Privacy Policy

1 General

Cpl Resources and/or its subsidiary companies (‘Cpl Group’) are committed to protecting all personal, special, and criminal categories of data held on you.

As such, we want you, the ‘data subject’, to understand how we collect, use, store, and share your personal data. We also want you understand what rights you can invoke to help you to protect your privacy. In this regard, it is important that you read this Privacy Notice and understand how we use your personal data. Please note that we reserve the right to update this Privacy Notice as required.

1.1 Cpl Information

Cpl Group provides recruitment services and matches people with the right jobs every day.

Cpl Group is committed to protecting the rights and privacy of individuals in accordance with both European Union and Irish data protection legislation. Cpl Group shall lawfully and fairly process personal data about candidates, employees, clients, and other stakeholders to achieve its mission and functions.

If you wish to locate further information on us, you can find this on the Cpl website through the following link: https://cpl.com/ie/about

1.2 Legislation

All personal data processed by Cpl Group is done so in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

1.3 Queries and Complaints

If you are unhappy with the way we handle your personal data and wish to complain, or if you simply want further information about the way your personal data will be used, please contact us at the below:

Data Protection Officer

Cpl Recruitment

Ground Floor, One Haddington Buildings, Haddington Road, Dublin 4

Dublin, D04 X4C9

Telephone: +353 1 614 6000

Email: [email protected]

You have the right to lodge a complaint with the Data Protection Commission. To contact the Data Protection Commission, please use the following details:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

D02 RD28

Ireland

Telephone: +353 (0)761 104 800

Telephone: +353 (0)57 868 4800

Email: [email protected]

1.4 Breaches

Cpl Group will take all appropriate technical and organisational steps to safeguard your personal data. In the unlikely event of a data breach, we will contact you in line with our legal obligations.

2 How Do We Collect Information?

We collect personal data to enable the provision of services to support the Cpl Group purpose. The following non-exhaustive methods of data collection are an indication of ways in which we may obtain your information:

Obtain personal data directly from you;

Personal data that we receive from other sources; and

When entering our premises, you will be recorded on CCTV surveillance and the Visitor Sign In tablet/book for security purposes.

It is important that the personal data you provide us is up to date and accurate. As outlined in Section 7.4 of this notice, if personal data we hold on you is inaccurate or incomplete, please contact us and we will update the information.

3 What Do We Use Information For?

3.1 Process, Purpose, and Lawful Basis

We use personal data collected to fulfil our obligations to provide recruitment services and to enable the provision of services to support the Cpl Group purpose.

We use personal data we gather for any of the following purposes:

ProcessPurposeLawful Basis
Pre-RecruitmentTo register a prospective data subject’s interest in recruitment for employment.Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.
Background ChecksTo verify if the data subject is qualified and eligible for certain positions within Cpl Group.Processing is necessary for compliance with a legal obligation to which Cpl Group is subject.
Recruitment

and Selection

To complete the recruitment process and assess data subject suitability.Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.

Processing relates to our obligations in employment and for assessing data subject’s work capacity.

PensionTo administer a data subject’s pension entitlement and to comply with pension rules.To comply with various pension laws.

Processing is necessary for the performance of a contract to which the data subject is party.

PayrollTo enable Cpl to effect payment to the data subject.Processing is necessary for the performance of a contract to which the data subject is party.
Personnel File To comply with employment and revenue laws and to ensure that terms and conditions of employment are adhered to.Processing is necessary for the performance of a contract to which the data subject is party.

To comply with various employment and revenue laws.

To protect the vital interests of the data subject in the event of an accident or emergency.

Entitlement to WorkTo enable Cpl Group to achieve compliance with its obligations pursuant to any local legislation governing the entitlement to work.Processing is necessary for compliance with a legal obligation to which Cpl Group is subject.
Time and Attendance RecordsTo enable the data subject to avail of their rights and entitlement pursuant to the Organisation of Working Time Act, 1997.The processing is necessary for the performance of contract to which the data subject is party.
Statutory EntitlementTo enable Cpl Group to achieve compliance with:

·     Its obligation to the data subject;

·     Record keeping obligations pursuant to a variety of employment law statutes.

The processing is necessary for compliance with legal obligation to which Cpl Group is subject.
Training RecordsTo ensure that Cpl Group is in a position to assess the data subject’s training needs and to capture proof of training.The processing is necessary for the performance of contract to which the data subject is party.
Performance DetailsTo manage the data subject’s performance in accordance with relevant Cpl Group policies.The processing is necessary for the performance of contract to which the data subject is party.
Grievance

and Disciplinary

To ensure the data subject’s complaints are fairly investigated in accordance with Cpl Group policies.To comply with Cpl Group legal obligation to apply fair procedures to any data subject’s investigation.

