THE VERY GROUP CANDIDATE PERSONAL INFORMATION PRIVACY NOTICE
The purpose of this notice
The purpose of this notice is to ensure that we recognise and respect the privacy of all The Very Group candidates. This notice explains what information we collect, how this will be used and how it is protected.
About The Very Group
The Very Group comprises two subsidiary companies; Shop Direct Home Shopping Limited and Shop Direct Finance Company Limited.
The Data Protection Regulations
The Very Group when processing any personal data is bound by the UK GDPR and the Data Protection Act 2018. These regulations are enforced by the Information Commissioner’s Office. The Very Group is registered with the ICO and has an appointed Data Protection Officer.
Personal information we collect about you
The information we collect about potential employees may depend on the role a potential employee is applying to fulfil and the type of contract they may have with The Very Group (permanent/temporary contract employees/contractors) and this may include special category data. This notice also applies to potential sub-contractors to The Very Group and its group of companies.
The information we collect includes (but isn’t limited to)
- Your name, address, contact details (i.e. email addresses, telephone numbers etc) and date of birth
- Details we need to verify your identity and process your application for employment (including performing credit reference checks, fraud checks, Disclosure and Barring Service checks) and Right to Work checks.
- Personal information on a relevant Curriculum Vitae and any accompanying cover letter or additional documentation provided by the candidate upon application
- Financial details for payroll, benefits and expenses purposes
- CCTV recordings at certain locations
- Candidate call recording obtained and retained for monitoring and training purposes
- Details of any accounts you hold within The Very Group of companies
- Your employment application forms and all references
- Contracts of employment with us (and any amendments to it)
- Whether you require any reasonable adjustments for interview
- Correspondence with you, or about you e.g. communications to you about interviews, screening information requests, confirmation of successful applications and communications confirming that you have not been successful with your employment application with us
- Information deemed essential e.g. your own contact and emergency contact details, information needed for equal opportunities monitoring policy and records relating to your education / career history, such as certificate of achievements to confirm qualifications
- Information about criminal convictions and offences.
- Special category data for the purposes of diversity and inclusion reporting
How is your personal information collected?
We collect personal information through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other from data already available in the public domain via social media sites such as, but not limited to, LinkedIn.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
1. Where we need to comply with a legal obligation.
2. Where it is necessary for our legitimate interests
3. Where criminal record checks are necessary
We may also use your personal information in the following situations, which are likely to be rare:
1. Where we need to protect your interests (or someone else's interests)
2. Where it is needed in the public interest or for official purposes.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use particularly sensitive personal information
"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
1. In limited circumstances, with your explicit written consent.
2. Where we need to carry out our legal obligations and in line with our Data Protection policy.
4. Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
We will use your special category information in the following ways:
- We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- If you are invited to attend an interview, we may ask whether you require any special adjustments to be able to attend
Do we need your consent?
In limited circumstances, we may approach you for your consent to allow us to process certain special category data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We may process special category information without consent if there is a legal obligation to do so.
Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection policy.
We will only hold criminal record information for a limited period of time.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.
How we store and secure your personal information
We protect all our potential employee information by maintaining relevant physical, electronic and procedural processes to safeguard and prevent any unauthorised access, accidental loss, disclosure or destruction of your data.
How long we will store your personal information
We have policies in place to ensure we only store the relevant candidate information we need and we will ensure it is securely destroyed when it is no longer needed. We will store candidate information for 12 months from the application closing. If you are successful we will retain your data for a longer period detailed in our retention schedule.
Your rights as a Data Subject
Accessing your data: You have the right to request from us access to any data we hold about you. Restrictions may be placed on providing you with certain information we hold about you (e.g. if they relate to the prevention and detection of crime and taxation, or any information we are hold about you under legal privilege via legal advice and proceedings). To make a subject access request please contact Talentacquisition@theverygroup.com
Rectification: If you believe that we hold inaccurate personal data about you, then you can either update this information directly by logging into your career site and updating the relevant details or you can request that we carry out a review by emailing our Talent Acquisition Team on Talentacquisition@theverygroup.com Depending on the type of personal data you believe is inaccurate, we may ask you for further proof to ensure that the personal data is being corrected properly. If we are satisfied that the personal data is inaccurate we will make the necessary changes.
Erasure: You have a right to ask for your personal data to be erased in certain circumstances. However, this right does not apply where we have to comply with a legal obligation or where we need personal data for the establishment, exercise or defence of legal claims. Therefore we cannot comply to an erasure request where you have been involved in a selection process where we must keep records.
