Privacy Notice
This Privacy Notice will help you understand how we use your personal data when
you apply for employment with Affinity Water Limited.
We recommend that you read this privacy notice in full as it explains how and why
we collect personal data about you, how and why it will be processed by us and our
commitment to protecting your personal data.
1. ABOUT AFFINITY WATER
Affinity Water Limited ("Affinity Water", "We", "Our" or "Us") is a company registered in
England and Wales under company number 02546950 whose registered office is at
Tamblin Way, Hatfield, Hertfordshire AL10 9EZ.
We are registered as a data controller with the Information Commissioner's Office
and our registration number is Z8926206.
We have a data protection officer ("DPO"). Contact details can be found in section
14 of this privacy notice.
2. ABOUT THIS PRIVACY NOTICE
This privacy notice applies to the personal data we collect about you during our
recruitment process. We are committed to protecting your personal data in
accordance with applicable data protection legislation including the UK GDPR,
Data Protection Act 2018 and the Privacy and Electronic Communications
Regulations 2003 (together referred to as "Data Protection Legislation").
This privacy notice may change from time to time and, if it does, the up-to-date
version will always be available on our website at https://www.affinitywater.co.uk.
This privacy notice was last updated on 27th March 2023.
3. DEFINITION OF PERSONAL DATA
Personal data is information that relates to an identified or identifiable living individual.
This means that the individual is directly identifiable from that information or could be
indirectly identified from that information in combination with other information.
4. PERSONAL DATA WE COLLECT ABOUT YOU
We may collect, use, store and transfer different kinds of personal data about you
which we have grouped together as follows:
Identity Name and Title
Date of birth
Gender
Marital Status
Passport number
Driving license number
Birth certificate
5. HOW YOUR PERSONAL DATA IS COLLECTED
We use different methods to collect personal data from and about you including
through:
Direct interactions
We collect personal data from you during the application and interview process
when you apply for a job with Affinity Water.
You do not have to provide the information we ask for, however if you don’t it may
affect your application and our ability to assess your suitability for the role.
Information we receive from other sources
We may receive personal data about you from third parties who provide it to us. For
example:
Background checks performed during the recruitment process including DBS
checks and references provided by current and/or former employers;
CCTV which we may use for the purposes of ensuring safety and for the
prevention and detection of crime;
Where our employees are required by law, or otherwise, to undergo any
medical assessments to consider and monitor their ability to fulfil the role in
which they are employed;
From recruitment agencies who source candidates on our behalf;
From professional social media platforms such as LinkedIn.
6. PURPOSE AND LAWFUL BASIS OF PROCESSING YOUR PERSONAL DATA
We must have a legal basis for processing your personal data. We predominately
process your personal data under the following legal grounds:
When you have given us consent to do so for the specific purposes which we
have told you about;
Contact Home address
Telephone numbers
Email address
Next of kin and emergency contact details
Recruitment CV and application forms
Interview notes and scoring
Right to work check information
Background checks such as DBS checks
Employer references
Special
Category
Data
Health:
Reasonable adjustments
Disability information and/or long-term health conditions
Criminal
Conviction
Data
Details of criminal convictions and offences
If we enter into a contract with you or to take steps to enter into a contract
with you;
It is necessary in order to fulfil our legitimate interests (or those of a third party)
and your interests and fundamental rights do not override those interests;
The law permits or requires it.
We have set out in the following table the ways we commonly use personal data
and which of the legal grounds we rely on to do so. We have also identified what
our legitimate interests are, where appropriate.
In some cases, we may use more than one legal basis for processing your personal
data; this will depend on the specific purpose for which we are using your personal
data.
Please contact us if you have any queries about the specific legal basis that we rely
on for processing your personal data.
What we use your
personal data for
(purpose)
Type of data
Legal basis for processing
(including basis of legitimate
interest)
To assess your suitability for
a role you have applied
for, including an
assessment of your skills
and competencies,
performance at interview
and the uptake of
references.
