1. Our Recruitment Privacy Notice Screwfix Direct Limited (Company Number 03006378) of Trade House Mead Avenue Yeovil BA22 8RTis committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after our application and recruitment processes. It applies to all current and former job applicants and potential candidates for employment. Screwfix is a "data controller" with regard to the personal information we hold about you by virtue of your involvement in our recruitment processes. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection law to notify you of the information contained in this privacy notice. This privacy notice does not form part of any contract of employment or other contract to provide services offered to candidates hired by us. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using this information. 2. Data protection principles We comply with data protection law, meaning that the personal information we hold about you must be: Used lawfully, fairly and in a transparent way. Collected only for valid purposes that we have clearly explained to you, and not used in any way that is incompatible with those purposes. Relevant to the purposes for which we use it. Accurate and kept up to date. Kept only as long as necessary for the purposes for which we use it. Kept securely. 3. The kind of information we hold about you Personal information means any information about an individual who can be identified. It does not include data where the identity has been removed (anonymous data). We will collect, store and use the following categories of personal information about you: Personal contact details, such as name, title, addresses, telephone numbers, and personal email addresses. Employment records, including job titles, work history and professional memberships. Education history, including achievements and test results. Right to work documentation. Compensation history. Assessment performance information. References. Photographs and images from recorded assessments or from on-site CCTV footage. Results of pre-employment screening checks, such as information on professional or other social networks and websites. We may also collect, store and use the following "special categories" of more sensitive personal information, which require a higher level of protection: Information about your race or ethnicity. Information about your health, including any medical condition, health and sickness records. We may also capture information about any criminal convictions and offences, as explained further in the “Information about criminal convictions and offences” section below. 4. How is your personal information collected? We usually collect personal information directly from you when you apply for a role with us, such as information included in CVs, application forms, application videos or cover letters. We may also collect personal information about you from an employment agency, recruitment consultant or background check provider; and sometimes collect additional information from professional or other social networks and websites, and third parties including former employers, credit reference agencies or other background check agencies. 5. When and how we will use your personal information We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances: Legal Obligations – where we need to comply with a legal obligation. Legitimate Interests – where it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests. Pre-Contract Steps – where it is necessary in order to take steps at your request prior to entering into a contract of employment, or other contract to provide services, with you. Where we need to protect your vital interests (or someone else’s interests). The purposes for which we will process your personal information are listed below, along with the key legal basis for each processing. Identifying candidates for potential employment, as well as for future roles that may become available. (Legitimate Interests) Making a decision about your recruitment or appointment. (Legitimate Interests) Determining the terms on which you work for us. (Legitimate Interests) Checking you are legally entitled to work in [the UK]. (Legal Obligations) To prevent fraud. (Legitimate Interests) Conducting pre-employment screening checks. (Legitimate Interests) Equal opportunities monitoring. (Legal Obligations) Complying with legal or regulatory obligations placed on us with regard to our hiring, such as those relating to candidates with disabilities. (Legal Obligations) Dealing with legal disputes involving you and protecting our legal rights to the extent authorised or permitted by law. (Legitimate Interests) Complying with health and safety obligations. (Legal Obligations) Record keeping in relation to our recruitment processes. (Legitimate Interests) Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. In addition, we require a further legal basis if the information is in a “special category” of personal information. See the “When and how we use particularly sensitive personal information” section below for more detail. 6. If you fail to provide personal information If you fail to provide certain personal information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require references for a role and you fail to provide us with relevant details, we will not be able to take your application further. 7. When and how we use particularly sensitive personal information "Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy, documents and safeguards which we are required by law to maintain when processing such information. We may process special categories of personal information in the following circumstances: Employment Rights and Obligations – where we need to carry out our legal obligations or exercise rights in connection with employment. Explicit Consent – in limited circumstances, with your explicit written consent. Other – less commonly: Where it is needed in relation to legal claims. Where it is needed to protect your vital interests (or someone else's interests) and you are not capable of giving your consent. Where you have already made the information public. We will use your particularly sensitive personal information in the following ways and on the basis of the legal grounds specified. We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, such as to enable you to take online assessments and attend interviews. (Employment Rights and Obligations) We will use information about your race or ethnic origin to ensure meaningful equal opportunity monitoring and reporting. (Employment Rights and Obligations) 8. Do we need your consent? We do not need your consent if we use your personal information in accordance with our written policy. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive information. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of any contract you may enter into with us that you agree to a request for consent from us. You can withdraw your consent at any time – please see the “Right to withdraw consent” section below for more detail. 9. Information about criminal convictions and offences We may collect information about your criminal convictions history if it is appropriate given the nature of the role and where the law allows us to do so. This will usually be where such processing is necessary to carry out our legal obligations or exercise rights in connection with employment, and provided we do so in line with Kingfisher’s Data Protection Policy. Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. 10. Automated decision-making Automated decision-making takes place when an electronic system uses personal information to make a significant decision without human intervention. We are allowed to use automated decision-making in the following circumstances: Where we have notified you of the decision and given you 1 month to request a reconsideration or to request that we take a new decision that is not based solely on automated processing. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you. Please note that we will ask whether you have a lawful right to work in the UK, and if you are unable to confirm this then we will automatically de-select your application as we are not legally able to employ you without you having a lawful right to work in the UK. 11. Sharing your personal information with third parties We will only share your personal information with third parties for the purposes of processing your application. Third parties include: Other entities within the Kingfisher group – including Kingfisher plc, Kingfisher IT Services Limited, and B&Q plc. Taleo (our talent management software application) Hirevue, our video interview platform Former employers, for the purposes of obtaining references from you. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions. 12. Transferring your personal information outside the EU We may transfer the personal information we collect about you to the following countries outside the EU in order to process your application. To ensure that your personal information does receive an adequate level of protection we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: Project Name Countries of Transfer Protection Mechanism Purpose of Transfer Microsoft Azure Services (One Drive, Office 365, AADP), Sharepoint USA, Hong Kong, India, Canada, China, Egypt, Israel, Japan, Singapore Model Clauses entered into between KITS and Microsoft Inc. Optimisation of IT capability, back-up and support services 13. Keeping your personal information secure We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and where they are subject to a duty of confidentiality. For details of these measures, please contact us using the “How to contact us” section below. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 14. How long we will use your personal information for If your application with us is unsuccessful, we will hold your personal information for a period of nine (9) months after we have communicated that decision to you. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with the Kingfisher Record Keeping and Document Retention Policy and Standard. If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your consent to retain your personal information for a fixed period on that basis. If your application with us is successful, the personal information gathered during the recruitment process will be transferred to your Human Resources file and retained during your working relationship with us. The periods for which your personal information will be held will be communicated to you in our privacy notice for employees, workers and contractors. 15. Your rights in connection with your personal information By law you have the right to object to processing of your personal information in certain circumstances, where there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. You also have the right by law under certain circumstances to: Request access to your personal information (commonly known as a "Data Subject Access Request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. Request erasure of your personal information. This enables you to ask us to delete or remove personal information where, for example, there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see above). Please note that this right does not apply in some cases, such as where we are required by law to retain your data or where the data is required for us to bring or defend a legal claim. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. Request the transfer of your personal information to another party. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. If you want to exercise these rights, please contact us using the details in the “How to contact us” section below. 16. Right to withdraw consent In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us using the details in the “How to contact us” section below. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose or purposes you originally agreed to, unless we have another basis for doing so in law. 17. How to contact us If you have any questions about this privacy notice or how we handle your personal information, or if you would like to exercise any of the rights set out in the “Your rights in connection with your personal information” section above, please contact us using your preferred method of the following: Phone: 03330 112 112 Email: firstname.lastname@example.org Post: Data Protection Officer, Screwfix Direct Limited, Trade House, Mead Avenue, Yeovil BA22 8RT 18. Complaints If you are concerned about how we use your personal information, you have the right to make a complaint at any time to either the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, or (if different) the supervisory authority in your place of residence or the place in which the relevant infringement has taken place. Their contact details are: Email: email@example.com Phone: 0303 123 1113 (local rate) or 01625 545 745 Post: Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF. Website: www.ico.org.uk 19. Changes to this privacy notice We reserve the right to update this privacy notice at any time.