Data Protection Policy

(amended to incorporate GDPR)


The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.


It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018. The GDPR replaces the 1995 Data Protection Directive.


This document sets out Est-Vest Services responsibilities and policy for the protection of personal data.


Areas of the GDPR addressed:


The following articles of the GDPR are addressed by this document:

Chapter II – Principles

Chapter IV – Controller and processor, articles 24 to 31


Review Frequency:


Est-Vest Services will ensure that this policy is reviewed annually to ensure that we remain compliant with the principles of the GDPR.


  1. Introduction


In its everyday business operations, Est-Vest Services makes use of a variety of data about identifiable individuals, including data about:


  • Current, past and prospective candidates
  • Customers
  • Users of our website
  • Other stakeholders


In collecting and using this data, Est-Vest Services is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.


The purpose of this policy is to set out the relevant legislation and to describe the steps that we are taking to ensure that we comply with all areas of legislation.


This control applies to all systems, people and processes that constitute our information systems, including directors, employees, candidates, suppliers and other third parties who may have access to Est-Vest Services systems.


The following policies and procedures are relevant to this document


  • Consent to Process Personal Data Form
  • Privacy Notice
  • Data Protection Impact Assessments
  • Data Breach Notification Policy
  • Records Management, Retention and Disposal Policy
  • Information Security Policy
  • Key changes between Data Protection and GDPR


  1. Data Protection Policy


2.1      The General Data Protection Regulation


The General Data Protection Regulation 2016 (GDPR) is one of the most significant pieces of legislation affecting the way that Est-Vest Services carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the GDPR, which is designed to protect the personal data of citizens of the European Union.


It is Est-Vest Services policy to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times.


2.2      Definitions


There are a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to their policy are as follows:


“Personal data” is defined as:


Any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


“Processing” means:


Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


“Controller” means:


The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union or Member state law, the controller or the specific criteria for its nomination may be provided for by the Union or Member state law


2.3       Principles Relating to Processing of Personal Data


There are a number of fundamental principles upon which the GDPR is based.


These are as follows:


  1. Personal data shall be:


(a)       processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)


(b)       collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) not be considered to be incompatible with the initial purposes (“purpose limitation”);


(c)        adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”)


(d)       accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data held is accurate, having regard to the purposes for which they are processed, erased or rectified without delay (“accuracy”)


(e)       kept in a form which permits identification of data subject for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation  of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”)


(f)        processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)


  1. The controller shall be responsible for, and be able to demonstrate compliance with paragraph 1 (“accountability”)


Est-Vest Services will ensure that it complies with all of these principles in both the processing it currently carries out or as part of the introduction of new methods of processing for example if we were to introduce new IT systems.


2.4       Rights of the Individual


The data subject also has rights under the GDPR. These consist of:


  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling


Each of these rights (GDPR Rights of the Individual) are included on the Consent to Process Personal Data form and the Privacy Notice issued to all parties.


Data Subject Request Timescale
The right to be informed When data is collected (if supplied by data subject) or within one month (if not supplied by the data subject) – all workers will be supplied with the Privacy Notice which is also included on the website. Workers will also be asked to sign the consent to process data form
The right of access If requested we will process requests within one calendar month.
The right to rectification If requested we will process requests within one calendar month.
The right to erasure If requested we will process requests without undue delay
The right to restrict processing If requested we will process requests without undue delay
The right to data portability If requested we will process requests within one calendar month.
The right to object If requested, we will process this objection immediately upon receipt.
Rights in relation to automated decision making and profiling Not applicable to our business




2.5       Lawfulness of Processing


There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR.


2.5.1   Consent


Unless it is necessary for a reason allowable in the GDPR, Est Vest Services will always obtain explicit consent from a data subject to collect and process their data.


All candidates are asked to sign a Consent to Process Personal Data form and provided with the Privacy Notice which fully details the reasons why the data is being collected and how it will be processed and how a candidate can request any data, ask for data to be erased or the processing of data to be restricted.


The Est Vest Services website also includes a privacy policy detailing what data we collect and the re

asons for doing so.


