Privacy Policy

Index Page No.
1 Company details and who to contact in relation to this Policy 2
2 Key Definitions 2-4
3 Purpose 4
4 Scope 4-5
5 Our Role as a Data Controller and Data Processor 5
6 Personal Data We Collect 5-6
7 How We Collect Personal Data 6-7
8 Lawful Basis for Processing 7
9 How We Use Your Personal Data 7-8
10 Data Sharing and Disclosure 8-9
11 Data Retention 10
12 Data Security 10
13 International Data Transfers 11
14 Individuals’ Rights as a Data Subject 11
15 How to Exercise a Data Subject’s Rights 12
16 Individual responsibilities 12
17 Company Responsibilities and accountability 12-13
18 Training 13
19 Monitoring and Review 13
20 Retention of records in relation to this Policy 13-14
21 Amendments 14
22 Contact Us 14
23 Complaints 14-15
24 Attestation of Document Production 15

1. Company details and who to contact in relation to this Policy

Company Name (The company) Hive Support Services Limited
Address: Teme House Whittington Hall
Whittington Worcester WR5 2RY
Phone Numbers: Main Company No. 0330 236 6834

Name of Company Contact:

Michelle O’Connor - Chief People Officer

Email: michelle.oconnor@support-
services.com

Department: (The Department, we, us,
our)

Recruitment Department

Any other Contact Details ( e.g.,
Information asset Owner, Department
Head) if different from Company Contact.
Email:
Telephone No:

Data Protection
Team - Provided by
Hive Support
Services Limited

Data Protection
Officer (DPO)
DPO Contact email

Peter Collingridge

dpo@support-services.com

Data Protection
Business Partner
(DPBP)
DPBP email address

Julie Painter

julie.painter@support-services.com

2. Key Definitions

Data Controller

An organisation or person that determines the purposes and means of processing personal data.

Data Processor: An organisation or person that processes personal data on behalf of a DataController.

Data Retention Policy: This is a set of rules that says how long we need to keep personal information and when we should delete it. It helps us make sure we don't retain information for longer than we need to, which is important for privacy.

Data Subject: Data Subject means the individual to whom the personal data relates

Data Security: Measures taken to protect personal data from unauthorised access, disclosure, alteration, and destruction.

Information Asset Owner/Designated Owner:

An Information Asset Owner is a designated person who is responsible for overseeing specific categories of personal data. In the context of this policy, the chief people officer serves as the Information Asset Owner for data, ensuring its accuracy, security, appropriate access, adherence to the company’s Data Retention Policy, and relevant legal requirements.

Lawful Basis

The legal reason or justification for processing personal data, such as contractual necessity, consent, or legitimate
interests.

Personal data

Any information that relates to an individual who can be identified from that information.

Processing/processes

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Category Data (Sensitive personal
data)

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex lift or sexual
orientation.

UK GDPR

This stands for the United Kingdom General Data Protection Regulation, and this is the main law that protects people’s personal information in the UK.

3. Purpose
3.1 This Privacy Policy sets out how Hive Support Services Ltd gathers and processes personal and sensitive data, the individual's rights, and Our obligations concerning that data. It aims to ensure we protect and respect privacy and maintain the security of any personal or sensitive data we hold, adhering to relevant UK legislation, including the General Data Protection Regulation (GDPR) as implemented via the Data Protection Act 2018.
3.2 As the recruitment provider for both Hive Support Services itself and a number of client companies, we recognise the importance of protecting personal data, especially sensitive information.
4. Scope
4.1 This policy covers both scenarios where Hive Support Services Limited acts as a Data Processor on behalf of clients and, in limited circumstances, as a Data Controller for its internal recruitment processes and applies whether:
● we are providing a service or receiving a service
● an individual is visiting our website
● an individual is registering as a new candidate (via our website, telephone,
email, or in person)
● we are assisting an individual in finding employment
● we are continuing our relationship with an individual after we have found
them employment
● We are asking an individual to assist us in relation to a candidate.

