Metamorphic (“We”) is a recruitment business which provides recruitment and work-finding services to its clients. Metamorphic must process personal data so that it can provide these services and in doing so we act as a “data controller.”

A “data controller” means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in the privacy notice.

This notice informs you of how we protect your personal data and informs you about your legal rights when we obtain your personal data, in accordance with the new General Data Protection Regulation (GDPR). This notice does not act or form part of any contract to provide you with recruitment or work-finding services.

· Who is the Data Protection Officer at Metamorphic ?

For more information and/or to exercise any of your rights at any time you can contact our Data Protection Officer, Imogen Paul (“our Data Protection Officer”) on

· Legal basis for processing my personal data? Metamorphic holds and processes personal data by obtaining your written or verbal consent wherever possible. We can also hold and process your personal data under a ‘legitimate interest.’ A ‘legitimate interest’ is where there is some good commercial reason for processing your personal data, for example where you have uploaded your personal data to a jobs board and we use this data for the purposes of securing you an interview or job. We will only use your personal data in situations where the law allows us to.

· What personal data do you hold? The categories of personal data we may collect and process are including but not limited to:

o your identity (name, gender, address, date of birth and marital status);
o evidence of right to work in the UK;
o contact information;
o professional experience and employment history;
o education history, skills and other qualifications;
o salary information;
o details of disabilities;
o unspent criminal/motoring convictions.

The holding of this data is required for us to ensure that you are suitable for opportunities being managed by us. We hold this data for the purposes of providing you with work-finding services and/or information relating to roles relevant to you.

· Who will you share my data with? We will share your personal data with clients and sometimes third parties associated with those clients, but only with your permission. We will take steps to make sure that your personal data is adequately protected when passed to our clients or third parties and we may require the recipient to sign a contract confirming that they are compliant with the GDPR.

Your data will not be shared outside of the EEA unless for a specific opportunity and with your express permission.

· How will you use my data? We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. For example, future job adverts via email around relevant job opportunities. Should you wish to opt-out at any time please contact our Data Protection Officer.

· Where do you find candidate data? You may give your personal details to us directly, such as on an application or registration form or via our website, or we may collect them from another source where your information is available, such as a jobs board database (Reed, Gaap Web, Careers in Audit, Taxation Jobs, Exec Appointments) and/or social media sites, such as, LinkedIn and Twitter.

· Where do you store my data? Metamorphic uses Bullhorn Inc. (a Customer Relationship Management Company) to manage and store data. Bullhorn uses a cloud database where all data is uploaded onto the cloud system and stored within the UK. We also use an outsourced IT provider to manage our IT systems, with information stored on a Metamorphic server within the UK. Both the CRM and IT provider that we use are bound by a data privacy and confidentiality contract.

· What about sensitive data? Special category data is personal data which is of a sensitive nature. These include, but are not limited to:

o race;
o ethnic origin;
o politics;
o religion;
o trade union membership;
o health;
o sexual orientation.

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:

o In limited circumstances, with your explicit written consent.
o Where we need to carry out our legal obligations or exercise rights in connection with employment.
o Where it is needed in the public interest, such as for equal opportunities monitoring

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

· How long will you store my data? Metamorphic will retain your personal data for as long as necessary in order to fulfil our obligations to you. If you no longer require the services of Metamorphic we will keep your personal data on file for as long as necessary pursuant to all and any relevant legislation at the time. Upon expiry of that period we will seek further consent from you. Where consent is not granted the Company will cease to process your personal data.

· How do you protect candidate data? Metamorphic are dedicated as a company to protecting and respecting your privacy and the data you supply to us. Metamorphic use various security measures such as effective firewalls and anti-virus programs which are monitored daily by our IT support team which enables us to protect the data we store. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

All our data security measures are available upon request from our Data Protection Officer.

· What rights do I have? You have the right to:

o Be informed about the collection and use of your personal data;
o A right of access to copies of any information that may be considered to have been compromised in your personal data;
o A right to object to decisions being taken by automated means;
o A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
o A right to claim compensation for damages caused by breach of the GDPR or any relevant Data Protection Law at time to time in force.

You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.