2.5.2   Performance of a Contract


Where the personal data collected and processed is to fulfil a contract with the data subject, explicit consent is not required. This often applies to Est-Vest Services whereby the contract cannot be completed without the personal data in question e.g a worker cannot be placed with a client without providing personal data.


2.5.3   Legal Obligation


If the personal data is required to be collected and processed in order to comply with the law, then explicit consent is not required.


2.5.4   Vital Interests of the Data Subject


In a case where the personal data is required to protect the vital interests of the data subject or of another natural person, then this may be used as the lawful basis of the processing.


Est-Vest Services will retain reasonable, documented evidence that this is the case, whenever this reason is used as the lawful basis of the processing of personal data. For example, if the GLAA were to request personal data as part of a criminal investigation, we will ensure that we have the request in writing which will be held on file.


2.5.5   Task carried out in the Public Interest


Where Est-Vest Services need to perform a task that it believes is in the public interest, or as part of an official duty, then the data subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.


2.5.6   Legitimate Interests


If the processing of specific personal data is in the legitimate interest of Est-Vest Services and is judged not to affect the rights and freedoms of the data subject in a significant way, then this may be defined as the lawful reason for the processing.


Est-Vest Services will ensure that all reasoning behind this view will be documented.


2.6       Privacy by Design


Est-Vest Services has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems collect or process personal data will be subject to due consideration of privacy issues.


We will ensure that should this arise, we will complete a data protection impact assessment.


2.7       Contracts Involving the Processing of Personal Data


Est-Vest Services will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract with our client to ensure that they adopt a GDPR Controller-Processor Agreement policy.


2.8       International Transfers of Personal Data


Est-Vest Services do not anticipate the transfer of personal data outside the European Union. Should this change, we will ensure that any transfer takes place in accordance with the limits imposed by the GDPR.




2.9       Data Protection Officer


As a small business, we do not require a defined role of Data Protection Officer (DPO). We will ensure as a business, we continue to keep appraised of ongoing developments in relation to GDPR and update policies and procedures should the need arise.


2.10    Breach Notification


It is Est-Vest Services policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred (which is likely to result in a risk to the rights and freedoms of individuals) the relevant supervisory authority will be informed within 72 hours.


This will be managed in accordance with our Information Security Policy and Data Breach Notification Policy which sets out the overall process of handling information security incidents.


2.11    Addressing Compliance to the GDPR


The following actions are undertaken to ensure that Est-Vest Services complies at all times with the accountability principle of the GDPR:


  • The legal basis for processing personal data is clear and unambiguous
  • All staff involved in handling personal data understand their responsibilities for following good data protection practice
  • Rules regarding consent are followed
  • Candidates are advised of routes to take for anyone wishing to exercise their rights regarding personal data
  • Any data subject requests will be handled effectively
  • Regular reviews of procedures involving personal data will be carried out
  • Privacy by design will be adopted for all new or changed systems and process

General Data Protection Regulation (GDPR)

Key changes from the Data Protection Act 1998




The General Data Protection Regulation (GDPR) will apply from 25 May 2018. The Regulation will directly replace many of the provisions of our own data protection legislation (the Data Protection Act 1998 (DPA) in the UK). Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), however there are new elements and enhancements so there is a need to implement some new procedures and do some existing procedures differently.


The Data Protection Principles, as set out in the DPA, remain but they have been condensed into six, as opposed to eight, principles. Article 5 of the Regulation states that personal data shall be:


  1. Processed fairly, lawfully and in a transparent manner in relation to the data subject.
  2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date.
  5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.



Under the GDPR the supervisory authority has a number of new powers (for the UK the supervisory authority for GDPR is the ICO). This includes an increase in the upper limit for fines from up to £500,000 or 1% of annual turnover to an upper limit of 20 million euro or 4% of global annual turnover, whichever is higher (for some infringements and an upper limit of 10 million euro or 2% of global annual turnover for others). In addition an ability to issue warnings, carry out audits, require specific remediation (financial compensation), order erasure of data and suspend data transfers to a third county.

Their powers extend to the right to enter premises for the purposes of monitoring compliance.  Importantly some of these powers can be applied to data processors and controllers, see table below for further information.


