Please note that this Site is also governed by the Terms and Conditions of Use. We urge you to review the Terms and Conditions of Use before proceeding further on this Site.
For the purposes of data protection legislation in force from time to time, the data controller is CMD Recruitment of 4 Lancaster House, Lancaster Park, Bowerhill, Melksham, SN12 6TT
Our nominated Data Protection Officer is Dan Barfoot
Who we are and what we do.
We are a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003 (our business). We collect the personal data of the following types of people to allow us to undertake our business;
- Prospective and placed candidates for permanent or temporary roles;
- Prospective and live client contacts;
- Supplier contacts to support our services;
- Employees, consultants, temporary workers;
We collect information about you to carry out our core business and ancillary activities.
Information you give to us or we collect about you.
This is information about you that you give us by filling in forms on our site www.cmdrecruitment.com or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you register to use our site, to enter our database, subscribe to our services, attend our events, participate in discussion boards or other social media functions on our site, enter a competition, promotion or survey, and when you report a problem with our site.
The information you give us or we collect about you may include your name, address, private and corporate e-mail address and phone number, financial information, compliance documentation and references verifying your qualifications and experience and your right to work in the United Kingdom, curriculum vitae and photograph, links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, business Facebook or corporate website.
Information we collect about you when you visit our website.
Regarding each of your visits to our site we will automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information if applicable, browser type and version, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
Purposes of the processing and the legal basis for the processing.
We use information held about you in the following ways:
- To carry out our obligations arising from any contracts we intend to enter into or have entered into between you and us and to provide you with the information, products and services that you request from us or we think will be of interest to you because it is relevant to your career or to your organisation.
- To provide you with information about other goods and services we offer that are similar to those that you have already purchased, been provided with or enquired about.
- The core service we offer to our candidates and clients is the introduction of candidates to our clients for the purpose of temporary or permanent engagement. However, our service expands to supporting individuals throughout their career and to supporting businesses’ resourcing needs and strategies.
Our legal basis for the processing of personal data is our legitimate business interests, described in more detail below, although we will also rely on contract, legal obligation and consent for specific uses of data.
We will rely on contract if we are negotiating or have entered into a placement agreement with you or your organisation or any other contract to provide services to you or receive services from you or your organisation.
We will rely on legal obligation if we are legally required to hold information on to you to fulfil our legal obligations.
We will in some circumstances rely on consent for particular uses of your data and you will be asked for your express consent if legally required. Examples of when consent may be the lawful basis for processing include permission to introduce you to a client (if you are a candidate).
Our Legitimate Business Interests.
Our legitimate interests in collecting and retaining your personal data is described below:
- As a recruitment business and recruitment agency, we introduce candidates to clients for permanent employment, temporary worker placements or independent professional contracts. The exchange of personal data of our candidates and our client contacts is a fundamental, essential part of this process.
- To support our candidates’ career aspirations and our clients’ resourcing needs we require a database of candidate and client personal data containing historical information as well as current resourcing requirements.
- To maintain, expand and develop our business we need to record the personal data of prospective candidates and client contacts.
Should we want or need to rely on consent to lawfully process your data we will request your consent orally, by email or by an online process for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this processing at any time.
Other uses we will make of your data:
Use of our website;
- To notify you about changes to our service;
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
We will use this information:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service when you choose to do so;
- as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
We do not undertake automated decision making or profiling. We do use our computer systems to search and identify personal data in accordance with parameters set by our team when carrying out recruitment searches.
Disclosure of your information inside and outside of the EEA
We will share your personal information with selected third parties including:
- clients for the purpose of introducing candidates to them
- candidates for the purpose of arranging interviews and engagements
- clients, business partners, suppliers and sub-contractors for the performance and compliance obligations of any contract we enter into with them or you;
- subcontractors including email marketing specialists, event organisers, payment and other financial service providers
- analytics and search engine providers that assist us in the improvement and optimisation of our site;
- compliance partners and other sub-contractors for the purpose of assessing your suitability for a role where this is a condition of us entering into a contract with you.
We will disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.