The processing is necessary for the performance of contract to which the data subject is party.

Medical InformationTo manage the data subject’s absences, to manage sick pay in accordance with the contract of employment, and to manage the fitness to work of data subjects.Processing is necessary to assess, subject to data subject safeguards, the working capacity of the data subject.

To carry out obligations and exercise rights under employment law.

Making or Receiving PaymentsTo make or receive any payments in the discharge of normal business functions, dispute settlement, or to carry out any other payment requirements.Processing is necessary for compliance with various employment and revenue laws.

 

The processing is necessary for the performance of contract to which the data subject is party.

Voice of the CustomerTo obtain the data subject’s feedback by survey on the Cpl Group recruitment processes, client services and for research purposes.Processing is based on request of consent which will be taken from the data subject.
Attracting TalentTo provide support and assistance on recruitment services to data subjects via third party sources, such as LinkedIn and other job sites, from which Cpl Group obtain personal data.Processing is based on legitimate interest.
Supporting TalentTo support data subjects in their career guidance and communicate with them directly with useful information, advice, and support materials through email, messaging, or mobile/web notification.Processing is based on legitimate interests and contractual obligations.
Campaign ImagesTo obtain the data subject’s photos which are used externally (e.g. Cpl’s website, on social media or even in marketing) for campaign.Processing is based on request of consent which will be taken from the data subject.
Regulatory ComplianceTo comply with financial regulations and any other relevant laws and regulations.Processing is necessary for compliance with a legal obligation to which Cpl Group is subject.

 

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Third Party

Data Sharing

To allow Cpl Group to conduct and carry out functions with third party service providers that enable us to deliver our services.Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Back-upsTo store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes.Processing is necessary for compliance with a legal obligation to which the Cpl Group is subject.
Evidence SubmissionsTo gather information for dispute resolution services and legal proceedings.Processing is necessary for compliance with a legal obligation to which the Cpl Group is subject.
Transfer of

Information for

Parties Legal

Proceedings

To allow parties to commence legal proceedings.Processing is necessary for compliance with a legal obligation to which the Cpl Group is subject.
CCTV systemsFor the security, health, and safety of individuals on Cpl Group premises.Processing is based on legitimate interest and is necessary for compliance with a legal obligation to which the Cpl Group is subject.
Accidents and

Incidents

To enable Cpl Group to comply with record keeping obligation pursuant to the Safety, Health, and Welfare Act.Processing is necessary for compliance with a legal obligation to which the Cpl Group is subject.

4 Who do we share this information with?

We may share personal data with other parties in the course of our duties. When this is done, we adhere to the following principles:

The transfer is based on a legal obligation, the performance of a contract, or explicit consent.

Where data is transferred to another party, we ensure appropriate technical and organisational safeguards are used to protect your personal data.

Where we engage a third party to provide a service to us, we ensure the provider has taken appropriate technical and organisational measures to process, store, and safeguard your personal data.

Cpl Group, as a Data Controller, will not sell your data to any third party and will take all appropriate steps to ensure the security of your data in dealings with third parties.

While the parties we engage may change occasionally, we believe it is important you are aware of the types of parties we share data with. The categories and types of third parties outlined below is a non-exhaustive list but provides an indication of the parties we share data with.

4.1 Other Third Bodies

Third parties for the purposes of internal and external audits, carrying out research, general practitioners, and or third parties who may improve our processes and services (such as consultants).

4.2 Government Departments, Bodies or Agencies

Cpl Group is legally obligated to share personal data with state actors which is outlined in the Data Protection Act 2018.

Recipients of this data include Government departments, agencies, bodies, investigatory bodies, local authorities, and the Gardaí.

4.3 International Transfers

Where personal data is transferred outside the European Economic Area, Cpl Group use safeguards known as Standard Contractual Clauses (SCCs).

5 What Type of Information is Collected?

To fulfil our mandate and perform tasks as outlined in this statement, we need to collect various types of personal data.

While the type of personal data may change occasionally, we believe it is important you are aware of the types of data we gather and use. The following table is a non-exhaustive list and provides an indication of the categories and types of data we use to perform our tasks.

Please note that information listed under one category may be used for the performance of a task or in relation to activities under another heading or as outlined under Section 3.

Category

Type of Data

Candidates

First name, last name, date of birth, contact details, email address, passport, identification copy, PPS number, pictures, CVs, work position, qualifications, employment history, job interests, transcripts, education, training history, cover letters, salary details, bank details, next of kin, tax, VAT details, interviews attended, interview feedback, technical data includes username, password, and survey responses (CSAT scores and text entry questions captured as comments).

Special data revealing racial or ethnic origin, VISA, and data concerning health.Garda Vetting and International Police clearance.

