What kind of personal information do we collect?
Applicant data
We collect an applicant’s information for the purpose of considering an application to join us.
Information collected and processed for the purposes of considering your application may include the following:
- Your name
- Your title
- Your address
- Your email address
- Your telephone number
- Your CV and/or promotional CV and images submitted in support of your application
- Any other work related information regarding specific additional skills and attributes that you could bring to the role that you are applying for
- Proof of your identity and, if applicable, proof of your ongoing eligibility to take work in the United Kingdom
Please note that this list is not exhaustive and may vary from time to time depending on legitimate business need and/or changing statutory requirements.
Staff member data
We collect additional information from staff members who are either employed or engaged by us for the purposes of administering your employment or engagement with us and for the carrying out of our statutory obligations.
Information collected and processed for the purposes of administering your employment or engagement with us may include:
- Your date of birth
- Confirmation of your identity and, if applicable, proof of your ongoing eligibility to take work in the United Kingdom
- Your National Insurance Number
- Your bank details
- Emergency contact details
- Diversity information including racial or ethnic origin, gender, age, sexual orientation, disability, religious or other similar beliefs
- Additional information on your skills, attributes and interests that may assist us in placing you in suitable roles or assignments
- Additional information such as your driving licence or any criminal convictions if these are necessary for a role that you are applying for or for an assignment that you would like to be considered for
Please note that this list is not exhaustive and may vary from time to time depending on legitimate business need and/or changing statutory requirements.
Client and supplier data
The data we collect and process on our clients and suppliers is only that which is necessary to enable the smooth running of our business relationship and may include:
- Generic contact details for the business
- Individual business contact details such as email addresses, telephone numbers (landline and/or mobile)
- Financial details
Please note that this list is not exhaustive and may vary from time to time depending on legitimate business need and/or changing statutory requirements.
How do we collect your personal data?
Applicant data
There are three primary ways in which we collect data from you when you apply to join us:
1. Personal data that you provide us with when you register your application; entering your details on our website for example
2. Personal data that we receive from other sources; an external recruitment company for example or referees
3. Personal data that we collect in order to further consider your application; as a result of an interview for example
Staff member data
There are three primary ways in which we collect data from you when you are employed or engaged by us:
1. Additional personal data that you provide us with when your application to join us has been successful and where you continue to update them throughout your time with us
2. Personal data that we receive from other sources; referees for example, or feedback as a result of an assignment
3. Personal data that we collect automatically; assignment records or payroll records for example
Client or supplier data
There are three primary ways in which we collect data from you when you are employed or engaged by us:
1. Personal data that you provide us; when we agree to enter into a business relationship for example
2. Personal data that we receive from other sources; due diligence or other market checks for example
3. Personal data that we collect automatically
How do we use your personal data?
Applicant data
We use the data we have obtained about you for the purpose of considering your application and for contacting you.
Staff member data
We use the data we have obtained about you for the purposes of administering your employment or engagement with us. These may include the following:
- Storing, and updating as necessary, your details in order to maintain accuracy
- Communicating with you via telephone, text or email in order to be able to offer you, and confirm you on, assignments or to advise you of statutory or other changes which may affect your employment or engagement
- Assessing your data in order to be able to offer you assignments most suited to you
- Sending clients the necessary parts of your personal data in order for them to consider your suitability for an assignment
- Sending clients the necessary parts of your personal data in timesheets or other documents which confirm your participation on assignments
- Carrying out our payroll and invoicing processes
- Using third party resources to verify details which may be pertinent to your employment or engagement, such as references, qualifications or criminal convictions
- Complying with our legal obligations in connection with the detection of crime or the collection of taxes or duties
- Carrying out staff surveys as to how we are performing and how we may improve
- Where there is a legal requirement to do so
Please note that this list is not exhaustive and may vary from time to time, but they are examples of what we consider to be legitimate business need in order to fulfil your expectations of being offered assignments and our responsibilities towards you and our clients in carrying out our necessary, operational business requirements.