Identity
Contact
Recruitment
Necessary for the
performance of a contract
to which the data subject is
party or in order to take steps
at the request of the data
subject prior to entering into
a contract.
Use of recruitment and
social media platforms
such as LinkedIn or
agencies.
Identity
Contact
Recruitment
Necessary for our legitimate
interests (to ensure we can
source the best candidates
for our roles).
To verify your identity and
legal right to work in the
UK.
Identity Necessary for compliance
with a legal obligation.
To meet any reasonable
adjustments you may
require during the
recruitment process.
Special Category
data (health)
Necessary for compliance
with a legal obligation
Necessary for the purposes of
carrying out the obligations
and exercising specific rights
of the controller or of the data
subject in the field of
employment.
What we use your
personal data for
(purpose)
Type of data
Legal basis for processing
(including basis of legitimate
interest)
To assess your fitness for
work.
Special Category
data (health)
Necessary for the
performance of a contract to
which the data subject is
party or in order to take steps
at the request of the data
subject prior to entering into a
contract
Necessary for the purposes of
carrying out the obligations
and exercising specific rights
of the controller or of the data
subject in the field of
employment.
To conduct a fair
recruitment process.
Identity
Recruitment
Special Category
data (health)
Necessary for our legitimate
interests (to ensure we
conduct a fair process)
Necessary for compliance
with a legal obligation
Necessary for the purposes of
carrying out the obligations
and exercising specific rights
of the controller or of the data
subject in the field of
employment.
To promote equality,
diversity and inclusion
(EDI) in our workplace,
and to prevent and
challenge discrimination
or potentially
discriminatory practices.
Identity
Special Category
Data (health,
racial or ethnic
origin)
Necessary for compliance
with a legal obligation
Processing is necessary for the
purposes of our legitimate
interests (to ensure Affinity
Water is actively promoting
EDI and preventing
discrimination)
Necessary for the purposes of
carrying out the obligations
and exercising specific rights
of the controller or of the data
subject in the field of
employment
Necessary for a substantial
public interest (equality of
opportunity or treatment and
promotion or maintaining
diversity at senior levels).
What we use your
personal data for
(purpose)
Type of data
Legal basis for processing
(including basis of legitimate
interest)
To perform and assess
criminal record and other
background checks
Identity
Criminal
Conviction
Necessary for the
performance of a contract to
which the data subject is
party or in order to take steps
at the request of the data
subject prior to entering into a
contract
Necessary for compliance
with a legal obligation
Necessary for the purposes of
carrying out the obligations
and exercising specific rights
of the controller or of the data
subject in the field of
employment.
Special Category Data
We do not need your consent if we use Special Category Data (see section 6 for
details) in accordance with this privacy notice to carry out our legal obligations or
exercise specific rights in the field of employment law. In limited circumstances, we
may approach you for your written consent to allow us to process certain
particularly sensitive data. If we do so, we will provide you with full details of the
information that we would like and the reason we need it, so that you can carefully
consider whether you wish to consent. You should be aware that it is not a condition
of your contract with us that you agree to any request for consent from us.
7. AUTOMATED DECISION-MAKING (INCLUDING PROFILING)
Automated decision-making takes place when an electronic system uses personal
data to make a decision without human intervention. We are allowed to use
automated decision-making in the following circumstances:
Where it is necessary for entering into or to perform the contract with you
and appropriate measures are in place to safeguard your rights;
Where it is authorised by law; and
In limited circumstances, with your explicit written consent and where
appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of Special Category Data, we
must have either your explicit written consent or it must be justified as a substantial
public interest, and we must also put in place appropriate measures to safeguard
your rights.
We may use automated profiling during recruitment for certain roles in the form of
psychometric or personality profile testing. If this applies to you, you will always be
provided with a copy of the final report and given the opportunity to comment on
the results.
