Privacy Notice 

​

1. What is the purpose of this document 

Archangel Autonomy (“Archangel”) is the data controller and responsible for deciding how we process (collect, store and use) your personal data.  This privacy notice tells you how we, Archangel, will collect and use your personal data for service provision, correspondence purposes, fulfilling legal obligations, and other legitimate interests. ​This notice does not form part of any contract of employment or other contract to provide services.​ 

 

We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical. 

Archangel commits to protecting the privacy and security of your personal information by following these data protection law and principles, which means that your data will be: 

  

• Used lawfully, fairly and in a transparent way. 

• Collected only for valid, lawful purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes. 

• Relevant to the purposes we have told you about and limited only to those purposes. 

• Accurate and kept up to date. 

• Kept only as long as necessary for the purposes we have told you about. 

• Kept securely. 

 

2. Roles and responsibilities 

2.1 We have appointed a data protection officer (DPO) who is responsible for ensuring that this notice is made available to data subjects prior to Archangel collecting/processing their personal data and for overseeing questions in relation to this privacy notice.  

2.2 All Employees/Staff of Archangel who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured. 

 

3. Our privacy policy 

3.1 Scope 

​​All prospective, current and former employees, workers and contractors​ data subjects and candidates applying for work with us whose personal data is collected.  

 

Our website, products and services are not intended for children and we do not knowingly collect data relating to children. 

 

What is personal data? 

Under General Data Protection Regulation (GDPR), personal data is defined as: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."  

It does not include data where the identity has been removed (anonymous data). 

 

 

3.2 How and why we use and collect your personal data 

3.2.1 How is your personal data collected? 

We use different methods to collect data from and about you including through: 

  

• Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise ​as part of your application, recruitment and employment activities with you. We will collect additional personal information in the course of job-related activities throughout the period of you working for us.​ 

• Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies.  

• ​​3rd parties authorised by you such as employment agency, former employers, credit reference agencies, background check agencies, the trustees or managers of pension arrangements operated by a group company​ 

 

3.2.2 Your consent  

Consent not always required 

 

Generally, we do not rely on consent as a legal basis for processing your personal data; although we will get your consent before sending third party direct marketing communications to you via email or text message. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.  

 

​​We do not need your consent if we use your personal information to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You are not contractually required to agree to any consent request from us.​ 

 

Withdrawing consent 

You may withdraw any previous consent and/or opt out of receiving marketing messages at any time by filling in this form or contacting privacy@archangelautonomy.com.  Where you opt out of receiving marketing messages, this will not apply to personal data provided to us ​in order to fulfil other purposes.​ 

 

 

3.2.3 The personal data we would like to collect from / process on you is: 

Personal data type 

Examples 

Source  

Identity Data 

 

- First name, maiden name, last name, username or similar identifier, marital status, title, National Insurance number, date of birth and gender. 

- Identity documents such as driving licence, passport 

Direct 

 

Photographs, CCTV footage and other information obtained through electronic means such as swipe card records 

Automated 

Contact Data 

- billing address, delivery address, email address and telephone numbers 

​​- Next of kin and emergency contact information​ 

Direct 

Financial Data 

bank account and payment card details 

Direct 

Transaction Data 

details about payments to and from you and other details of products and services you have purchased from us 

Direct 

Technical Data 

internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. 

Automated 

Profile Data 

your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses 

Direct and automated 

Usage Data 

- how you use our website, products and services 

- how you use of our information and communications systems 

Direct and automated 

Marketing and Communications Data 

your preferences in receiving marketing from us and our third parties and your communication preferences 

Direct and automated 

​​Recruitment and Employment details​ 

​​- Payroll records and tax status information.  

​- Compensation history: Salary, annual leave, pension and benefits information.  

​- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process) 

​- Employment records (including job titles, work history, start date, the date of your continuous employment, leaving date and your reason for leaving, location of employment or workplace, working hours, holidays, training records and professional memberships) 

​- Performance information, disciplinary and grievance information 

​- Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied​ 

​​Direct, automated and/or via referee/ recruitment agency/ background check provider/ publicly accessible source.​ 

 

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy. 

 

Special categories of personal data concerned   

We may also collect, store and use the following more sensitive types of personal information: 

Examples 

Source 

Race or ethnicity, religious beliefs, sexual orientation and political opinions. 

 

Direct 

Trade union membership 

Direct and/or via referee / recruitment agency 

Information about your health, including any medical condition, health and sickness records, including: 

- where you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision; 

- details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; and 

- where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes. 