If, for example, we were approached by a third party requesting participation in marketing or research projects, this would fall outside of our legitimate business interest and we would seek your consent as to whether you wished to participate.
Equal opportunities monitoring and other sensitive personal information
This is another area where we would seek your consent to release your personal data.
We are committed to ensuring that our recruitment and business model is parallel to our approach to equal opportunities. Some of the data that we collect if you participate in our equal opportunities monitoring comes under the heading of ‘diversity information.’ As mentioned above this includes information regarding racial or ethnic origin, gender, age, sexual orientation, disability, religious or other similar beliefs. We may from time to time, and where appropriate, disclose this information in an anonymised format in order to meet statutory compliance requirements or where we may be contractually obliged to do so by a client.
This information is classified as sensitive personal information and in order to use it, even in anonymised form, we are required to seek your explicit consent. We do this by offering you an opt-in; this means that you have to explicitly and clearly tell us that you agree to us collating and using or disclosing the information. Consent is explained more fully later in this policy document.
Client and supplier data
We use the data we have obtained about you for the purposes of administering and conducting our business and commercial relationships with you.
We may do this in the following ways:
- using your generic or personal contact details to communicate about existing or future business
- storing, and updating when necessary, your details on our database
- keeping records of our business and financial communications and transactions offering you services that fall within the remit of our current or previous business relationship or to obtain services from you
- where we are legally obliged to do so
Please note that this list is not exhaustive and may vary from time to time, but they are examples of what we consider to be legitimate business need in order to fulfil our business and commercial interests.
How do we keep your personal data safe?
The protection and safeguarding of the personal data that we hold is very important to us. We have in place a range of appropriate technical and organisational measures designed to protect personal information from misuse, loss and unauthorised access. These include measures to deal with any suspected data breach.
How long do we keep your personal data for?
Applicants
If your application to join us was unsuccessful the personal information you provided will be deleted after a period of 6 months.
Staff members
If you join us but do not take any work or receive any monies from us your personal information will be deleted after a period of 18 months.
If you have worked for us and been paid by us and then cease working for us, then your personal information will be deleted 6 years after your last period of work.
Your rights to access, amend or take back your personal information
The protection and clarification of the rights of EU citizens and individuals in the EU with regard to data privacy is the central pillar of GDPR. These rights are unaffected by Brexit and mean that even once you have given us personal information you retain various rights with regard to your data. These rights are as follows:
The right to be informed
You have the right to be informed about the collection and use of your personal data. We must provide you with information including: our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with.
The right of access – Data Subject Access Requests (DSAR)
You have the right to ask us to confirm what information we hold on you at any time and request that we modify, update or delete such information. You must make this request in writing. We may ask you to verify your identity and for more information about your request. We will respond to your request as soon as possible and no later than one month from receipt.
We may extend the period of compliance by a further two months if your requests are complex or numerous. If we do this we will inform you within one month of the receipt of the request and explain why the extension is necessary.
There will be no charge for the information we provide you with unless your request is “manifestly unfounded or excessive.” In this case any fee will be based on the administrative cost of providing you with the information. A fee may also be charged should you request further copies of the information. Once again, it will be based on the administrative cost of providing the copies.
If your request is “manifestly unfounded or excessive” we may refuse to respond. If we refuse your request we will tell you why as soon as possible, and no later than one month from receipt, and advise you of your right to complain to our supervisory authority.
The right to rectification
You have the right to have inaccurate personal data rectified, or completed if it is incomplete. You can make this request verbally or in writing. We will respond to your request as soon as possible and no later than one month from receipt.
We may extend the period of compliance by a further two months if your requests are complex or numerous. If we do this we will inform you within one month of the receipt of the request and explain why the extension is necessary.
There will be no charge for the information we provide you with unless your request is “manifestly unfounded or excessive.” In this case any fee will be based on the administrative cost of providing you with the information.