Employees

First name, last name, date of birth, address, contact details, email address, family details, financial, tax, pension, remuneration details, performance, visual images details, employee ID, CCTV footage, lifestyle and social circumstances, education, and training details.

Special data revealing racial or ethnic origin and data concerning health.

Other Stakeholders

First name, last name, address, contact details, email address, PPS number, job title, CCTV footage, visitor sign in, financial details, technical data includes IP address, browser history, and survey responses (CSAT scores and text entry questions captured as comments).

Special data revealing racial or ethnic origin and data concerning health.

6 How Long Do We Retain Information?

We have developed a record retention schedule for all the personal data we hold. Each retention period varies dependent on the nature and the purpose of the processing.

The main factors which determine retention periods are as follows:

How long it is required to perform the task;

Any legal requirements to hold onto the data;

Any pending legal actions.

If you would like to see a copy of the Retention Policy, please contact the DPO at [email protected]

7 What Are Your Rights?

As a data subject, you will have the following rights as outlined in this section. However, restrictions may apply in certain situations.

7.1 Where do I send requests?

Please send all your requests to the contact details provided in Section 1, with as much detail as possible about your requirements to allow us to deal with your request efficiently. To answer your request, we may ask you to provide identification for verification purposes.

7.2 How long will a request take?

Upon receipt of a request, we will have 30 days to provide an answer with an extension of two further months if required. If we require more time to deal with your request, we will notify you of the delay and the reasons behind it within 30 days of the receipt of the request. If we refuse your request, we will also notify you within 30 days of the receipt of the request accompanied by the reasons for the refusal.

We will not charge a fee for any requests, provided we do not consider them to be unjustified or excessive. If we do consider these to be unjustified or excessive, we may charge a reasonable fee (also applicable for multiple copies) or refuse the request.

You are entitled to contact the Data Protection Commission if we refuse your request.

7.3 Right of Access

You have a right to know what personal data we hold on you, why we hold the data, and how we are processing your personal data.

When submitting your request, please provide us with information to help verify your identity and as much detail as possible to help us understand the information you wish to access (i.e. date range, subject of the request) and email [email protected]

Please note that an access request is free of charge, however, where we determine a request to be unjustified or excessive, we may charge you a reasonable fee.

7.4 Right to Rectification

You have a right to request that our information held on you is up to date and accurate.

Where information is inaccurate or incomplete, we encourage you to contact us to have this information rectified. Upon receipt of request, we will ensure that the personal data is rectified and as up to date as is reasonably possible.

7.5 Right to be Forgotten

You have the right to seek the erasure of your personal data in the following circumstances:

  • The personal data is no longer required for the purposes for which is was obtained;

  • Where data is being processed on the basis of consent, you withdraw consent to the processing and no other lawful basis exists;

  • The personal data is being unlawfully processed;

  • You object to the processing of personal data and there are no overriding legitimate grounds for the processing;

  • Your personal data requires deletion in line with legal requirements.

However, we will be unable to fulfil an erasure request if the processing of personal data is necessary for the following:

  • Exercising the right of freedom of expression and information;

  • Compliance with a legal obligation or for the performance of a task carried out in public interest;

  • Reasons of public interest in the area of public health;

  • Archiving or statistical purposes in the public interest;

  • The establishment, exercise, or defence of legal claims;

Please note that the where the legal basis for our processing of personal data is on the basis of a legal obligation, some processing in relation to your data may not be subject to the right to erasure.

To determine your request for erasure, we will carry out an assessment of the justification for the retaining your personal data where a legal requirement applies and contact you if we are unable to fulfil your request.

Please be aware that in some circumstances we may need to retain some information to ensure all of your preferences are properly respected. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, we would delete your preference not to receive marketing material.

7.6 Right to Restriction

You have the right to restrict the extent of personal data processed by the us in circumstances where:

  • You believe the personal data is not accurate (restriction period will exist until we update your information);

  • The processing of the personal data is unlawful, but you wish to restrict the processing of data rather than erase it;

  • Where the personal data is no longer required by us, but you require retention of the information for the establishment, exercise, or defence of a legal claim;

  • You have a pending objection to the processing of the personal data;

When processing is restricted, your personal data will only be processed: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of other people; or for reasons important to public interest.

We will contact you confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.

7.7 Right to Data Portability

You have the right to the provision of all personal data held in relation to you in a structured, commonly used and machine-readable format where:

  • Processing is completed on the basis a contract;

  • Processing is completed based on consent by the you;

  • Processing is carried out by automated means.

You may also request that we send this personal data to another data controller where technically feasible.

7.8 Right to Object

You have the right to object to the processing of your personal data; however, the processing must have been undertaken on the basis of public interest or legitimate interest by us.

If you wish to object to the processing of data, please contact us with your request. We will then stop the processing of personal data unless it is required for legal proceedings.