Log-in




Data Protection Policy

DOCUMENT DETAILS

Document Title:

Data Protection Policy

Version Number:

1.0

Issue date:

29.09.22

Author:

Cristina Vannini-Goodchild

DOCUMENT AUTHORISATION

This document is issued under the authority of:

Name

Organisation

John Ambrose

Complete Careers LLP
   

Amendment Record

Version

Date

Description

Initials

v2

Dec2025

Updated to include company details

KL

v3

April 2026

Additional email addresses

KL
       

1. Policy statement

1.1 During the course of our activities, Complete Careers LLP (‘the Company’) as the data controller will process personal information and we recognise the need to treat it in an appropriate and lawful manner.

1.2 This policy sets out how the Company and its staff handle the personal data of our customers, suppliers, business contacts, employees, workers, and other individuals that the Company has a relationship with. In processing personal data, the Company will comply with the General Data Protection Regulation and the Data Protection Act 2018 (together the ‘Data Protection Legislation’). 

1.3 This policy also applies to staff who process personal data offsite i.e. when working from home or at other sites, additional care must be taken in these circumstances to ensure the security of the data.

2.  Status of the policy

2.1 This policy must be complied with by all staff working for the Company (including, employees (whether permanent, fixed term or temporary), self-employed personnel, volunteers and agency workers).

2.2 This policy is non-contractual, and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal.

2.3 Any questions or concerns about the operation of this policy should be referred in the first instance to John Ambrose.

3. Definitions

3.1 Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.

3.2 Data Subject: for the purpose of this policy include all living, identified or identifiable individuals about whom we hold personal data. A data subject need not be a UK national or resident.

3.3 Explicit Consent: consent which requires a very clear and specific statement.

3.4 Personal Data: data relating to a living individual who can be identified from that data (or from that data and other information in our possession).  Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).

3.5 Processing or Process: any activity that involves use of personal data.  It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it.  Processing also includes transferring personal data to third parties.

3.6 Special Category Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal data relating to criminal offences and convictions.

4. The Data Protection Principles

4.1 All staff processing personal data must comply with the data protection principles. These provide that personal data must be:

(a) Processed lawfully, fairly and in a transparent manner;

(b) Collected only for specified, explicit and legitimate purposes;

(c) Adequate, relevant and limited to what is necessary in relation to the proposes for which it is processed;

(d) Accurate and where necessary kept up to date;

(e) Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed;

(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage;

4.2 We will demonstrate compliance with the data protection principles.

5. Lawfulness, fairness and transparency

5.1 Lawfulness and fairness: For personal data to be processed lawfully, certain conditions have to be met.

In most circumstances, the Company will rely upon the following conditions for processing personal data:

(a) the data subject has consented to the processing;

(b) the processing is necessary for our legitimate interests;

(c) the processing is necessary for the performance of a contract; and/or

(d) the processing is necessary for vital or public interest;

(e) the processing is conducted to meet our legal obligations.

Further information on the processing of personal data is set out in our Privacy Notices available from admin@complete-careers.com.

5.2 Consent: A data subject consents to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the processing.

5.3 Transparency: Whenever we collect personal data directly from data subjects, including for HR or employment purposes, we will provide the data subject with specific information including:

(a) that we are the data controller; and

(b) how and why we will process that personal data.

This is provided through a Privacy Notices available from admin@complete-careers.com

When personal data is collected indirectly (for example, from a third party or publicly available source), we will provide the data subject with all the information required by the Data Protection Legislation as soon as possible after collecting/receiving the data.

6. Processing for limited purposes

6.1 Personal data may only be processed for the specified, explicit and legitimate purposes. This means that personal data must not be collected for one purpose and used for another without assessing the necessity, proportionality, purpose and lawful basis and we have informed the data subject of the new purpose(s).

6.2 Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You may only process personal data that you require for your job duties.

6.3 We process personal data to enable us to:

(a) Provision of contracted services

(b) Maintain our accounts and records;

(c) Promote our services;

(d) Undertake analytical studies; and

(e) Support and manage employees.

6.4 We will ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised.

7.  Accurate data

We will ensure that personal data we hold is accurate and where necessary, kept up to date. We will take steps to ensure the accuracy of the data held at regular intervals and take reasonable steps to destroy or amend inaccurate or out of date data.

8. Timely processing 

8.1 We will not keep personal data in an identifiable form for longer than is necessary for the purposes for which the data was gathered. We will take all reasonable steps to ensure that data is destroyed or erased from our systems when it is no longer required, unless a law requires such data to be kept for a minimum time. This includes requiring third parties to delete such data where applicable.

Our retention policy and schedule are available from admin@complete-careers.com

8.2 In some circumstances we may anonymise personal data (so that it can no longer be associated with the data subject) for research or statistical purposes in which case we may use this information indefinitely without further notice to the data subject.

