Privacy Policy

1. Introduction

In order to work with you, Pioneer Search Ltd (“the Company”) collects and processes personal data about you.

When it comes to capturing and using data relating to individuals there are some key legal requirements with which the Company needs to comply.  The purpose of this statement is to set out how the Company meets these requirements and to ensure that every individual who provides data to the Company understands the legal basis on which that data is held, what the data is used for, how it is stored and who has access to it. 

The legislation which details the legal requirements that the Company must follow in relation to data is the General Data Protection Regulation 2016 (“GDPR”).

2. Our Business and Use of Data

The Company is a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003. 

To perform our business activities, we may collect personal information about the following individuals:

  • Prospective and placed candidates for permanent or temporary roles;
  • Prospective and current client contacts;
  • Supplier contacts to support our services;
  • Employees, consultants, temporary workers.

Although the individuals do not have to provide personal information to us, this may restrict or prevent our ability to provide our services.

As individuals may at points in their relationship with us be a candidate and/or a client contact, we may use the personal data provided to contact the individual in regard to either of these services unless the individual advises us to restrict use to specific service.

3. Sources of Data

The sources we may collect personal data about individuals from are:

  • The individual as a
    • candidate while searching for a new role and going through the recruitment process,
    • client contact when looking to place an individual in a job role;
  • Public sources, including LinkedIn, Job boards, and CV databases; and
  • Referrals from third parties who know the individual, either professionally or personally.

Where we collect information through public sources, we may do this with the aid of software which searches publicly available sources of data using specific parameters to find candidates and contacts. The search parameters are restricted to searching for name, contact details, job role, technical skills, experience and location, which is information available on public sites or provided by individuals, where there is a reasonable expectation that such information may be collected and processed by recruiters for the purpose of sourcing candidates for client job roles.

If data regarding individuals is obtained from a third party or public source, the privacy rights are the same as if collected from the individual.

4. Data Processing for Candidates

We collect the information necessary to find available opportunities for candidates and to assess a candidate’s eligibility through the recruitment process. This information may include CVs, identification documents, educational records, work history, employment, comments, references, email addresses and contact details.

The personal data is used to match skills, experience and education with a potential employer. We will initially collect basic information on candidates including contact details, job role and experience. Upon the candidate’s confirmation that we may represent them, we then pass this information to the client for them to determine alignment of skills and experience to the available position. We may require from the candidates, and provide to the clients, additional information regarding the candidate as they progress through the recruitment process.

4.1. For candidates applying for contract roles

Verification checks may be conducted at appropriate points in the process to ensure the information provided is complete and correct.  To perform these checks, candidate information may be shared with:

  • Verifile Limited
  • Experian Limited
  • HSBC

Data will never be sold but may need to be disclosed to a third party as part of the recruitment process.

5. Key Terms

GDPR is an extensive piece of legislation that seeks to protect the right to privacy of individuals.  There are some key terms with which you need to be familiar to understand the approach that the Company takes in relation to GDPR.  These are:

  • Data Subject – the individual to whom the data relates.
  • Personal data – any information relating to an identified or identifiable person.
  • Processing – any action performed with the personal data (collection, recording, sharing, storing etc.)
  • Controller – the person or entity who determines what data to collect and the use of that data.
  • Processor – the person/people who collects and processes the data as per instructions from the Controller.
6. Key roles within the Company

Within the Company the following roles fulfil duties under this Privacy Statement:

  • Controller – Office Manager and Director
  • Processors – Office Manager, Director and employees of Pioneer Search Ltd
7. The Six Privacy Principles

GDPR sets out six privacy principles with which the Company must comply.  These principles are:

7.1. Purpose Limitation

The Company must clearly state the reason that data is being held and can then only process data for that reason.  If the Company wants to use the data for a different reason to that for which the data was collected, then the Company must inform the data subject.

7.2. Data Minimisation

The Company must only collect the data that is needed.

7.3. Accuracy

The Company must take all reasonable steps to ensure that the data held is accurate.

7.4. Storage Limitation

The Company must only keep the data for as long as it is necessary.

7.5 Integrity and Confidentiality

The Company must take all reasonable steps to ensure that the data held is kept securely and is only shared with people who have a legitimate need to have access to it.

7.6. Lawfulness, fairness and transparency

The Company must have a legal basis for processing data and must be transparent about the data held, why it is held, how it is held, who has access to it and for how long it is retained.

8. Our Legal Bases for Processing Data

GDPR states that data can only be processed for one of six reasons – consent, contract, legal obligation, vital interests, public task and legitimate interests.  Of these, there are four which are applicable to the Company.  These are:

8.1. Contract

Contract is a lawful basis for processing data if a company is required to hold the data to fulfil their contractual obligations to the data subject.  Much of the data that the Company holds on you falls under this basis.

8.2. Legal obligation

Legal obligation, as the name implies, relates to data that is needed for a company to fulfil a legal obligation.  Some of the data that the Company holds on you falls under this basis.

8.3. Vital Interests

Vital Interests means there is a need to process data to save someone’s life.  It is extremely unlikely that this will ever apply to the Company.  It is possible, however, that the Company may need to share information with the emergency services should something happen to you and it would be on this basis that the Company would rely.

8.4. Legitimate Interests

Legitimate Interests refer to situations where data is used in a way that an individual would reasonably expect.