Restricting automated processing and profiling: You have the right to have automated processing and profiling restricted
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We may take decisions about you using automated means as part of the assessment and selection process, such as but not limited to literacy & numeracy assessment. There are a number of consequences of automated processing:
- We may refuse your application for employment
We may decide to offer you alternative roles within our employment
You can request for a human intervention for any automated decision by contacting Talentacquisition@theverygroup.com.
Data portability: You have the right to request that the information we process by automated means is sent to you or another nominated data controller in a commonly used electronically readable format.
Restricton of Process: You can request The Very Group stop processing your data if you believe the data is being used unlawfully, if you believe we should no longer be holding the data or if you believe the data being used is not accurate.
Right to Object: You can request that we stop processing your data. However, we may continue to process your data if we can show that we have a compelling reason for doing so.
To invoke any of the above rights please contact Talentacquisition@theverygroup.com or DPO@theverygroup.com
Links to other sites
During the course of our employee onboarding process, you may be required to log in to other sites of our third-party service providers (such as Complete Background Screening and Experian) who may be assisting us with relevant background checks we are required to carry out on potential employees, for which you may potentially need to provide personal data. You should be aware that our Candidate Privacy Notice won’t apply once you enter the other websites.
Sharing, receiving and exchanging potential employee data
We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with UK Data Protection law.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Which third-party service providers process my personal information?
"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group. The following third-party service providers process personal information about you for the following purposes:
- Other companies in The Very Group for purposes connected with your potential employment
- Partners or agents who assist us with our onboarding processes for new employees
- Regulators, courts or other public authorities
- Other financial services providers to prevent fraud and to verify identities
- Cifas databases established for the purpose of allowing organisations to record and share data on relevant conduct
- Credit referencing agencies
- The Police, NCA, Action Fraud, DWP or HMRC in relation to prevention or detection of financial crime
- Emergency Services
How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will check your details against the Cifas databases established for the purpose of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct ("Relevant Conduct") carried out by their staff and potential staff. "Staff" means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term.
The personal data you have provided, we have collected from you, or we have received from third parties, will be used to prevent fraud and other relevant conduct and to verify your identity.
Details of the personal information that will be processed include: name, address, date of birth, any maiden or previous names, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed.
We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime
When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also necessary to enable us to enter into and perform our contracts with you.
We, and fraud prevention agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
Consequences of processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse or withdraw employment terms with you. Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your engagement with us, your new engagement may be refused or your existing engagement may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally).
A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please contact the organisation that referred you to this page.
Cifas may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then Cifas will ensure your data continues to be protected by ensuring appropriate safeguards are in place. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data, request that your personal data is erased or corrected, and request access to your personal data.
For more information or to exercise your data protection rights, please contact The Very Group at DPO@theverygroup.com
You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.
What about other third parties?
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may need to share your personal information with a regulator or to otherwise comply with the law.
Transferring information outside the EEA
We may transfer your data to countries outside the EEA on certain occasions. When sending any of your data outside of the EEA we ensure that the data is processed in a way which is in line with UK GDPR. To ensure this is the case, we will put the appropriate safeguards in place including standard contractual clauses. We will only transfer your personal data to third parties who adhere to appropriate data security standards and controls.
Credit reference agencies
We will use credit reference agencies to check your identity and to provide us with information on how your accounts are conducted. It is likely that they may record our enquiries
We use the following credit reference agencies;-
- Experian, PO Box 8000, Nottingham, NG80 7WF
- Equifax, 8 Fletcher Gate, Nottingham NG1 2FS
- Call Credit Ltd, PO Box 491, Leeds, LS3 1WZ
Credit referencing agencies do publish details of their privacy notices referred to as CRAIN (Credit Referencing Agency Information Notice). You can view this at www.experian.co.uk/crain
You have the right to apply directly to these agencies for more details of the information that they hold about you.
Contact details of controller and Data Protection Officer
If you have any concerns as to how your data is processed you can contact The Very Group’s Data Protection Officer at DPO@theverygroup.com or you can write to the Data Protection Officer at the following address: DPO Office
You can also contact the Information Commissioner at www.ico.org.uk or by post at:
Information Commissioner's Office
Updates to our ‘Candidate’ Privacy Notice
This Privacy Notice was last updated October 2023.