So what does this means in practice? You will need to continue to manage and protect information as you do now, whilst also implementing some new procedures. You need to ensure you are aware of the changes that may affect your business areas outlined in the below table:


The DPA Says: The GDPR says:
Subject access requests must be responded to within 40 calendar days Respond to SARs electronically and in a commonly used format within 1 month
Businesses are permitted to charge a reasonable fee for data requests Personal data requests will be free. Businesses can charge a fee or refuse a request, if requests become manifestly unfounded or excessive. Fees must be porportionate to the cost of administration
Data subjects have a right to be informed:

What data is held on them

The purpose it is being processed for

Who it may be shared with

Inform data subjects of the legal basis for processing their data. To include:

Who the data controller is

How their data will be held

Data retention periods

Who data will be shared with

How to gain access to it

The right to complain to the ICO if they think data is handled incorrectly

Data breach reporting is only mandatory if the breach is covered by the Privacy and Electronic Communications Regulations 2011 and is noted as an advisory step for organisations outside of the PECR All data breaches where it is likely to result in a risk to the rights and freedoms of individuals must be notified by the data controller to the relevant supervisory authority (ICO) within 72 hours. Any delay to this timeframe must be communicated to the ICO. If the data breach is likely to result in a high risk to an individuals’ rights and freedoms the data subject must also be informed without undue delay (some exceptions do apply)
Under the current legislation there is no need for any business to have a dedicated Data Protection Officer (DPO) A DPO is mandatory for any business or organisation with more than 250 employees.
There is no requirement for an organisation to remove all data they hold on an individual An individual will have the “Right to erasure” (with all information being permanently deleted) – which comprises all data including web records and portability (provide the personal data in a structured, commonly used and machine readable form)
Privacy Impact Assessments (PIA) are not a legal requirement under DPA but has always been “championed” by the ICO Data Protection Impact Assessments (DPIA) will be mandatory and must be carried out when there’s a high risk to the individuals freedoms, and in particular should be undertaken prior to commencing processing of personal data on new technologies.

DPIAs help an organisation to ensure they meet an individual’s expectation of privacy

Data collection does not necessarily require an opt-in under the current Data Protection Act Consent is key. Individuals must actively opt-in whenever data is collected and there must be clear privacy notices. Notices must be concise, transparent, with consent able to be withdrawn at any time.
Liability for data breaches remains with the data control where a controller uses a third party to act as a data processor (under legally binding contract) The GDPR places new legal obligations on data processors including a requirement to maintain records of personal data and processing activities. Data processors have significantly more liability in the event of a data breach. Liability can fall to any party unless one can prove that it is not in any way responsible.

A controller may seek redress from a processor. As a data controller GDPR places further obligations on you to ensure your contracts and processes comply with GDPR.

Under the DPA there is no special protection for children’s personal data Special protection for children’s personal data, particularly in the context of commercial internet services (eg social networking). If an organisation offers online services to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. At age 16, a child can give their own consent (although this may be lowered to a minimum age of 13 in the UK)
Every data controller must lodge a formal notification document with the ICO outlining how personal data will be processed by that controller The current system of notification under the DPA will be replaced by a requirement for data controllers to keep their own record in relation to the personal data they process; this must include; details of the purpose of processing; recipients, transfers to third countries; time limits for erasure and a general description of the technical and organisational measures in place to protect personal data.

Records Management, Retention And Disposal Policy


  1. Purpose and Introduction
    • Est-Vest Services is committed to the secure and efficient management of its data, and records for supporting the delivery of its services, documenting its principle activities.
    • The benefits of effective records management within Est-Vest Services are:
    • Protect business critical records,
    • Ensure that data, information and records can be retrieved easily and efficiently,
    • Ensure compliance with legal, regulatory requirements,
    • Reduce the risks relating to litigation, audit and government investigations,
    • Minimising storage requirements and therefore costs,
    • The principles outlined in this policy have been developed to provide a consistent approach to managing records throughout their lifecycle, irrespective of their format.
  2. Scope
    • The scope of this policy relates to all data, information and records irrespective of how they are generated, received, managed, retained and disposed of.
    • This policy applies to all members of staff (including contractors) of Est-Vest Services and will also where necessary, apply to third parties and suppliers who manage records on behalf of our business.
    • Est-Vest Services has an information Register (IR) which provides clarity regarding what information we collect, how we use it and how long we keep it and is provided at Appendix A to this policy.
    • The key business areas are as follows;
    • Dealing with candidates and clients
    • Emails
    • Sub-contractors
    • External Communications (website/social media)
    • Procedures to support specific areas of the business have been produced and are provided at Appendix B to this policy.


