This privacy notice is specific to the processes of the Talent Acquisition and Resourcing (Recruitment) Department of The intended audience of this notice includes candidates who wish to seek employment through the department and clients, who wish to use the services of the department

This document is required in order to inform data subjects in a concise, transparent and intelligible manner of what personal data is being processed, the legal basis of the processing, the purposes of the processing, the technical and organisational provisions which have been put in place to protect the personal data and the rights of the data subjects

Business purposes

The purposes for which personal data may be used by

Personnel, administrative, financial, regulatory, payroll and business development purposes.

Business purposes include the following:
•Compliance with our legal, regulatory and corporate governance obligations and good practice
•Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
•Ensuring business policies are adhered to (such as policies covering email and internet use)
•Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
•Investigating complaints
•Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
•Monitoring staff conduct, disciplinary matters
•The marketing of the business to our clients
•Offering employment services
•Improving services

Personal data

Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts.

Personal data we gather may include: individuals’ contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

Sensitive personal data

Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings—any use of sensitive personal data should be strictly controlled in accordance with this policy.

Data Protection Acts (DPA)

This means the Data Protection Act 1988 and 2003.

General Data Protection Regulation (GDPR)

This means the EU regulation 2016/673


This means Data protection officer as nominated by the company.

The company

This means Technology Group.

The supervisory authority

This means the office of the data protection commissioner.

Data Protection Policy or the Policy

This means the overall policy published by the company internally.

Data Privacy Statement or the Statement

This means the public privacy notice published on the company website.

The Principles

These are the principles of data protection as found in Article 5 of the GDPR.


This means employees and agent of


We would like to direct readers to Article 4 of the GDPR for definitions of the terms which will be used throughout this document.


This means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.


This means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Subject

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Collecting Personal Data

The recruitment department are collecting and processing the following information relating to data subjects. This data is collected in a number of manners, the prime source, however, is from the Data Subject themselves by applying for employment on the company website ( Other sources of data collection include publicly accessible platforms namely; Monster, LinkedIn, Irish Jobs, CV Library. are fully compliant with the terms of use of these platforms and once contact is made consent is established in order to continue to process the data.

Information Reason for Collecting
Name To source employment
Address To source employment
Telephone To source employment and to communicate
Email To source employment and to communicate
Employment status To understand notice periods
Employment history Necessary to discover level of experience
Location To understand the preferred geographical location of employment
Salary Details & Expectations To negotiate with client
Nationality Only in the case where visa applications may be necessary
Curriculum Vitae To source employment
Personal references In order to contact references to verify contents of CV
Marital status Small number of cases for insurance reasons

All of this information is provided by the data subjects. Where further personal data has been provided but is not necessary for the purposes of the processing then it is deleted from any and all systems where it may have otherwise been stored.

Collecting Personal Data from Sources other than the Data Subject

As mentioned above some sources of personal data include publicly accessible information on platforms such as Monster, LinkedIn and Irish Jobs. and its employee operate wholly within the codes of conduct of these platforms. Once the recruitment agent reaches out to the data subject and confirms that they are still seeking employment then the data shall be further processed in the same manner as if it was collected directly from the data subject and as described elsewhere in this document.

Legal Basis for Processing

In order to process this information, which may or may not include special categories of personal data per Article 9 of the GDPR, relies on the consent of the data subject. This is collected and gathered at the point of initial contact, it is logged in the CRM system, Bullhorn, and is tracked appropriately. The data subject is informed of the processing activity and what data shall be processed for what reasons. The data subject is informed of their own rights.

The secondary legal basis for processing is in the performance of a contract. Once the candidate has been successful in securing employment then they are subject to a contract of employment for which certain data processing activities are essential in order to perform that contract.


Consent is gathered in accordance with the provision of Article 7 of the GDPR. Important to data subjects in terms of the recruitment department is that it is understood that at any time in the process consent can be withdrawn and the process cancelled. As specific and explicit consent is gathered through an email to the relevant recruitment agent then the withdrawal of the consent shall be in the same manner.

