When we collect, store, use and share your personal data we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer in the European Economic Area (EEA).
“we”, “us”, “our”
We are registered with the Information Commissioner’s Office (registration number ZA009795).
For the purposes of data protection legislation we act as a data processor.
“you” or “your”
An individual applicant or candidate which the client intends to background-check using VettingGateway services.
The person or firm (normally your employer, potential employer or other 3rd party) in contract with us to use the VettingGateway services from time to time.
For the purposes of data protection legislation the client acts as a data controller.
“Special category personal data”
Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership; or
Genetic data; or
Biometric data (where used for identification purposes); or
Data concerning health or sexual orientation.
A person or firm which features as part of your background-check” (whose personal information may be provided to us by you or by the client).
Any information relating to an identified or identifiable individual.
The identified or identifiable individual who the personal data relates to.
Personal data we collect about you
The personal data we collect about you depends on the particular services we are providing to the client and the types of background check they are undertaking whilst using the VettingGateway services. Such checks may include:
Identity Verification / Right to Work Checks
Adverse Financial Checks
Criminal Record Checks
GSAT (General Security Awareness Training)
Social Media Checks
In undertaking any of the checks listed above, we may collect, store, use and share some or all of the following personal data about you:
Identity information including forenames, middle names, last names, maiden names, usernames or similar identifiers, gender, nationality, place and date of birth, any previous names and National Insurance number;
Information relating to your right to work in the UK;
Contact details including phone numbers and email addresses;
Current address and address history;
Copies of identification documents in relevant combinations in order to meet background checking or employment criteria, which may include but are not limited to your driving licence, passport, birth certificate, bank statements, council tax statements or other utility bills;
Current employment and/or previous employment details, including names, job titles and contact details of referees;
Current and/or previous educational details including where you studied, the qualifications and grades you achieved, and names, job titles and contact details of educational referees;
Details of personal and/or character referees including their names, job titles and contact details;
Information about how you use our website, IT, communication and other systems;
Details of IP addresses and other identifiers;
Criminal record history.
Personal data is collected, stored, used and shared with your consent. If you do not provide your consent or provide the personal data we ask for, this may delay or prevent us from providing services to the client and/or fulfilling our contractual obligations.
How your personal data is collected
Initially we collect your personal data directly from you (or from the client or from a 3rd party) via VettingGateway when you (or the client or a 3rd party) submit the personal data which is necessary to initiate your background checks. For example, your personal data might be contained in completed application forms or may be derived from your passport or other identification documents which you (or the client or a 3rd party) submit via website forms and applications.
Depending on the particular services we are providing to the client and the types of check the client is undertaking, we then subsequently collect information from other third parties with your consent, including from identity verification providers, current and/or previous employers, current and/or previous educational establishments, personal and/or character referees, credit reference agencies, government departments, criminal record bureaus, training providers, social media sources, your referees or references, and educational institutions.
We may also collect your personal data using cookies on our website.
How and where we store your personal data
Your personal data is stored and accessed by us using our 3rd party cloud hosting service provider, Amazon Web Services (AWS). The AWS data centres which we use are located in either the United Kingdom or the European Economic Area (EEA).
How and why we use your personal data
We provide background checking software which is used by (and at the discretion of) the client to assist them in considering individuals for employment and other circumstances where an individual’s background is relevant. The client uses our software to carry-out various types of background check which requires us to use your personal data.
Under data protection law, we can only use your personal data if we have a lawful basis to do so, which may be any of the following:
a. Consent: you have given clear consent for us to process your personal data for a specific purpose.
b. Contract: the processing is necessary for a contract we have with the Client
c. Legal/Regulatory obligation: the processing is necessary for us to comply with the law (not including contractual obligations) or regulation.
d. Vital interests: the processing is necessary to protect someone’s life.
e. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
f. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a 3rd party, unless there is a good reason to protect your personal data which overrides those legitimate interests.
The client determines the lawful basis for use of your personal data under the UK GDPR or the EU GDPR, as the data controller. Further details regarding the client’s determination of lawful basis is generally set forth in the client’s own privacy notice(s) which should be presented or made available directly from the client.
As a data processor under both the UK GDPR and the EU GDPR, we process personal data in accordance with the instructions of our client and comply with the requirements on processors under the UK GDPR or the EU GDPR.
The following personal data we may use is treated as a special category, to which certain additional protections apply under data protection law:
personal data revealing racial or ethnic origin
Where we use such special category personal data, we will also ensure we are permitted to do so under applicable data protection laws, eg where:
we have your explicit consent;
the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
the processing is necessary to establish, exercise or defend legal claims.
We may also process criminal record data with your consent and at the instruction of our Client. When we process such data we do so in accordance with the Data Protection Act 2018 (Schedule 1, Part 1) because the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Client or the data subject in connection with employment, social security or social protection.