- If CMD Recruitment or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to enforce or apply our terms of and other agreements; or to protect the rights, property, or safety of CMD Recruitment, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
The lawful basis for the third-party processing will include:
- Their own legitimate business interests in processing your personal data, in most cases to fulfil their internal resourcing needs;
- Satisfaction of their contractual obligations to us as our data processor;
- For the purpose of a contract in place or in contemplation;
- To fulfil their legal obligations.
How Do You Access and Update Your Personal Information?
Your personal information is located on a server(s) operated by Purple Penguin Media Limited. CMD Recruitment provides you with the means to access, update, edit or delete the Registration Information and other personal information you have provided to us at any time on your own by going to your user account and changing or deleting your Registration Information and other personal information as desired. If you decide at any time that you do not want to receive any updates you have subscribed to just send an email message to firstname.lastname@example.org indicating your preference not to receive updates. If you are unsure whether we have a record containing your personal information and would like to confirm whether or not we do, please send an email to email@example.com indicating all email addresses which you may have given us.
How Is Your Personal Information Secured and Protected?
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach.
Where CMD Recruitment considers it appropriate, CMD Recruitment uses encryption and/or authentication tools among other methods to protect certain web-based personal information. E-mails you send us are not necessarily secure when they are transmitted to us. If your communication is sensitive or includes confidential information such as a credit card number, you may want to provide it by post or via the telephone instead.
If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately. Details of how to contact us can be found here.
This Site may contain links to other sites, including those of our business partners, vendors and advertisers. While we try to link only to sites that share our high standards and respect for privacy, please understand that we are not responsible for the content of, or the privacy practices employed by, other sites.
CVs are accessed by our consultants who seek to find you employment with third parties (“Third Parties”). Consultants are not permitted to disclose information outside our organization or beyond the Third Party, as applicable. Recruiters are also required to have entered into an agreement with Third Parties that requires such Third Parties to use your CV solely for the purpose of filling a job within the Third Party for which the information was provided and not disclosing your CV outside the organization. However, although CMD Recruitment deals only with reputable organizations, we cannot guarantee that all Employers and Third Parties will adhere to the limitations we impose on them. If at any time you would like your CV removed from our Website, you may do so by using the “delete CV” function.
Although we use all reasonable means to protect your personal information, CMD Recruitment is not responsible for any improper use of your personal information that is beyond our reasonable control.
Your CV when uploaded is converted into various formats for our use only. These conversions are handled by an external datacentre server stack. Once conversion is complete your CV is then automatically deleted from that service. We are committed to ensuring that your information is secure. To prevent unauthorized access or disclosure, the data company have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information. We may disclose your information if necessary to protect our legal rights or if the information relates to actual or threatened harmful conduct or potential threats to the physical safety of any person. Disclosure may be required by law or if we receive legal process. If these servers are breached, we are not responsible for this and cannot be held liable.
How long do we keep your personal data for?
We will delete your personal data from our systems if we have not had any meaningful contact with you for two years (or for such longer period as we believe in good faith that the law or relevant regulators require us to preserve your data). After this period, it is likely your data will no longer be relevant for the purposes for which it was collected.
When we refer to “meaningful contact”, we mean, for example, communication between us (either verbal or written), or where you are actively engaging with our online services. If you are a Candidate we will consider there to be meaningful contact with you if you submit your updated CV onto our website. We will also consider it meaningful contact if you communicate with us about potential roles, either by verbal or written communication or click through from any of our marketing communications or promotional content.
How can you access, amend or take back the personal data that you have given to us?
One of the GDPR’s main objectives is to protect and clarify the rights of EU citizens and individuals in the EU with regards to data privacy. This means you retain various rights in respect of your data, even once you have given it to us.
To get in touch about these rights, please contact us. We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). We may keep a record of your communications to help us resolve issues which you raise.
Right to object.
This right enables you to object to us processing your personal data where we do so for one of the following four reasons:
our legitimate interests;
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials;
- for scientific, historical, research, or statistical purposes.
The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply to our Website Users, Candidates, Clients and Suppliers. If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:
- we can show that we have compelling legitimate grounds for processing which overrides your interests; or
- we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
Right to withdraw consent.
Where we have obtained your consent to process your personal data for certain activities (for example, marketing arrangements or profiling), you may withdraw consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.