Except where required by law, you will not be subject to decisions that will have a
significant impact on you based solely on automated decision-making unless we
have given you the opportunity to obtain human intervention, to express your
point of view and to contest the decision.
8. WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA
Personal data will only be handled by our trained recruitment employees and the
hiring manager who have a legitimate business need to access your personal data
for the purposes set out in this privacy notice.
9. WHO ELSE WE MIGHT SHARE YOUR PERSONAL DATA WITH
Except as explained in this privacy notice, we will not share your personal data
without your consent unless required to do so by law, where we have a legitimate
interest in doing so, or to administer the working relationship with you.
We may share your personal data with you, and where we have obtained your
consent to do so, your associates and your representatives.
We may disclose your personal data to the Police, Department for Work and
Pensions, HMRC, UK Visas and Immigration, fraud prevention and investigation
agencies and any other law enforcement agency to the extent necessary for
purposes including preventing, investigating, detecting, and prosecuting criminal
offences or where required to do so by law.
We may share your personal data with third-party service providers who assist us
with administering our recruitment process. Any such third parties will only be
permitted to use your personal data for specific purposes in accordance with
our instructions and not for their own purposes.
If a business transfer or change of business ownership takes place or is
envisaged, we may transfer your personal data to the new owner (or a
prospective new owner). If this happens, we will inform you of this transfer.
10. HOW WE PROTECT YOUR PERSONAL DATA
We are committed to maintaining the privacy and security of the personal data you
provide to us through the deployment of physical, technical and organisational
security procedures designed to secure your personal data against accidental loss,
destruction or damage and unauthorised access, use, alteration or disclosure.
Our recruitment data is held on secure systems and servers with access controls in
place on a need to access basis.
We ensure all our staff are trained in data protection so they understand how they
can help keep your personal data safe from unauthorised use and access.
Our sites are highly secured with physical access controls strictly implemented.
Where we have given you (or where you have chosen) a password which enables
you to access our recruitment system, you are responsible for keeping this password
confidential. You should not share this information with anyone.
11. TRANSFERS OF YOUR PERSONAL DATA OUTSIDE THE UK
Your personal data may be transferred to, and stored at, a destination outside the
UK. When we transfer and store your personal data outside of the UK we will ensure
that it is adequately protected by using appropriate safeguards as further detailed
below.
Staff operating outside the UK who work for us, or one of our suppliers, may process
your personal data. Such staff may be engaged in, among other things, the
processing of your payment details and the provision of support services.
Where your personal data is transferred from the UK to a recipient outside the UK to
a country not recognised by the UK as providing an adequate level of protection for
personal data we will ensure the transfer shall be covered by the following:
An International Data Transfer Agreement or the International Data Transfer
Addendum to the European Commission’s standard contractual clauses for
international data transfers (or the EU standard contractual clauses valid until
21 March 2024); and
An international data transfer risk assessment of the receiving country; or
In accordance with one of the derogations set out in the Data Protection
Legislation.
Unfortunately, the transmission of your personal data via the internet is not
completely secure and although we do our best to protect your personal data, we
cannot guarantee the security of your personal data transmitted to us over the
internet and you acknowledge that any transmission is at your own risk.
12. HOW LONG WE KEEP YOUR PERSONAL DATA
We will keep your personal data for no longer than is necessary for the purposes for
which it was obtained. The criteria for determining the duration for which we will
retain your personal data are as follows:
We will retain your personal data in a form that permits identification only for as long
as:
we maintain an ongoing relationship with you; or
your personal data is necessary in connection with the lawful purposes set
out in this privacy notice for which we have a valid legal basis.
Plus, for the duration of:
any applicable limitation period under applicable law (i.e. any period during
which any person could bring a legal claim against us in connection with
your personal data, or to which your personal data may be relevant); or
an additional reasonable period following the end of such applicable
limitation period.
In addition to the above:
if any relevant legal claims are brought, we may continue to process your
personal data for such additional periods as are necessary in connection
with that claim.