Direct and/or via referee / recruitment agency 

Genetic information and biometric data 

Direct 

Information about criminal convictions and offences 

Direct and/or via government security checks 

 

 

3.2.4 The purposes, legitimate interests, and legal basis for processing your personal data  

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: 

 

• Where we need to perform the contract we are about to enter into or have entered into with you. 

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 

• Where we need to comply with a legal obligation. 

 

We only process particularly sensitive personal data in the following circumstances: 

• With your explicit written consent (Given consent can be withdrawn at any time) 

• Where we need to carry out our legal obligations or exercise rights in connection with employment 

• Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme 

• Where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public 

• We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. 

  

​​In details:​ 

 

Purpose/Activity 

  

Type of data 

  

Lawful basis for processing including basis of legitimate interest 

  

Correspondence and service provision 

To manage our relationship with you which will include: 

(a) Notifying you about changes to our terms or privacy policy 

(b) Asking you to leave a review or take a survey 

  

(a) Identity 

(b) Contact 

(c) Profile 

(d) Marketing and Communications 

  

(a) Performance of a contract with you 

(b) Necessary to comply with a legal obligation 

(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) 

  

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) 

  

(a) Identity 

(b) Contact 

(c) Technical 

  

(a) Performance of a contract with you  

(b) Necessary to comply with a legal obligation 

(c) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)  

Marketing 

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you 

  

(a) Identity 

(b) Contact 

(c) Profile 

(d) Usage 

(e) Marketing and Communications 

(f) Technical 

  

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) 

  

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences 

  

(a) Technical 

(b) Usage 

  

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) 

  

To make suggestions and recommendations to you about goods or services that may be of interest to you 

  

(a) Identity 

(b) Contact 

(c) Technical 

(d) Usage 

(e) Profile 

(f) Marketing and Communications 

  

Necessary for our legitimate interests (to develop our products/services and grow our business) 

We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you, in order to decide which products, services and offers may be relevant for you (we call this marketing). 

To enable you to partake in a prize draw, competition or complete a survey 

  

(a) Identity 

(b) Contact 

(c) Profile 

(d) Usage 

(e) Marketing and Communications 

  

(a) Performance of a contract with you 

(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) 

  

Sensitive data 

- to ensure your health and safety in the workplace  
- to assess your fitness to work and  provide appropriate workplace adjustments 
- to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance 

your physical or mental health, or disability status 

(a) Performance of a contract with you, including to determine your rights and entitlements under share plan, pension plan, or other benefits schemes. 

(b) Necessary for our legitimate interests (to ensure a  healthy and productive workplace and team and to ensure meaningful equal opportunity monitoring and reporting) 

 

  

to carry out our obligations where it’s appropriate, required and lawful for the role and that we do so in line with our privacy standard 

Criminal convictions data 

- Necessary to comply with a legal obligation 

- Necessary for our legitimate interests (projects requiring roles with certain level of security clearance) 

 

3.2.5 Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.  

  

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

  

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

 

3.2.6 Automated Decision-Making 

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.  

 

We do not envisage that any decisions will be taken about you using automated means.  

This position might change if: 

- it is necessary to perform the contract with you, you have given explicit written consent, or it is justified in the public interest, and 

- appropriate measures are in place to safeguard your rights, and 

- you have been notified and given 21 days to request a reconsideration. 

 

3.3 Keeping your data secure 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

  

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

 

3.4 Disclosure, sharing and transfers 

3.4.1 Sharing with third parties 

We may pass your personal data on to third-parties where required by law or where they are contracted to help us fulfil the purposes above, such as individual consultants, accounting firms, solicitor firms, other service providers and other entities within our group of related Archangel companies.  

 

Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on our behalf . When they no longer need your data to fulfil this service, they will dispose of the details in line with Archangel’s procedures. ​Example of activities: payroll, pension administration, IT services, business restructuring.​ When they no longer need your data to fulfil this service, they will dispose of the details in line with Archangel’s procedures. 

 

If we wish to pass your sensitive personal data onto a third party, other than designated individuals within our group, we will only do so once we have obtained your consent, unless we are legally required to do otherwise. 

 

3.4.2 Safeguarding measures 

In addition to the security measures outlined above, any third parties that we may share your data with are obliged to: 

• keep your details securely using equivalent measures eg using authenticated access and/or data encryption as appropriate. 

• use them only to fulfil the service they provide you on our behalf.  

• dispose of the details in line with Archangel’s procedures when they no longer need your data to fulfil this service.  