  1. Policy Principles
    • A record is defined as any information, created, received and maintained as evidence of a business transaction related to its legal obligations and / or business functions acting as a recruitment business
    • All information created by Est Vest Services staff, including contractors and third party suppliers belongs to Est-Vest Services and must be reviewed and disposed of in line with this policy.
    • Records should remain in their original format (electronic or manual).
    • Records will be processed in line with legal and regulatory requirements.
  2. Retention Policy
    • Records and Information held and therefore processed for any longer than is necessary carries additional risk and cost to Est-Vest Services. Records will only be retained for legitimate business purposes and in line with legal and regulatory requirements.  Under GDPR it is clear that ‘personal data’ should not be retained for any longer than its lawful purpose.  Any information that is not by definition ‘personal data’ may be disclosable under Freedom of Information legislation.
    • Records and information will not be retained indefinitely by Est-Vest Services. The majority of records will be held for 18 months. At that time, a decision will be taken to retain, archive or arrange for the destruction of the particular records. We will consider whether there is a pressing business need, public interest or other reason for retaining a record or information for example, under HMRC guidance, payroll records will need to be kept for 6 years.
    • The retention of any record beyond its disposal date will be documented and a new review / retention date agreed and documented.
    • Hard copy information relating to Est-Vest Services will be stored securely
    • All IT based information will be held on password protected systems.
    • Records that are scheduled for destruction will be destroyed promptly and securely. For electronic records suitable software that can wipe the media clear and provide a certificate of destruction will be used where possible. Similarly, hard copy information will be shredded.



  1. Information Rights
    • Information and records held by the Est-Vest Services may under certain circumstances be disclosable. There is a right of access to personal data under both GDPR and the Freedom of Information legislation.
    • GDPR requires that personal data should only be processed for as long as it is needed for the purposes it was collected for.
    • GDPR does not stipulate specific time periods for retention. For how long information is retained is dependent upon the purpose for which it is processed.
    • Est-Vest Services understand and acknowledge that to retain a copy anywhere, deliberately or recklessly, of personal data that has been marked for and then subsequently destroyed is committing a criminal offence.
  2. Review
    • This policy and associated procedures will be reviewed annually or sooner if new record types are introduced.

                                                                                      APPENDIX A




What information do we collect? How do we use it? How long do we keep it for?


Information relating to Agency workers or Est Vest Services staff


We collect personal data in order to fulfil the contract with the client and to comply with our legal obligations and where it is in our legitimate interests to provide work seeking services and to supply our clients with labour.


What type of information do we collect?


  • Name and contact details
  • Right to work status (copies of passport/ID documents)
  • Skills, experience and qualification
  • Details about the type of work required
  • Next of kin details
  • If any reasonable adjustments are required in the recruitment process
  • Questions about work seeking activity to protect welfare and worker rights
  • NINO and bank account details to allow us to pay for work carried out
  • Information to confirm suitability for work (for example, including video of butchering skills, references and health questions if applicable)
  • Assessment Tests (including numeracy, skills, literacy)
  • Training records
  • Appraisal/performance review records
  • Sickness absence records
  • Correspondence records (including disciplinary/grievance notes where relevant)


How do we use it?


The information collected is only used for the purpose of work finding services or to fulfil legal or regulatory requirements if necessary.


Disposal policy


The information is kept for a minimum of 18 months (or some information may be for 6 years if required by law) as long as consent has been granted.





Information relating to External Business Contacts


External business contacts means individual members of staff at the supplier, support, client and any other organisations that we may work with to perform the legitimate activities of our business.