9. Data security

9.1 We will ensure that appropriate security measures proportionate to the size, scope and available resources of our Company are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

9.2 We will regularly evaluate the effectiveness of the safeguards put in place. Personal data may only be transferred to a third-party data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures. We will exercise particular care in protecting special category personal data.

9.3 Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:

(a) Confidentiality means that only people who are authorised to use the data can access it.

(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

(c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.

9.4 Security procedures include:

(a) Entry controls. Any stranger seen in entry-controlled areas should be reported.

(b) Secure lockable desks and cupboards. Desks and cupboards should be kept locked when left unattended.  (Personal information is always considered confidential.)

(c) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required by giving them to the IT Department.

(d) Equipment. Staff should ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

(e) Password Protection/Encryption. Personal data held on computers must be stored confidentially by means of password protection and encryption. Each employee has a password to access the system and these passwords are not held anywhere.  Password are changed every 6 months.

(f) System protection. Antivirus software is installed on computers and the server and this is updated automatically when a new version is available.

(g) Pseudonymisation. Staff is encouraged to use pseudonymisation as an additional security measure where applicable.

(h) Back-ups. Regular back-ups take place on a daily basis. This is a security measure for ensuring availability of the data.

(i) Printing. Printed material should not be left unattended on the printer tray.  If the printed material contains children’s data, it must be collected immediately.

10. Disclosure of personal information including the transfer of Personal Data to a country outside the UK

10.1 We may also disclose personal data we hold to third parties:

(a) In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.

(b) If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.

(c) If we are under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; to protect our rights, property, or safety of our employees, customers, or others; or to comply with a request of a regulator. This includes exchanging information with other companies and organisations for the purposes of fraud protection and debt collection.

(d) To undertake surveys and research.

10.2 We may only share the personal data we hold with third parties, such as our service providers if:

(a)    they have a need to know the information for the purposes of providing the contracted services;

(b)    sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s consent has been obtained;

(c)     the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;

(d)    the transfer complies with any applicable cross border transfer restrictions; and

(e)    a fully executed written contract that contains Data Protection Legislation approved third party clauses has been obtained (where appropriate and necessary).

10.3 We may transfer any personal data we hold to a country outside the UK, provided that one of the following conditions applies:

(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.

(b) The data subject has given his explicit consent.

(c) The transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.

(d) Appropriate safeguards are in place such as: international data transfer agreement, EU standard contract clauses + UK addendum, binding corporate rules (BCR) approved by the Information Commissioner’s Office.

(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.

Processing in line with Data Subject’s rights

10.4 Data subjects have rights when it comes to how we handle their personal data. These include rights to:

  • withdraw consent to processing;

  • receive certain information about our processing activities;

  • request access to their personal data that we hold;

  • prevent our use of their personal data for direct marketing purposes;

  • ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;

  • restrict processing in specific circumstances;

  • challenge processing which has been justified on the basis of our legitimate interests or in the public interest;

  • request a copy of an agreement under which personal data is transferred outside of the UK;

  • object to decisions based solely on automated processing, including profiling;

  • prevent processing that is likely to cause damage or distress to the data subject or anyone else;

  • be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;

  • make a complaint to the supervisory authority; and

  • in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.

Some of these rights are not automatic or absolute.

10.5 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing personal data without proper authorisation).

10.6 If a data subject wishes to exercise a right, you must immediately forward the request you receive to john.ambrose@complete-careers.com

11. Reporting a Personal Data Breach

11.1 The Company has put in place procedures to deal with any suspected personal data breach (i.e. the loss, or unauthorised access, disclosure or acquisition, of personal data), and will notify the data subject or any applicable regulator where it is legally required to do so.

11.2 If a member of staff knows or suspects that a personal data breach has occurred or may occur, they should not attempt to investigate the matter themselves. They should immediately contact john.ambrose@complete-careers.com and preserve all evidence relating to the potential personal data breach.

12. Accountability, Training and Record-Keeping

12.1 The Company has adequate resources and controls in place to ensure and to document data protection compliance including:

(a) implementing Privacy by Design when processing personal data and completing privacy impact assessments where processing presents a high risk to rights and freedoms of data subjects;

(b) integrating data protection into internal documents including this policy, related policies and privacy notices;

(c) regularly training relevant staff on the Data Protection Legislation, this policy, related policies and data protection matters including, for example, data subject’s rights, consent, legal basis, privacy impact assessments and personal data breaches; and

(d) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

12.2 We will keep and maintain accurate records reflecting our processing including records of data subjects’ consents and procedures for obtaining consents.

13. Automated Processing and Automated Decision-Making

Automated Decision-Making is where a decision is made based on the automatic processing of personal data which significantly affects an individual. The Company does not take any decisions using automated means. However, if this position changes this policy will be updated and a new version made available to all staff and any other relevant personnel.

14. Monitoring and review of the policy

We reserve the right to change this policy at any time without notice to you. This policy is reviewed annually by the Management Team to ensure it is achieving its stated objectives.

We have launched our new Career Mark Members Area. If you are a member and have not already done so, please click this link to re-set your password and gain access.