 

3.4.3 International transfers 

Whenever we transfer your personal data out of the EEA, we also ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

  

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries. 

• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. 

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. 

 

3.5 Retention period 

Archangel will store the personal data for as long as necessary to fulfil the above purposes, to comply with legal obligations, such as information needed for income tax, accounting, legal, reporting, and audit purposes, and in the case of legal claims. 

• ​​Personal data about candidates not hired will be retained for 2 years (extendable) counting from your application date. If we wish to retain your personal information on file to consider you for future roles, we will seek a separate, explicit consent to retain your personal data for  a 2-year period on that basis. 

• ​Personal information of employees, including terms and conditions of employment, disciplinary records, reviews and annual leave records will be kept for seven (7) years after employment ends 

• ​The company will keep hold of employees’ PAYE, and Payroll records for seven (7) years after employment ends given the relevance to any pay disputes and as HMRC may request to see them in this time​ 

• Occupational Health records will be kept in a suitable form for a maximum of 12 years. 

 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements.  While following recommended practices on retention periods, personal data may be held in addition to these periods depending on individual business needs, ​as per our Retention of Records Procedure.​ 

 

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use and store such information indefinitely without further notice to you. 

 

3.6 Your duty and rights as a data subject 

3.6.1 Your duty  

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information ​changes during your application for work / your working relationship with us to meet our obligations as a prospective / current employer and other legal obligations such as right to work checks and supporting employees with disabilities.​  

 

​​If you fail or refuse to provide certain information when requested, we may not be able to  

• ​consider and process your application (such as evidence of qualifications or work history). For example, if we require references for this role and you fail to provide us with relevant details, we will not be able to take your application further 

• ​perform the contract we have entered into with you (such as paying you or providing a benefit) 

• ​complying with legal obligations (such as to ensure the health and safety of our workers).​ 

 

3.6.2 Overview of your rights 

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights: 

• Right of access (commonly known as a “data subject access request”)– you have the right to request a copy of the information that we hold about you. 

• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. 

• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records eg where there is no good reason for us continuing to process it or where you have exercised your right to object to processing.  

• Right to restriction of processing – to suspend the processing eg to establish the accuracy or the reason of processing your personal data. In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.  

• Right of portability – you have the right to have the data we hold about you transferred to another organisation. 

• Right to object – you have the right to object to certain types of processing such as direct marketing, automated processing, including profiling as well as to the legal effects of automated processing or profiling.  

• Right to judicial review: in the event that Archangel refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.6 below. 

 

​​If you would like to exercise any of these rights, please contact the HR team at hr@archangelautonomy.com. If you believe that the company has not complied with your data protection rights, you can complain to our Data Protection Officer.​ 

 

All of the above requests will be forwarded on should there be a third party involved (as stated in 3.4 above) in the processing of your personal data.  

 

No fees usually required 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 

 

3.6.3 Making Subject Access Requests 

Archangel at your request, can confirm what information we hold about you and how it is processed. If Archangel does hold personal data about you, you can request the following information:  

• Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU/UK.  

• Contact details of the data protection officer, where applicable. 

• The purpose of the processing as well as the legal basis for processing. 

• If the processing is based on the legitimate interests of Archangel or a third party, information about those interests. 

• The categories of personal data collected, stored and processed. 

• Recipient(s) or categories of recipients that the data is/will be disclosed to. 

• If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU and/or the UK has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information. 

• How long the data will be stored. 

• Details of your rights to correct, erase, restrict or object to such processing. 

• Information about your right to withdraw consent at any time. 

• How to lodge a complaint with the supervisory authority. 

• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data. 

• The source of personal data if it wasn’t collected directly from you. 

• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing. 

 

The best way to make a Subject Access Request is by filling in this form. Archangel will require ID verification prior to fulfilling such requests. Acceptable form of IDs are passport, driving licence, birth certificate. 

​

3.7 Getting in touch 

In the event that you wish to enquire, exercise your rights or make a complaint about how your personal data is being processed by Archangel (or third parties as described above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and Archangel’s data protection representatives Data Protection Officer. We would appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance. 

 

The details for each of these contacts are:  

​​UK Supervisory authority - Information Commissioner’s Office (ICO) 

​Address (Head office): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 

​Email / webchat / contact form: https://ico.org.uk/global/contact-us/  

​Telephone: 0303 123 1113 

​Website: www.ico.org.uk​ 

 

Data Protection Officer ​ contact details:. 

Email: privacy@archangelautonomy.com 

Telephone: +441865600415 

​