What type of information do we collect?


  • Names and contact details including email addresses, telephone numbers
  • Information about charge rates, risk assessments, client information
  • Sensitive data about the client including recipes


  • Professional information in the public domain (for example linked in, client website pages etc)


How do we use it?


The information collected is only used in connection with the legitimate activities of Est-Vest Services


Disposal policy


The information is kept for a minimum of 18 months or for along as we are required to do so by law. Information will be kept whilst business with the client is ongoing.


Individuals within external business contacts have the same rights as any other individual with regards to the processing of their data.


Personal data is collected in order to comply with legal obligations and where it is in the company’s interests as an employer/labour provider to do so.


Individuals within the company we work with are also entitled to have their personal information protected.




                                                                                                                        APPENDIX B


  1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
  2. The objective of this procedure is to ensure that Est-Vest Services processes and retains the information and records necessary to carry out its functions, are kept in a structured format to enable best use of the information when carrying out those functions and are disposed of when no longer needed.
  3. Est-Vest Services will ensure that all candidate details are held safely and securely either in hard copy format or electronically and are disposed of accordingly.
  4. We understand that significant records may also be generated as a result of receiving emails and attachments. There are specific processes regarding email procedures detailed below.
  5. Review or destruction dates must not be ignored, they must be acted upon. Where there is no automatic review or destroy date, records will be checked every six months  and arrangements made for any records that have exceeded their retention period are securely deleted.


  1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
  2. Email is a vital business communication tool. It is not a tool for generating an audit trail and should not be used as such.
  3. It is important that email messages are properly managed to ensure that they support business needs and to also assist with compliance with information rights legislation
  4. It is important to distinguish between email messages that contain significant information, and therefore need to be retained, and messages of trivial or only passing significance. Significant emails and in almost every case, attachments, should be removed from inboxes and personal folders as soon as possible and stored on the appropriate record for the specific system or business area. For example, candidate files should be filed in an appropriate candidate folder so can be easily accessible should the need arise.
  5. An email is likely to be significant and needs to be retained if it contains information relating to candidates or clients. Significant emails are likely to be copied or forwarded to more than one recipient.
  6. External messages that are received should also be stored on the appropriate business area folder.
  7. Less significant emails or those of only passing significance should be managed within the inbox and kept only as long as required before being deleted.
  8. If after consideration, it is decided to delete an email from the inbox or folder including the deleted items folder then such a deletion is acceptable. If an email (including attachments etc.) is deliberately deleted following the receipt of a subject access request for personal data under GDPR then a criminal offence is committed



  1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
  2. When personal data is obtained via a Sub-Contractor (such as Est Vest SRL) we will ensure that the data is contained and stored on a separate folder identifying the origin of the data.
  3. Sub-contractors will be expected to comply with Est-Vest Services policy relating to retention and disposal of personal data.



  1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
  2. Wherever possible, the Est-Vest Services website does not contain any personal data We will review the website on an ongoing basis to ensure that policies, guidance and other information remains correct and up to date and that out of date material is removed.
  3. Social Media will be used responsibly and we will ensure that we do not hold personal data on this platform.
  4. Information disclosed to Social Media sites will be in the public domain and once there cannot generally be removed.
  5. Where there is no automatic review or destroy date, records will be checked every six months and arrangements made for any records that have exceeded their retention period to be securely deleted.



  1. Purpose and Introduction
    • The purpose of this document is to outline Est-Vest Services policy on Information Security.
    • Information is a vitally important asset which requires protection against risks which may threaten the confidentiality, integrity and availability. This policy provides a commitment to ensure the protection of all information assets and processing operations.  It is also designed to ensure the confidentiality, integrity and availability of the data and information we receive, process and share which will help to minimise the risk or impact of security incidents.
  2. Scope
    • This policy will apply to any data or information that is processed by the Est-Vest Services irrespective of whether it is held in electronic or paper format.
    • It applies to all members of staff, permanent or temporary, including third party contractors and client.
  3. Legal and Regulatory Requirements
    • Information Security will be applied in accordance with the standards as published in the relevant legislation, Government guidelines, Codes of Practice and industry best practice including, but not restricted to:
      • The Data Protection Act 2018
      • EU 2016/679 General Data Protection Regulation (GDPR)
      • EU2016/680 Law Enforcement Directive (LED)
      • The Computer Misuse Act 1990
      • The Freedom of Information Act 2000
      • The Human Rights Act 1998
      • The Copyright Designs and Patents Act 1988.