9. The rights of data subjects

You, as a data subject, have particular rights under GDPR.  These are:

9.1. The right to be informed

You have the right to know what data the Company holds about you, how it is held, what it is used for, who has access to it, how long it is held for, how you can see the data and the legal basis on which the data is held.  The Company will meet the obligations under this right through this Privacy Statement and through the additional policies named in the introduction.

9.2. The right of access

You have the right to see the data that the Company holds about you.  the Company will meet the obligations under this right through the Subject Access Request Procedure.

9.3. The right to rectification

You have the right to have any errors in the personal data held about you corrected.

9.4. The right to erasure

You have a right to request that personal data is deleted or destroyed where there is no compelling reason for the Company to continue to hold this data.  It is important to note that if the Company is required to keep the data to fulfil a legal obligation, then the right to erasure does not exist.

9.5. The right to restrict processing

You have a right to ‘block’ the processing of personal data.  This means that the Company can continue to store it but can no long process it.  This applies in very specific circumstances and cannot be applied if the restriction would prevent the Company from meeting any obligations under your contract of employment or from meeting a legal obligation.

9.6. The right to data portability

You have a right to move, copy or transfer data from one IT environment to another.  This is unlikely to be relevant to the data held by the Company.

9.7. The right to object

You have the right to object to data being processed where the legal basis for that processing is either one of legitimate interest or the performance of a task in the public interest.  You can also object if the processing of that data is for direct marketing.

9.8. Rights in relation to automated decision making and profiling

You have a right to request that a human be involved in automated decision making.  This is unlikely to be applicable in relation to the Company as no automated decision-  making processes are used.

10. The data we typically hold

Below is a table that sets out full information relating to our data processing.  This helps us to ensure that you are fully informed; you, however, have shared responsibility for this.  If you feel that there is anything missing from the list, you should raise this with the Office Manager.

For all candidates, we’ll hold the following information:

Data Item

Basis for processing


Who has access?

Who is responsible for it?

Name and address 

6. Legitimate Interest

To enable communication and, for contractors, to execute the contract.

Permanent candidates: All employees

Contract candidates: All employees, HMRC, accountant, client, with organisation used to support candidate background checks. 

Office Manager / Director

Telephone number

6. Legitimate Interest

To enable communication.

All employees

Office Manager / Director

Personal email address

6. Legitimate Interest

To enable communication.

All employees

Office Manager / Director


6. Legitimate Interest

To support recruitment activity.

All employees

Office Manager / Director

Date of birth

6. Legitimate Interest

We don't require this information and do not use it during the recruitment process, but it is sometimes included in a CV.

All employees

Office Manager / Director

For candidates for contract roles, we may hold the additional information:

Data Item

Basis for processing


Who has access?

Who is responsible for it?

Information used to conduct background checks (bank statement/utility bill, proof of address etc.)

2. Contract

To execute the contract.

Verifile and other regulated agencies used to conduct background checks.

Office Manager / Director

Result of background checks (reports from agencies used, references, copy of passport, copy of academic qualifications, copy of professional qualifications etc.)

2. Contract

To execute the contract.

Potentially with client.

Office Manager / Director

Contract/service agreement

2. Contract

To process the contract.

Operations Manager and Director.  Legal professional should a dispute arise.

Office Manager / Director

Copy of right to work evidence

2. Contract

Held on file to prove compliance with immigration rules.

Office Manager and Director.  Will be shared with relevant legal body if required.

Office Manager / Director

Bank details 

2. Contract

To process payments.

Office Manager and Director.  Accountant.

Office Manager / Director

Work undertaken records

6. Legitimate Interest

Providing future references

All employees have access to the information as CV is stored in CRM.

Office Manager / Director

11. Privacy by design

The Company has adopted the principle of privacy by design and will ensure that the definition and implementation of all new or significantly changed systems (that collect or process personal data) will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.

The data protection impact assessment will include:

  • Consideration of how personal data will be processed and for what purposes
  • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
  • Assessment of the risks to individuals in processing the personal data
  • What controls are necessary to address the identified risks and demonstrate compliance with legislation
12. Data Protection Officer

A defined role of Data Protection Officer (DPO) is required under the GDPR if an organization is a public authority, if it performs large scale monitoring or if it processes particularly sensitive types of data on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.

Based on these criteria, the Company does not require a Data Protection Officer to be appointed.

13. Breach Notification

It is the Company’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours. This will be managed in accordance with the Data Breach Notification Procedure which sets out the overall process of handling information security incidents.

14. Addressing Compliance to the GDPR

The following actions are undertaken to ensure that the Company always complies with the accountability principle of the GDPR:

  • The legal basis for processing personal data is clear and unambiguous
  • the Company communicates with all individuals regarding the data held and the rights that individuals have in relation to that data
  • All staff involved in handling personal data understand their responsibilities for following good data protection practice
  • Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
  • Regular reviews of procedures involving personal data are carried out
  • Privacy by design is adopted for all new or changed systems and processes
15. Concerns and Questions

The Company will continue to adopt best endeavours to ensure on-going compliance but any individual who has concerns regarding any of the actions that are taken or feels that they are unclear as to how the Company is complying with elements of the legislation should raise their concerns with the Office Manager. Your concerns will be investigated and responded to within 28 days.

Please email if you would like a copy of Record Retention and Protection Policy.