4.2 This policy applies to:
● Website Users
● Prospective and placed candidates for permanent or fixed term placements.
● Prospective and live client contacts.
● Supplier contacts to support Our services; and,
● Our employees and consultants.
5. Our Role as Data Controller and Data Processor
5.1 For the purposes of data protection legislation, where the recruitment team provides services to client companies Hive Support Services Ltd is a joint Data Controller with the client company which means they jointly determine the
purposes and means of processing, but we also act as a Data Processor of the data we collect on behalf of the client company. Insofar as internal recruitment support, Hive Support Services Limited is both Data Controller and Processor of such data and is registered with the Information Commissioner’s Office Register, registration number ZB909213. Our nominated Data Protection Officer is Peter Collingridge, who oversees the Data Protection function of our company and who can be contacted at DPO@support-services.com.
5.2 The recruitment team within Hive Support Services is defined as a recruitment agency under Section 13(2) of the Employment Agencies Act 1973. The team also provides other related services including coaching, outplacement, and
psychometric testing.
6. Personal data we collect
6.1 The types of personal data we may collect, and process depends on the nature of the instructions we receive but would typically include but may not be limited to:
● Basic Information
○ Contact details: Name, Address, phone number, email address
○ Employment History: Past job titles, companies worked for, dates of
employment and job responsibilities
○ Educational Qualifications: Degrees, certifications, and relevant
courses
● Skills and Experience
○ This can be obtained from CVs, cover letters and interviews
● References
○ Information from previous employers, supervisors, or colleagues
● Test Results
○ Scores from aptitude tests, assessments, or other skills-base
evaluations
● Background Checks
○ Criminal history checks (DBS)
● Other Information
○ May include other information provided during interviews,
information on diversity monitoring and any other additional
information volunteered by the candidate.

● Some data we collect is known as special category data (e.g., racial or ethnic
origin, political opinions, religious or philosophical beliefs, health data). If we
need to collect, process, and disclose such information we may ask for
consent to us processing that data or, alternatively, we will advise of the legal
basis for processing this data.
● Within our recruitment application there is the facility for individuals who are
applying for employment to build their own profile which includes an option
for them to add their date of birth, but this is not a mandatory requirement.

7. How we collect Personal data
7.1 We collect personal data to meet Our legal, statutory, and contractual obligations
and to provide our products and services. Personal data is information about an
individual that is given to Us by:
● filling in forms online forms
● corresponding with us by phone, email, or otherwise.
● registering to use Our website.
● entering Our database.
● applying to vacancies We advertise online.
● subscribing to Our services.
● attending Our events.

POL004 Privacy Policy-Recruitment Department Version 001 - June 2025 7
@2025Hive Support Services Limited. All rights reserved.
● participating in discussion boards or other social media functions on Our
website.
● entering a competition, promotion, or survey; and when a problem or
concern is reported.

7.2 This includes data about individuals employed or engaged by our clients, suppliers,
and service providers. We also collect data automatically via cookies in line with
cookie settings in the browser and when contact is made via the website. We obtain
information from other sources such as:
● LinkedIn,
● corporate websites,
● job board websites,
● social media,
● online CV libraries,
● business cards, and
● personal recommendations.

7.3 The Technical Data collected by visiting our website will come from the following
parties: (a) analytics providers such as Google based outside the UK; (b) advertising
networks such as Indeed, and (c) search information providers.
8. Lawful Basis for Processing
8.1 In all instances, when processing personal data, we adhere to the data protection
principles. This means we ensure processing is lawful, fair, and transparent. We
collect data for specified, explicit, and legitimate purposes. The data collected is
adequate, relevant, and limited to what is necessary. We maintain data accuracy
and keep it up to date. Data is kept only for as long as required, and we process data
securely. Our processing of data is based on the performance of a contract,
compliance with legal obligations, and our legitimate business interests. These
legitimate interests include introducing candidates to clients, maintaining business
relationships, supporting candidates' career aspirations, and supporting clients'
resourcing needs. In addition, we may rely on consent for specific processing
activities
9. How We Use Personal Data
9.1 We use personal data:

● in the performance of a contract or to provide a service.
● to check and update records to ensure accuracy.
● to manage Our business.
● for legal obligations, staff administration, operations, accounting, credit
control, and tax purposes.
● for legal and regulatory compliance.
● to send marketing information where beneficial.

9.2 We use website information:
● For administration,
● For troubleshooting,
● For data analysis,
● For testing,
● For research, and statistical and survey purposes.
● to improve Our site.
● to enable participation in interactive features.
● for site security.
● to measure advertising effectiveness; and to make suggestions and
recommendations.

9.3 We do not undertake automated decision-making or profiling.
10. Data Sharing and Disclosure
10.1 We share personal data with:

● Authorised personnel within Hive Support Services Limited where engaged
in internal recruitment
● Client companies, business partners, suppliers and sub-contractors for the
purpose of:
○ Introducing candidates to them (where relevant)
○ For the performance and compliance obligations of any contract we
have entered into with them or any candidate
○ For the purpose of arranging interviews and engagements
(candidates)

● Approved Third-party Service Providers
○ Subcontractors including email marketing specialists, event
organisers, and payment and other financial service providers