If your request is “manifestly unfounded or excessive” we may refuse to respond. If we refuse your request we will tell you why as soon as possible, and no later than one month from receipt, and advise you of your right to complain to our supervisory authority.
The right to erasure
You have the right to have your personal data erased if one or some of the following apply:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for
- we are relying on consent as our lawful basis for holding the data, and you withdraw your consent
- we are relying on legitimate interests as our basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing
- we are processing the personal data for direct marketing purposes and you object to that processing
- we have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle)
- we have to do it to comply with a legal obligation
The right to restrict processing
In certain circumstances you have the right to request the restriction or suppression of your personal data. When processing is restricted, we are permitted to store your personal data, but not use it. You can make a request verbally or in writing. We will respond as soon as possible but no later than one month following receipt.
You have the right to request that we restrict the processing of your personal data in the following circumstances:
- you contest the accuracy of your personal data and we are verifying the accuracy of the data
- your data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and you don’t wish erasure and request restriction instead
- we no longer need the personal data but you wish us to keep it in order to establish, exercise or defend a legal claim
- you have objected to our processing of your data under Article 21(1), and we are considering whether our legitimate grounds override yours
The right to data portability
This right allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to personal data you have provided to us
- where the processing is based on your consent or for the performance of a contract
- when processing is carried out by automated means
There is no charge should you request this and the timing of our response is as given above as is the process to be followed should we not respond or refuse your request for data portability.
The right to object
You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics.
We will cease processing your personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which overrides your interests, rights and freedoms
- the processing is for the establishment, exercise or defence of legal claims
Rights in relation to automated decision making and profiling
The GDPR has provisions on:
- automated individual decision-making (making a decision solely by automated means without any human involvement)
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process
We do not process your data in this way but if you would like further information on this please click on the link at the beginning of this document. Further information is also included in Article 22.
International transfer of your data
For the purposes of enabling you to take assignments in the EU we may share relevant parts of your data with our European partners in The Staffing & Entertainment Collective.
Should you be offered (and accept) assignments outside of the EU by us, then decisions regarding any release of your data will be made on a case by case basis. Your data will only be released with your consent, in accordance with GDPR requirements, and only when appropriate checks have been made and safeguards been put in place.
We are a British owned and based company and all of our data is controlled, processed and stored in the United Kingdom.
Consent
From time to time there may be circumstances where it may be necessary to process your data for reasons that fall outside of our legitimate business interest. We will always seek your consent in such situations.
Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he or she, by a statement of clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This means that:
- you have to freely give us your consent without being put under any type of pressure
- you must know what you are consenting to and be sure that we have given you all necessary information
- you have control over which processing activities you consent to and which ones you don’t
- you need to take positive and affirmative action in giving us your consent and that we have provided a clear and unambiguous way for you to provide your consent
We will keep records of the consents that you have given in this way. You may withdraw your consent at any time.
From time to time we may review and amend this Privacy Policy to comply with new statutory obligations or to meet our changing business requirements.
Annex 1 – Data Protection Officer details and supervisory authority details
Kru Live Data Protection Officer:
Suzi Ley Greaves
E: suzi@krulive.com
T: 0203 838 7272
A: Kru Live Ltd
19a Heathman’s Road
London
SW6 $TJ
Supervisory authority details:
The Information Commissioner’s Office
E: casework@ico.org.uk
T: 0303 123 1113
A: The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Annex 2 – Data Protection Act 1998 – Data principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
- (a) at least one of the conditions in Schedule 2 (https://www.legislation.gov.uk/ukpga/1998/29/schedule/2) is met, and
- (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 (https://www.legislation.gov.uk/ukpga/1998/29/schedule/3) is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Annex 3 – definition of personal data
Under the GDPR personal data means “any information relating to an identified, or identifiable natural person (data subject); an identifiable natural person is one who can be identified directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”