Introduction- GRN and Data Protection
The General Data Protection Regulation (or GDPR) is the framework for data protection laws in Europe. Due to increasingly technologically driven and globalised data communications, the GDPR addresses personal data transfers for EU citizens to ensure greater data control and security, within and outside the EU.

Graduate Recruiters Network, also referred to as GRN, is owned by the Graduate Recruitment Bureau (GRB). We are registered with the Information Commissioner’s Office (ICO), number z7502403. We take data privacy very seriously and we are strictly compliant with data protection legislation. We have carefully complied with the Data Protection Directive 1995, Data Protection Act 1998 and now the General Data Protection Regulation.

We have strong data security measures in place, and we have never sold or exchanged member data, and we never will.

Our Service – Why we store personal data
We process and store the personal data of GRN members that opt-in or request to join by agreeing to our Privacy Policy. We hold and store this personal data on individuals so we can efficiently retrieve it at the appropriate time to provide information on events or other related announcements.

Your Data – What Do We Collect and Why?
We have a GRN Member database that stores contact name, company name, email address and phone number so we can communicate marketing of events or other related announcements.

Call Recording
If you are in communication with any member of staff at GRB via telephone, we may store the call as a recording for training or reference.

Data Storage – Where we safely store your data
In terms of storage and website functionality, your data will never leave the EU. Your personal information is being stored in one or more of the following secure UK based locations either temporarily or until your account is deleted:

Our website server
Our backup server
Our cloud storage account
A data entry service
A cloud based document processor
A cloud based call recording system
For security reasons the providers will only be named on legitimate requests.

We ensure that appropriate security of personal data is in place to protect against unauthorised or unlawful access, accidental loss and destruction or damage. We do so by using, amongst others, the following technical, cyber security and organisational measures:

Secure Socket Layer (SSL) certificates installed on the GRB and sister websites
Separate non-public access servers to store candidate data
Enterprise level secure managed hosting
Enforced strong passwords and password change lockouts
Encrypted backups for all systems
Regular auditing of internal computers and laptops
Password or user permissions protected documents and folders
Industry leading anti-virus and firewall software
All staff trained in safely handling data
All third party services used are GDPR compliant with supplied statements
Appointed Data Protection representative

GRB take every possible step to implement measures and procedures that protect your privacy and we ensure that data protection is integral to all processing activities. This includes implementing measures such as:

Data minimisation
Only completely necessary data is requested and stored

Anonymisation
Personal information is anonymised if it is not required for the purpose of use. Individuals who request their personal data to be removed will have their records anonymised.
Anonymisation (of data) is a type of information sanitisation whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

Privacy Notices – We’ll always tell you and make it clear
It is important that you know exactly what data is being collected and what it is used for. GRB ensure that whenever personal data is collected the individual is clearly notified as to what is going to happen with the data. You will be given at least one of the following notices and will be required to confirm with us that you accept before we process and store your information for our services:

Data Processors – Who handles your personal information
We process all the data internally.

Personal Data Request – Take a look at what we have
If we hold any of your personal data then you or a representative of your behalf can request a copy from GRB. A full copy of your data will be supplied in a Microsoft Excel file within one month. GRB would also be happy to assist if you would like to rectify any inaccurate or incomplete personal data. See Making Requests at the end of this document.

Data Changes and Deletion – Your right to be forgotten
GRB strongly believe in your right to be forgotten. This is both good for the autonomy and respect of our users, and business efficiency. This is at the core of GRB’s values as a company and GDPR.

If you would like your personal data removed then please email your request to GRB (See Making Requests at the end of this document) with confirmation that you would like to be removed entirely, or whether you are happy to remain as a user that does not get contacted in the future (for a specified period or otherwise).

If you would like to be completely removed then a full anonymisation of your record will be put into motion. This process ensures that all personally identifiable data is removed and the profile cannot be identified under any circumstances. If you have given prior consent for your information to be passed on to a recruiter or another third party then we will attempt to reach out and request they follow the same procedure however we can’t enforce or follow-up to prove action from them.

This initial process will be completed within one month of the request made.

Please note that you will be able to re-submit your data again in the future should you wish to. It is also possible to be re-registered via another route that you may not be aware of such as opting-in while registering with one of our partners. As we will not keep a record of people we have removed, we can’t avoid this, so you may be contacted again.

Data Portability – How you can move your data
You have the right to a copy of your data, and where feasible, GRB will send your personal data to a named third party on the individual’s request. We supply your data in Microsoft Excel format which is considered as a good choice for data portability. We can also supply it in other formats on request. Please see Making Requests at the end of this document.

Object to Processing – Your right to ask us to stop
You have the right to object to your personal data being used or profiled by GRB if you feel it’s of public or legitimate interest. You can also object to your personal data being used for direct marketing. Once we receive a request we shall cease using your data, unless we have legitimate grounds to continue which take precedence over your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. To cease using your data we will revert to full anonymisation of your record in all our systems. Please see Making Requests at the end of this document.

Enforcement of Rights – Our responsibility to action your requests in a given timeframe
GRB will act upon any requests relating to your personal data within one month. This includes personal data requests, requests relating to rectification, erasure, restriction, data portability or objection or automated decision making processes or profiling. We may extend this period for two further months where necessary, when taking into account the complexity and the number of requests. These timeframes meet the GDPR standards.

If GRB considers any requests unfounded or excessive due to the request’s repetitive nature we may either refuse to act on the request or may charge a £10 fee per request taking into account the administrative costs involved.

Reporting personal data breaches – How we are prepared
In the unlikely event of a data breach, GRB will take steps to contain and recover the breach. If a personal data breach is likely to result in a risk to the rights and freedoms of any individual, GRB will notify the ICO. If a personal data breach presents a high risk to the rights and freedoms of any individual then GRB will tell all affected individuals without undue delay. If a personal data breach happens outside of the UK, GRB shall alert the relevant supervisory authority for data breaches in the affected jurisdiction.

Making Requests
Please email your request to GRB providing the following information:

What action you would like to take:

Account Deactivated
Your data will remain within the GRB systems but contact will not be made without additional prior consent.

Account Data Request
We will supply a copy of the personal data we hold on your account.

Account Deleted
Your data will be fully deleted in the form of anonymisation.

Other Request
Please specify and direct us to any part of this privacy policy that may assist us with your request

For identification:

Full Name
Email address/addresses that may be registered
Contact phone number
You must make your request from the registered email on your account. In the cases where we can’t identify you with certainty we may ask for further identification such as photographic ID.
Please send the above information from your registered email to datarequests@grb.uk.com