POL004 Privacy Policy-Recruitment Department Version 001 - June 2025 9
@2025Hive Support Services Limited. All rights reserved.
○ Advertisers and advertising networks that require data to select and
serve relevant adverts to individuals and others (aggregate
information only, not identifiable individuals)
○ Analytics and search engine providers that assist us in the
improvement and optimisation of our website
○ Credit reference agencies, our insurance broker, compliance partners
and other sub-contractors for the purposes of assessing an
individual’s suitability for a role where this is a condition of us entering
into a contract.
○ Information will be stored on our applicant tracking system provided
by Tribepad at their data centres based in Manchester and Sheffield
10.2 Third parties will only process your data in accordance with our instructions and are
required to comply fully with this Privacy Policy, data protection laws applicable in
the UK, and on a confidential basis.
10.3 We do not permit third-party service providers to use an individual’s personal data
for their own purposes and only permit them to process such data for the specified
purposes and in accordance with this Privacy Policy.
● Legal Requirements:
○ If we are under a duty to disclose or share an individual’s personal
data in order to comply with any legal obligation (e.g. in connection
with the detection of crime or the collection of taxes or duties or
employment related requirements).
○ To protect the rights, property, or safety of our business partners, our
customers or others. This includes exchanging information with
other companies and organisations for the purposes of fraud
protection and credit risk reduction.
○ We will rely on legal obligation if we are legally required to hold and
share information on an individual to fulfil our legal obligations.
○ We may process personal data without an individual's knowledge or
consent, in compliance with the rules, where required or permitted
by law.
● Business Transfers:
○ In the event that we sell or buy any business or assets, in which case
we will disclose your personal data to the prospective seller or buyer
of such business or assets

POL004 Privacy Policy-Recruitment Department Version 001 - June 2025 10
@2025Hive Support Services Limited. All rights reserved.
○ If Hive Support Services Limited or substantially all its assets are
acquired by a third party, in which case personal data held by it about
its customers and candidates will be one of the transferred assets.

11. Data Retention
11.1 We retain personal data for as long as necessary to fulfil the purposes for which it
was collected, including for the purposes of satisfying any legal, accounting, or
reporting requirements.
11.2 The specific retention periods will largely be determined by our agreements with
our client companies and our internal Data Erasure and Retention Policy
11.3 We check for accurate information before introductions and keep in touch to
update personal data.
11.4 We segregate data and use criteria such as the nature of the data, its perceived
accuracy, our regulatory obligations, whether an interview or placement has been
arranged, and our recruitment expertise to determine retention.
11.5 We may archive or anonymise data.
12. Data Security
12.1 We implement robust technical and organisational measures to protect personal
data from unauthorised access, disclosure, alteration, and destruction. These
measures include:
● Encryption: Encrypting data both in transit and at rest where appropriate.
● Access Controls: Restricting access to personal data to authorised personnel
only, based on the principle of least privilege.
● Regular Security Audits: Conducting regular assessments of our security
measures.
● Staff Training: Providing ongoing data protection and security training to all
staff members.
● Incident Response Plan: Having a clear plan in place for responding to and
managing data breaches.

13. International Data Transfer
13.1 We primarily store and process personal data within the United Kingdom. If, in the
course of providing our services, it becomes necessary to transfer personal data
outside the UK or the European Economic Area (EEA), we will ensure that
appropriate safeguards are in place to protect personal data, such as:
● Adequacy Decisions: Transferring data to countries deemed to provide an
adequate level of data protection by the UK government.
● Standard Contractual Clauses (SCCs): Implementing UK-approved SCCs
with the recipient of the data.
● Binding Corporate Rules (BCRs): If applicable, for transfers within a
multinational group.
14. Individuals’ Rights as a Data Subject
14.1 Data Subjects have the following rights under UK GDPR in relation to their own
personal data, although some of these rights may need to be exercised through our
client companies (the Data Controllers) in cases where we act as a Data Processor:
● Right to be Informed: To be informed about how their personal data is being
used. This Privacy Policy serves to fulfil this right.
● Right of Access: To request access to the personal data we hold about them.
● Right to Rectification: To request that inaccurate or incomplete personal
data about them is corrected.
● Right to Erasure (”Right to be Forgotten”): To request the deletion or removal
of their personal data where there is no compelling reason for its continued
processing.
● Right to Restrict Processing: To request the suspension of the processing of
their personal data in certain circumstances.
● Right to Data Portability: To obtain a copy of their own personal data in a
structured, commonly used, and machine-readable format, and to transmit
that data to another controller.
● Right to Object: To object to the processing of their personal data in certain
circumstances, including for direct marketing.
● Rights in Relation to Automated Decision Making and Profiling: To not be
subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning them or similarly
significantly affects them.