Where your personal data is retained for claim limitation purposes or for a reasonable
period thereafter, we will restrict our processing of your personal data to the storage
of, and maintaining the security of, those personal data, except to the extent that
those personal data need to be reviewed in connection with any legal claim or
obligation under applicable law. After this period your personal data will be
anonymised so that you are no longer identified or identifiable from such information,
or securely deleted/destroyed.
Any third parties that we engage will keep your personal data stored on their systems
for as long as is necessary to provide the relevant services to you or us. If we end our
relationship with any third-party providers, we will make sure that they securely delete
or return your personal data to us.
We may retain personal data about you for statistical purposes. Where personal data
is retained for statistical purposes, it will always be anonymised, meaning that you will
not be identifiable from that data.
13. YOUR DATA RIGHTS
The legal rights you have in relation to your personal data are summarised below:
Right to be informed - You have the right to be informed about the collection
and use of your personal data, as covered by this privacy notice.
Right of access – You have the right to access and receive a copy of your
personal data, and other supplementary information (subject to a limited
number of exemptions).
Right to rectification – You have the right to have inaccurate personal data
rectified, and incomplete personal data completed.
Right to erasure – You have the right to request erasure of your personal data
in certain circumstances.
Right to restrict processing – You have the right to request restriction or
suppression of your personal data.
Right to data portability – Where we are processing your personal data based
on your consent or for the performance of a contract you may request that
we transfer your personal data to another organisation in a structured,
commonly used machine-readable format. This only applies to personal data
provided to us by you.
Right to object – You have the absolute right to object to our processing of
your personal data. The right to request we stop processing your personal
data applies when we process your personal data based on a task carried
out in the public interest or for our legitimate interests (or those of a third party).
However, in these circumstances we may refuse to comply with your request
if we can justify compelling legitimate grounds, or where the processing is for
establishment, exercise or defense of legal claims.
Rights related to automated decision-making including profiling – You have
the right not to be subject to a decision based solely on automated
processing (no human intervention), where the decision affects your legal
status or rights or where the decision has a similarly significant effect. This type
of processing is permitted where the decision is necessary for entry into or
performance of a contract; is authorised by law; or based on your explicit
consent. We can only use your Special Category Data for this type of
processing where we have your explicit consent or if is necessary for reasons
of substantial public interest.
If we are processing your personal data on the basis of consent you have the right
to withdraw your consent at any time. If you decide to withdraw your consent, we
will stop processing your personal data for that purpose unless there is another lawful
basis we can rely on.
You can exercise your data rights free of charge. We may need to request specific
information from you to help us confirm your identity and ensure your right to access
your personal data (or to exercise any of your other rights). This is a security measure
to ensure that personal data is not disclosed to any person who has no right to
receive it. We may also contact you to ask you for further information in relation to
your request to improve our response to you.
We will comply with your request within one calendar month (from the time Affinity
Water receives your request, or upon receipt of any additional information we have
requested from you). Occasionally we may require more time to respond to your
request if your request is complex. We will notify you within one month to inform you
that we require additional time to comply with your request.
In exceptional circumstances where your request is manifestly unfounded or
excessive, we may charge you for your request, or refuse to comply with your
request. We will always inform you of the reasons for not being able to comply with
your request.
For more information on your rights and how to use them, or if you would like to make
any of the requests set out above, please contact us using the contact details
provided below.
14. FURTHER INFORMATION
If you have any questions or concerns about how we handle your personal data,
you can contact us by:
Post: FAO Data Protection Officer
Compliance & Ethics
Affinity Way Ltd
Tamblin Way
Hatfield
Hertfordshire
AL10 9EZ
Email: data.protection@affinitywater.co.uk
If you are unsatisfied with our response to any data protection issues you raise with
us or our DPO, you have the right to make a complaint to the ICO. The ICO is the
authority in the UK which is tasked with the protection of personal data and privacy
and contact details can be found at https://ico.org.uk/global/contact-us/.
Last Updated: March 2023