Sharing of Personal Data

During the process of sourcing employment for the candidate the following information is shared. When data is shared with the recruitment department it is done so in a secure manner using a CRM system called Bullhorn. This system was evaluated in conjunction with a number of other systems and was deemed to be the most sufficient in terms of business use and protection of personal data.

The following link goes directly to Bullhorn’s GDPR Commitment Statement:

Information Shared with Reason for Sharing
Name 3rd Party Client To identify candidate
Address Recruitment department colleagues only Record keeping
Telephone Recruitment department colleagues only Record keeping
Email Recruitment department colleagues only Record keeping
Employment status Recruitment department colleagues only Record keeping
Employment history 3rd Party Client and recruitment department To evaluate experience
Location Recruitment department colleagues only Record keeping
Salary Details & Expectations Recruitment department colleagues. In the case of internal recruitment the account manager and HR Record keeping and in order to properly negotiate with clients
Nationality Recruitment department and HR Record keeping and in order to apply for a visa if applicable
Curriculum Vitae 3rd Party Client and recruitment department To evaluate the candidate for employment
References Recruitment department only The recruitment department will contact nominated referees to verify the contents of the CV. These may be shared with the 3rd party client only with the consent of the candidate

Transfers to Third Countries

Personal data is under no circumstances shared with individuals or organisations outside of the EU unless in the case of explicit consent from the data subject. This shall be sources and logged separately from all other consent. When data is transferred outside of the EU all necessary technical protections shall be awarded to it including anonymization and encryption.

Retention Periods

Where the data subject has given consent to have their information processed by for the purposes specified above then the data shall be retained for a period of up to but no more than two years without receiving further consent. If the data subject is successful in finding employment through the service, either directly with as a contractor or with a client whereby bills the client, then the data shall be retained until the termination pf the contract and following any other legal obligations to retain the data. More information can be found in our Retention Policy and Schedule document. This can be viewed by request to

Rights of the Data Subject

Under the Data Protection Acts and the GDPR Data Subjects are awarded certain rights pursuant to the Charter for Fundamental Human Rights. These rights are below for the information of data subjects.

Data subjects have a number of enforceable rights under the GDPR, these are, in brief:
5.Restricted Processing;
8.Rights in relation to automated decision making and processing. makes every endeavour to uphold and protect these rights. The processing activities of takes these rights into consideration prior to the beginning of the processing activity.

A request should preferably be addressed to the DPO, whose contact details are below. This request is free unless a reasonable cost is to be charged where requests are unfounded or excessive or repetitive in character:

Name: DPO

Address: Coach Lodge Rear 59 Rathgar Avenue, Dublin 6

Telephone: 015653996


New rights under the GDPR include the right to Data Portability and the Right to be forgotten. Please find more information on these rights below.

Data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free. This right can only be exercised if the legal basis for processing is based on consent or contractual.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

Personal data is first searched using an eDiscovery tool if necessary. All data which can then be used to identify a data subject will then be deleted. If necessary a third party may be engaged to ensure that the data has been deleted, this will be on a case by case basis.

Right to Rectification

A data subject has the right to their data being accurate and up to date. All data is provided by the client either directly to or to publicly accessible platforms such as Monster, Irish Jobs, CV Library and LinkedIn. Recruitment agents will periodically request an updated CV when they are sending the data to a third party client as part of the service. If the data subject notices that any of the data is inaccurate or out of date they can request to have it changed directly to the recruitment agent with whom they are engaging or by emailing the request and relevant detail to

Right to Complain to the Supervisory Authority

The Supervisory authority in Ireland at present is the Office of the Data Protection Commission. However, this will change following the 25th of May to the Data Protection Commission. The Data Subject has the right to judicial remedy which includes but not limited to the award of damages for material and non-material loss.