15. How to Exercise a Data Subject’s Rights:
15.1 If an individual wishes to exercise any of these rights, particularly concerning data
which may be held by our client companies, the relevant client company should be
contacted directly by the individual in the first instance, as they are the Data
Controller responsible for their data.
15.2 If a request relates to data for which Hive Support Services Limited is the Data
Controller, the contact details of the company’s DPO shown in clause 1 of this policy
may be used. We will respond to such requests within one month of receipt, unless
the request is of a complex nature in which case we reserve the right to extend the
timescale for a full response up to a further 2 months, but we will ensure the
individual is kept informed of the situation.
16. Individual responsibilities
16.1 Company personnel are responsible for ensuring that if they become aware of any
breach of data, or believe there to have been a breach, whether it involves personal
or commercial data, this must be reported without delay to their line manager and
the Data Protection team so that immediate steps can be taken to deal with the
situation and mitigate any potential detriment to individuals or the Company.
16.2 Company personnel have the responsibility of ensuring they maintain security
standards to prevent any breaches occurring, such as complying with rules on
premises access, computer access (including password protection), secure file
storage, and destruction.
16.3 Individuals must also ensure they familiarise themselves with what constitutes a
breach and take a proactive approach in participating in training events in relation
to Data Protection matters and reading the regular communications which are
circulated as reminders and updates.
17. Company Responsibilities and accountability
17.1 Overall accountability for this policy and its procedures rests with the Company's
Directors, supported by the Company’s appointed DPO.
17.2 The Company’s responsibility for data protection extends to data processed by
third parties on the Company’s behalf and appropriate due diligence is performed
on those parties.

POL004 Privacy Policy-Recruitment Department Version 001 - June 2025 13
@2025Hive Support Services Limited. All rights reserved.
17.3 The Company is responsible for ensuring that training and support to company
personnel is provided to enable them to fulfil their data protection responsibilities.
18. Training
18.1 Training on keeping data secure, identifying breaches and mitigating risks as a result
of a breach is provided during induction processes and through regular reminders to
all personnel.
18.2 Individuals whose roles involve regular access to personal data or who are
responsible for identifying, assessing, mitigating and/or recording risks will receive
additional training to enhance their understanding of their duties, and how to follow
relevant requirements.
18.3 A formal organisational wide training plan should be drawn up in respect of GDPR
which must be retained together with details of who has completed the relevant
training.
19. Monitoring and Review
19.1 The Company's Chief People Officer or their designated representative shall
monitor the effectiveness of this policy and conduct at least an annual review but
may review more in the event of significant changes to processing activities or laws,
to ensure its continued relevance in light of regulatory and Company requirements.
Changes in legislation or significant changes to processing activities will trigger more
frequent reviews. Any necessary changes to the policy or related processes resulting
from the review will be reported to the Directors of the Company for approval and
subsequent implementation and the Policy updated accordingly.
19.2 To ensure compliance with UK GDPR requirements, the monitoring and review
process will form part of the overall monitoring of the organisation’s data protection
compliance records which ensures such records are regularly updated,
comprehensive, and accessible as required by regulatory obligations.
20. Retention of records in relation to this Policy
20.1 Records generated as part of the operation of this policy, including:

Previous policy wording
 Reports related to policy monitoring and review
 Issues arising from the policy
20.2 Shall be retained for two years for reference purposes. These records should
primarily be stored electronically but may also be in hard copy. Both formats must
be retained in accordance with the Company's Data Retention and Erasure Policy.
The Company's Data Protection Officer shall own the records and audited annually.
20.3 The Company maintains a Document Control Register which tracks changes to
policy wording and other company documents.
21. Amendments
21.1 The Company reserves the right to amend or modify this policy in whole or in part,
at any time, without providing a reason or conducting full consultation, provided
that such changes do not contradict data protection laws or other regulatory
obligations.
21.2 Any amendments or modifications to this policy will be documented in the
company’s Document Control Register.
21.3 In the event of any conflict between the terms of this policy and applicable law
governing the Company, such law shall take precedence until the policy is modified
to follow the law.
22. Contact Us
22.1 Please refer to clause 1 of this policy for contact information in respect of:
● Questions about this policy, or our data protection practices
● Exercising any individual rights

23. Complaints
23.1 Any complaints in relation to privacy issues should be directed to the company’s
DPO whose contact details are provided in clause 1 of this policy. If our response is
not considered satisfactory by the complainant, they have the right to refer the

POL004 Privacy Policy-Recruitment Department Version 001 - June 2025 15
@2025Hive Support Services Limited. All rights reserved.
matter to the Information Commissioner's Office (ICO), the UK's independent
authority for upholding information rights.
23.2 The ICO can be contacted in writing, by telephone or online:

● Address: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
● Telephone: 0303 123 1113
● Website: https://ico.org.uk/
24. Attestation of Document Production
24.1 This Policy has been produced by Hive Support Services Limited. For inquiries or
further clarification regarding this document please contact us directly at:
dpo@support-services.com.