Who we share your personal data with
We may share your personal data with:
a. the client, as consented to by you, with whom we also have a contractual obligation to share such personal data;
b. third parties (the details of which you or the client have provided) where you have consented to our sharing of your personal data with the third party, eg referees for the purposes of reference checks;
c. third parties we use to help deliver our services to the client and consented to by you, eg background checking service providers;
d. other third parties we use to help us run our business based on a legitimate interest, eg our cloud hosting service provider.
We only share your personal data with those organisations in (c) and (d) above if we are satisfied that they take appropriate measures to protect your personal data. Where appropriate, we also impose contractual obligations on them to ensure that they can only use your personal data to provide services to us.
More details about who we may share your personal data with and why are set out in the table below
Recipient of the personal data
Reason for sharing personal data with the recipient
Complete Background Screening Limited —a company incorporated in England with registered number 05435348, whose registered office is at The Screening House, Cwm Cynon Business Park, Mountain Ash, Wales, CF45 4ER
To undertake a criminal record check
Experian Limited — a company incorporated in England with registered number 00653331, whose registered office is at The Sir John Peace Building Experian Way, Ng2 Business Park, Nottingham, NG80 1ZZ
To undertake the following types of check:
Adverse financial check
Redline Assured Security Ltd – a company incorporated in England with registered number 05915087, whose registered office is at C/O Air Partner Plc 2 City Place, Beehive Ring Road, Gatwick, United Kingdom, RH6 0PA
To facilitate General Security Awareness Training (GSAT)
YHH Technologies Ltd – a company incorporated in England with registered number 10113268, whose registered office is at Mallory House, Goostrey Way, Mobberley, Cheshire WA16 7GY
To undertake a social media check
TrustID Limited – a company incorporated in England with registered number 05953015, whose registered office is at The Blade, Abbey Street, Reading, England, RG1 3BA
To undertake an identity verification and right to work (RTW) eligibility check
Amazon Web Services EMEA SARL, located at Avenue John F. Kennedy 38, Luxembourg, 1855, Luxembourg
Web and data hosting services, ie storing your personal data on computer equipment so it can be accessed by us and permitted third parties online in order to run our business and provide services to the client.
If you would like more information about who we share our data with and why, please contact us by email (see ‘How to contact us’ below).
How long your personal data will be stored
We will not store your personal data for longer than we need it for the purpose for which it is used.
The retention period for your personal data is set by the client as the data controller. For more information on retention periods, please contact the client.
If you no longer have an account with us or we are no longer providing services to you and to the client, we will delete or anonymise your personal data in accordance with our client’s instructions.
Transferring your personal data out of the UK but inside the EEA
We may need to transfer your personal data to sources outside the UK and the EEA depending on your prior employment, education or address history and the extent to which our client requests us to do so. For example, if you were employed or were in education outside the UK and the EEA we may need to transfer certain personal data to liaise with former employers, former educational establishments or other 3rd parties outside the UK and the EEA. In such cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.
As we are based in the UK we may also transfer your personal data between the UK and the EEA.
More details about the countries outside the UK but inside the EEA to which your personal data is transferred at the date of this policy are set out in the table below.
Recipient of the personal data
Reason for sharing personal data with the recipient
Amazon Web Services EMEA SARL, located at (AWS) Avenue John F. Kennedy 38, Luxembourg, 1855, Luxembourg
Web and data hosting services, ie storing personal data on computer equipment so it can be accessed by us and permitted third parties online in order to run our business and provide services to the client.
Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018
If you would like further information about data transferred outside of the UK but inside the EEA then please contact our Data Protection Officer (see ‘How to contact us’ below).
A cookie is a small text file which is placed onto your device (eg computer, smartphone or other electronic device) when you use our website or access VettingGateway. These cookies help us recognise you and your device and store some information about your preferences or past actions.
Your rights as a data subject
You have the following rights, which you can exercise free of charge:
The right to be provided with a copy of your personal data
The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten)
The right to require us to delete your personal data—in certain situations
Restriction of processing
The right to require us to restrict processing of your personal data in certain circumstances, eg if you contest the accuracy of the data
The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
The right to object:
—at any time to your personal data being processed for direct marketing (including profiling);
—in certain other situations to our continued processing of your personal data, eg processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims
Not to be subject to automated individual decision making
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
The right to withdraw consents
If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time
Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn
If you exercise any of the above rights, it may (depending on the circumstances) delay or prevent us from providing services to the client, and/or fulfilling our contractual obligations.
If you would like to exercise any of the above rights, please:
Utilise functionality available on the VettingGateway platform; or
Contact us by email—see below: ‘How to contact us’ providing enough information to identify yourself (eg your full name, address and date of birth) and any additional identity information we may reasonably request from you. Please also let us know what right you want to exercise and the information to which your request relates.
For more information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below) or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.
How we keep your personal data secure
We maintain appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to complain
Please contact us by email if you have any queries or concerns about our use of your personal data (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.
You also have the right to lodge a complaint with the Information Commissioner in the UK who may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.
This privacy notice was last updated on 5th June 2023. We may change this privacy notice from time to time. When we do we will inform you via our website or, where appropriate, other means of contact such as email.
How to contact us