disclose personal data to our affiliates, which are entities that are controlled by, control, or are under common control with us, for the purposes of providing our services, communicating with our stakeholders, complying with our legal obligations, or protecting our rights and interests. We enter into written agreements with our affiliates that require them to comply with this policy and the data protection laws, and to implement appropriate technical and organizational measures to protect the personal data.
  • Clients: We may transfer or disclose personal data of our candidates to our clients who are interested in hiring or engaging them, for the purposes of providing our services, communicating with our stakeholders, complying with our legal obligations, or protecting our rights and interests. We enter into written agreements with our clients that require them to comply with this policy and the data protection laws, and to implement appropriate technical and organizational measures to protect the personal data.
  • Authorities: We may transfer or disclose personal data to governmental or regulatory authorities, courts, or law enforcement agencies, when we are required or permitted to do so by law, or when we believe that such transfer or disclosure is necessary to comply with our legal obligations, or to protect our rights and interests, or the rights and interests of our stakeholders or third parties.
  • Others: We may transfer or disclose personal data to other third parties with the consent of the data subject, or as otherwise required or permitted by law.

Data Transfer across Borders

We may transfer personal data across national borders, such as from the UK to the US, the EU, Switzerland, or India, or vice versa, for the purposes described in this policy, or as required or permitted by law. We only transfer personal data across borders when we have a legal basis and a legal mechanism for doing so.

We have a legal basis for transferring personal data across borders when:

  • The data subject has given their explicit consent to the proposed transfer, after being informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
  • The transfer is necessary for the performance of a contract between the data subject and us, or the implementation of pre-contractual measures taken at the data subject’s request;
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between us and another natural or legal person;
  • The transfer is necessary for important reasons of public interest;
  • The transfer is necessary for the establishment, exercise, or defense of legal claims;
  • The transfer is necessary in order to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent;
  • The transfer is made from a register which according to UK, EU, Swiss, or Indian law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by UK, EU, Swiss, or Indian law for consultation are fulfilled in the particular case.

We have a legal mechanism for transferring personal data across borders when:

  • The UK Information Commissioner’s Office (ICO), the European Commission, the Swiss Federal Data Protection and Information Commissioner (FDPIC), or the Indian Data Protection Authority (DPA) has issued an adequacy decision, which means that they have determined that the country or organization to which the personal data are transferred ensures an adequate level of protection for the personal data;
  • We have entered into Standard Contractual Clauses (SCCs) with the recipient of the personal data, which are model contracts approved by the ICO, the European Commission, the FDPIC, or the DPA that impose contractual obligations on both parties to ensure the protection of the personal data;
  • We have implemented Binding Corporate Rules (BCRs) for the transfer of personal data within our group of companies, which are internal rules approved by the ICO, the competent EU data protection authorities, the FDPIC, or the DPA that ensure that the personal data are protected throughout our group of companies;
  • The recipient of the personal data has adhered to an approved code of conduct or obtained an approved certification, which are mechanisms that demonstrate compliance with the data protection laws and are monitored by a body accredited by the ICO, the competent EU data protection authority, the FDPIC, or the DPA;
  • The recipient of the personal data has provided appropriate safeguards and enforceable rights and effective legal remedies for the data subject are available, such as contractual clauses, administrative arrangements, or other legal instruments that are authorized by the ICO, the competent EU data protection authority, the FDPIC, or the DPA.

We will inform the data subject of the legal basis and the legal mechanism for the transfer of personal data across borders, and provide them with a copy of the relevant documents, upon request.

Data Subject Rights

The data protection laws grant data subjects certain rights regarding their personal data. We respect and facilitate the exercise of these rights, as follows:

  • Right of access: The data subject has the right to obtain from us confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with the ICO, the competent EU data protection authority, the FDPIC, or the DPA; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; (i) where personal data are transferred to a third country or to an international organization, the appropriate safeguards relating to the transfer. We will provide a copy of the personal data undergoing processing to the data subject, upon request.
  • Right to rectification: The data subject has the right to obtain from us the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to erasure: The data subject has the right to obtain from us the erasure of personal data concerning him or her without undue delay, and we have the obligation to erase personal data without undue delay, where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in UK, EU, Swiss, or Indian law to which we are subject; (f) the personal data have been collected in relation to the offer of information society services to a child. However, this right does not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by UK, EU, Swiss, or Indian law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise, or defense of legal claims.
  • Right to restriction of processing: The data subject has the right to obtain from us restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling us to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; (d) the data subject has objected to processing, pending the verification of whether our legitimate grounds override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the UK, the EU, Switzerland, or India.
  • Right to data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from us, where: (a) the processing is based on consent or on a contract; and (b) the processing is carried out by automated means. In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from us to another controller, where technically feasible.
  • Right to object: The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on our legitimate interests or on the performance of a task carried out in the public interest or in the exercise of official authority vested in us. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  • Right not to be subject to automated decision-making: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless: (a) the decision is necessary for entering into, or performance of, a contract between the data subject and us; (b) the decision is authorized by UK, EU, Swiss, or Indian law to which we are subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) the decision is based on the data subject’s explicit consent. In any case, such decisions shall not be based on special categories of personal data, unless the data subject has given explicit consent or the processing is necessary for reasons of substantial public interest, and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

To exercise any of these rights, the data subject can contact us at info@primedtalent.com, or use any other means of communication that we provide. We will respond to the data subject’s request without undue delay, and in any event within one month of receipt of the request, unless the request is complex or we receive a large number of requests, in which case we may extend the response time by another two months, informing the data subject of the reasons for the delay.

We will provide the information requested by the data subject free of charge, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

We may request the provision of additional information necessary to confirm the identity of the data subject, if we have reasonable doubts concerning the identity of the person making the request.

The data subject also has the right to lodge a complaint with the ICO, the competent EU data protection authority, the FDPIC, or the DPA, in particular in the UK, EU, Swiss, or Indian member state of his or her habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the data protection laws.

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

We apply the following security measures, among others:

  • Encryption of personal data in transit and at rest, using industry-standard algorithms and protocols;
  • Pseudonymization and anonymization of personal data, where feasible and appropriate;
  • Regular backup and recovery of personal data, using secure and reliable storage media;
  • Access control and authentication of authorized personnel, using strong passwords, multi-factor authentication, and role-based permissions;
  • Firewall, antivirus, and anti-malware protection of our systems and networks, using up-to-date software and tools;
  • Security awareness and training of our employees, contractors, and agents, who are involved in the processing of personal data;
  • Security audits and assessments of our systems and processes, using internal and external experts;
  • Security incident response and management, using established procedures and protocols.

We monitor and review the effectiveness of our security measures on a regular basis, and update them as necessary to address new or emerging threats or vulnerabilities.

We also require our third-party service providers, affiliates, and clients to implement appropriate technical and organizational measures to protect the personal data that we transfer or disclose to them, and to notify us of any security incidents or breaches that may affect the personal data.

Data Breach Notification

In the event of a personal data breach, we will take the following actions, without undue delay and, where feasible, not later than 72 hours after having become aware of it:

  • Notify the ICO, the competent EU data protection authority, the FDPIC, or the DPA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification will contain, at least: (a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) the name and contact details of the DPO or other contact point where more information can be obtained; (c) a description of the likely consequences of the personal data breach; (d) a description of the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • Communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication will contain, in clear and plain language: (a) a description of the nature of the personal data breach; (b) the name and contact details of the DPO or other contact point where more information can be obtained; (c) a description of the likely consequences of the personal data breach; (d) a description of the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • Document the personal data breach, including the facts relating to the personal data breach, its effects, and the remedial action taken, as part of our records of processing activities.

We may delay or omit the notification or communication to the ICO, the competent EU data protection authority, the FDPIC, or the DPA, or the data subject, if:

  • We have implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
  • It would involve disproportionate effort, in which case we will make a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

We will also notify our third-party service providers, affiliates, and clients of any personal data breach that may affect the personal data that we have transferred or disclosed to them, and cooperate with them to address the personal data breach and mitigate its possible adverse effects.

Policy Updates

We may update this policy from time to time, to reflect changes in our practices, technologies, legal requirements, or other factors. We will post the updated policy on our website and indicate the date of revision. We encourage data subjects to periodically review this policy to stay informed about how we process personal data.

If we make any material changes to this policy that may have a significant impact on the rights and freedoms of data subjects, we will notify them by email or other appropriate means, and obtain their consent where required by law.

Contact Us

If you have any questions, comments, or requests regarding this policy or our processing of personal data, please contact us at:

info@primedtalent.com

This policy was last updated on November 20, 2023.