  • Plus, where relevant , the standards and best practice published by the
    • Information Commissioners Office
    • HMG Security Policy Framework
    • Government Digital Services
    • NCSC (CESG) Guidance
    • ISO 27001:2013 and associated codes of practice and standards
    • NIST, SANS, British Computer Society, ISACA etc.
  1. Policy Statement

4.1       Est-Vest Services is committed to managing the confidentiality, integrity and availability of all             physical and electronic information assets throughout our business.

Est-Vest Services is committed to:

  • Maintaining compliance with all relevant regulatory and legislative requirements
  • Communicating its Data Protection Policy including our Information Security policy with all relevant parties.
  • Striving for Continuous improvement by reviewing all policies in line with legislative requirements
  • Ensuring that Information Security Incidents (confidentiality, integrity and availability) are investigated and followed up.


  1. Roles and responsibilities

5.1       Everybody working for or on behalf of Est-Vest Services is responsible for information security.   All employees and contractors (including data processors) are required to comply with this                information security policy along with associated policies, standard operating procedures and                         guidelines.


  1. Review
    • This policy will be reviewed annually.


We care about your information

Est-Vest Services is both a Data controller and Data processor for the purposes of Data Protection Legislation. Relevant, authorised members of our staff will have access to this information.

We ask you to share information with us so that we can provide you with work-finding and related services.

This notice advices you what you can expect from us and how we will protect your rights.

This applies to information we collect about our agency workers, staff members and individuals who work at the companies we do business with.

Est-Vest Services has a full Data Protection, Retention and notification of breaches policy which are available to review at our office.

Why do we process your information?

We process information about you (known as “personal data”) to enable us to carry out our business as an employment agency for the purposes of both permanent and temporary recruitment services.

By law, we have obligations to ensure that any candidate is suitable for the vacancy and the vacancy is suitable to the candidate and to do so, we need to collect and process some relevant information.

We also process some information to help us make sure we are delivering a quality service that treats people fairly and legally, prevents modern slavery and toe ensure that we continually improve

Who will we share your information with?

In order for our clients to consider workers for employment opportunities, we need to share worker information with them. We have contracts in place with these clients that require them to treat any such information as confidential and to not share this with other parties.

From time to time, we may be audited by third parties to ensure that we are operating a legally compliant and ethical business. These third parties my include Government regulatory and enforcement audits, independent social compliance audits and client audits.

What are your rights?

All individuals have the following rights regarding their personal information (also called “personal data”)



The right to be informed

  • You have the right to know what information we hold about you, what we are using it for, who we are sharing it with, how long we are keeping it and on what basis we are processing the data.
  • Whilst we always prefer to process data based on your explicit consent, as a recruitment business, we also have a “legitimate interest” in processing your data to ensure we are matching you to suitable vacancies.
  • There may also be times when we have to process your data because we are required to by law.

The right of access

If you would like to see the records we hold on file for you we will arrange this on request.

The right to rectification

If you believe we are holding incorrect information, you can ask us to correct it

The right to erasure

You can ask us to remove your information from our records. As long as there is no legal requirement for us to keep them (for example, HMRC require us to keep payroll records for 6 years) we will remove your details. Once your details are removed, we will be unable to contact you with any work opportunities in the future.

The right to restrict processing

Instead of asking for your data to be erased, you can ask us to stop processing it, for example, we can keep your records on file, but you can ask us to stop contacting you with work opportunities

The right to data portability

If you want to take your data to another organisation, this can be arranged.

The right to object

You have the right to object to your data being processed. We will stop processing your information immediately unless there are legal reasons for us not doing so.


If you wish to exercise any of your rights in this notice, or have any queries, please contact the Est-Vest Services Office.