Data Subject Access Requests (DSAR)
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or Delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
Right to erasure.
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
- the data are no longer necessary for the purpose for which we originally collected and/or processed them;
- where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
- the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
- it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller; or
- if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to Delete the relevant data.
Right to restrict processing.
You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either:
- one of the circumstances listed below is resolved;
- you consent; or
- further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
- where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
- where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
- where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- where we have no further need to process your personal data, but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right to rectification.
You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of data portability.
You have the right to transfer your personal data between data controllers. This means that you are able to transfer your CMD account details to another online platform. To allow you to do so, we will provide you with your data in a commonly used machine-readable format that is password-protected so that you can transfer the data to another online platform. Alternatively, we may directly transfer the data for you.
This right of data portability applies to:
- personal data that we process automatically (i.e. without any human intervention);
- personal data provided by you; and
- personal data that we process based on your consent or in order to fulfil a contract.
Right to lodge a complaint with a supervisory authority.
You also have the right to lodge a complaint with your local supervisory authority. If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), you can contact us here.
We may keep a record of your communications to help us resolve any issues which you raise.
You may ask to unsubscribe from job alerts at any time. For details of how to do this please contact us here.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
Who is responsible for processing your personal data on the CMD website?
Our Data Processor Bullhorn is committed to addressing EU data protection requirements applicable to them as a data processor. Bullhorn has worked extensively with local EU counsel to provide that their Master Subscription Agreement and related agreements contain appropriate provisions for personal data they store and balances the risks and responsibilities between data controllers and data processors.
Bullhorn has the ability to fulfil commitments as a data processor to CMD Recruitment as data controller, as is part of their compliance with GDPR where data controllers are using a third-party to process personal data.
Bullhorn has the distinction of being one of the first applicant tracking systems (ATS) to be SOC 1 audited, and one of the first non-financial industry-based software-as-a-service (SaaS) companies to utilise the SSAE 16/18 framework to provide security review. Bullhorn undertakes an independent third party annual SOC 1, Type 2 audit that reviews certain of its internal controls and processes. The audit covers internal governance, production operations, change management, data backups, and software development processes. It evaluates that we have the appropriate controls and processes in place and that they are actively functioning appropriately in accordance with related standards.
GDPR includes certain requirements on data controllers for the portability of personal data. The data that CMD Recruitment stores in Bullhorn remains ours.
The SOC program offers independent verification that Bullhorn’s security practices offer a recognised standard of security measures. The program is designed to cover key elements of data processing and integrity while maintaining auditing practices within business and operational processes. Bullhorn has integrated its SOC controls into its operating procedures, which span the organisation, teams or functions that provide service or support to clients on their platform. The key components of the SOC controls environment include:
- Corporate Governance: how they provide oversight of our business and people
- Change Management: how they make sure changes are tracked and properly reviewed
- Access Control and Management: who has access to the platform operations and how this access is managed
- Data Redundancy and Backup: how data is kept safe and stored in the event of adversity
- Software Architecture and Development: oversight of the development effort around our platform
Bullhorn, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Bullhorn, Inc. is committed to subjecting all personal data it receives from data exporters in any European Union (EU), Switzerland or European Economic Areas (EEA) member state, under the Privacy Shield Framework, to its applicable Privacy Shield Principles.
CMD Recruitment do not store and transfer your data internationally.
Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In plain language, this means that:
- you must give us your consent freely, without us putting you under any type of pressure;
- you must know what you are consenting to – so we’ll make sure we give you enough information;
- you should have control over which processing activities you consent to and which you don’t. We provide these finer controls within our privacy preference centre; and
- you need to take positive and affirmative action in giving us your consent – we’re likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
We will keep records of the consents that you have given in this way.
Establishing, Exercising or Defending Legal Claims.
Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements, sensitive personal data in connection with exercising or defending legal claims. Article 9(2)(f) of the GDPR allows this where the processing “is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.
This may arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
You can remove your account and all your data from our system, simply login and click here.
26 April 2018
Dan Barfoot – Company Director
CMD Recruitment Limited
4 Lancaster House, Lancaster Park, Bowerhill, Melksham, SN12 6TT