Privacy Statement

Recruitment privacy notice for prospective employees

As part of our recruitment processes, Hafod collects, stores, and processes personal data about job applicants. We are committed to protecting your privacy and personal data, and are therefore transparent regarding the data we collect, how the data are collected, where the data are stored, and how the data are processed. The following notice details all of the above, setting out our obligations under both the General Data Protection Regulations 2016/679 (“GDPR”) and the Data Protection Act 2018 (“DPA”).

It applies to all individuals who apply for any position with Hafod

The data we collect

Information we collect from you

  • Basic personal details including but not limited to your name, email address, contact number(s), postal address
  • Work eligibility details and details relating to spent or unspent convictions
  • Documents or other information you provide as part of the application process including but not limited to CVs, covering letters, application forms and assessments. These documents may contain information on your employment history, academic qualifications/history, professional training/certifications, skills, and experience
  • Application details including but not limited to the source of your application, the date/time, the role(s) you applied for, and Equal Opportunities responses
  • Records of electronic communications, including but not limited to the content and attachments of emails

Information we collect or generate about you

  • Publicly available data including but not limited to your professional social networks (primarily LinkedIn, but also Facebook and similar networks)
  • Job application progress including but not limited to the stages you complete as part of the recruitment process, interview dates/times, records of interviews including information provided such as notice period or salary details, interview notes/feedback, assessment feedback, and job offer or rejection details

How the data is collected

Personal data may come from a combination of any of the following sources:

  • Information you provide on application forms, or through documentation you send such as CVs or covering letters, in email and telephone conversations with our colleagues, and in interviews or assessments, either in person or online
  • Information we collect from publicly available sources online
  • Information we generate following your interactions with our colleagues, systems, and processes
  • Information provided by third parties, such as recruitment agencies, or via referrals or references (references are not sought without your express prior permission, and typically happen at the point of offer)

How the data is stored

All personal data provided, collected, generated, or obtained will be shared with Blue Octopus, a cloud based applicant tracking system, engaged by us to help manage our recruitment, selection and on-boarding processes.

We take appropriate measures to ensure that all personal data is kept secure, including security measures to prevent personal data from being accidentally lost, or used or accessed in an unauthorised way. Within Hafod, we limit access to your personal data to those who have a genuine need to access it: the HR, recruitment team, the hiring managers for the role in question, interviewers or assessors for the role in question, and members of the executive team in the directorate in which the role sits (note that there may be overlap between the people in those positions). Occasionally, members of other directorates may be involved in stages of the selection process, where there is a reason for their involvement, for example the role being recruited may work closely with another directorate. Those processing your personal data will do so only in an authorised manner, and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of electronically transmitted data. Any transmission therefore remains at your own risk.

How the data is processed

Lawful basis for processing

Our lawful basis for the collection and processing of your personal data is for taking steps to enter into a contract of, or for, employment or services with you. We rely on legitimate business interest as the lawful basis on which we collect and use your personal data, specifically in the instances of collecting references and running background checks.

Purposes of processing

We use information held about you in a number of ways, including but not limited to:

  • Considering your application in respect of the role for which you have applied
  • Considering your application in respect of other roles at Hafod, both at present and in the future (see How Long We Keep Your Personal Data below for more information on our data weeding and retention policy)
  • Communicating with you in respect of any recruitment processes
  • Enhancing any information that we receive from you with information collected, generated, or obtained throughout our recruitment processes
  • To help Hafod improve the effectiveness and efficiency of our recruitment systems and processes

Rights of access, correction, and erasure

Under the GDPR, you have a number of important rights, including the right to access the personal data we hold about you, and to request corrections or partial/full erasure. We have taken steps to ensure speedy compliance with any such request.

All personal data held by Hafod about you is stored in Blue Octopus, our recruitment system. Functionality exists within the system to export all data relating to specific individuals. This functionality is only employed in the event an individual explicitly requests access to, or a copy of, the personal data we hold about them. The file includes personal information (name, email address, postal address, title etc.), application details (the role you applied for, when, via what channel, information submitted on the application form, work eligibility status etc.), recruitment progress (status, stage, interviewers/assessment reviewers, feedback from those dealing with your application, rejection reasons, offer details etc.), and any documents submitted, or subsequently provided or obtained. In the event you make an explicit request to access this data, Hafod will generate the abovementioned data file and share this with you within 30 days of the request.

In order to correct any inaccuracies in your personal data held by Hafod, you must make an explicit request to us, clearly indicating which information is in need of amendment, along with the correct information to take its place. Hafod will act on personal data correction requests within five working days of receipt, and send a confirmation email to you upon resolution of the issue/s.

In order to request partial or full erasure of your personal data, you must make an explicit request to us. In the event you desire a partial erasure, you must clearly indicate which data points you would like to be erased. If you do not clearly indicate which data points you would like to have erased in a partial erasure, we reserve the right to delete all personal data we hold about/on you. Hafod reserves the right to escalate any partial erasure request into a full erasure at our discretion; you will be notified of this outcome via email immediately before the erasure if we opt for the escalation. In the event you desire a full erasure, you must clearly indicate this in your request. Hafod will act on partial and full erasure requests within five working days of receipt, however, no confirmation email will be sent following the completion of the request.

Please note that your right to have your personal data erased is not an absolute right, and we reserve the right to refuse such a request, where there is an appropriate legal justification for doing so. For example, we must retain candidate/application data for a period of six months following a rejection notice. You will be notified accordingly in the event we are unable to process your data erasure request.

If, at any point, you would like to make a request for access, correction, or erasure of your personal data held by Hafod, you should email, providing enough information for us to be able to identify you in our system and carry out your request.

How we process your data for roles outside of your formal application

From time to time following your initial engagement with our recruitment processes, we may decide to consider your application for another role at Hafod. This may occur:

  • At the time of your original application when, following an initial review of your application, we conclude you would be better suited to a different opportunity currently vacant at Hafod
  • At some point after your original application, when we chose to reactive your status as a candidate and make you aware of a new opportunity in future
  • If you are not offered but it is apparent from interview that you have the necessary skills for the role, a reserve list may be drawn up so that if a vacancy occurs for a post requiring similar skills within a maximum of 6 months of the interview date, an offer of employment may be made with or without undertaking a further selection process

In either scenario, our Recruitment Team will inform you of this decision, and you will have the opportunity to confirm your interest in the new role or to decline our consideration. Equally, the abovementioned rights of access, correction, and erasure will remain open to you for as long as we hold your personal data.

How long we keep your personal data

We will retain all personal data relating to your engagement/s with our recruitment team for at least six months and one week from your last interaction with our staff, processes, and/or systems (the date of the last email you sent to us, the date of your last interview etc. whichever occurs latest). In all cases, the absolute maximum amount of time we will retain your personal data after the recruitment for the role applied for has been archived will be 12 months and one week.

These retention periods, as well as consent to retain personal data for the extended period, is tracked in Blue Octopus. Functionality exists within the system to automate the erasure of all personal data that could be used to identify the individual/s in question; including any documents they may have submitted as part of any recruitment process they were involved in. For the purposes of reporting on and improving the effectiveness and efficiency of our recruitment systems and processes, we retain a handful of personal data points about you (such as the stage you reached in the process, and the overall reason you were rejected), however, none of these data points are personally traceable to you.

In order to have your personal data deleted ahead of the deadline, you must notify the recruitment team of your desire according to the instructions outlined in the Rights of Access, Correction, and Erasure section above.

How to Complain

We hope that we can resolve any query or concern you raise about our use of your personal data, however, if you are not satisfied with our processes or approach, the GDPR gives you the right to file a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, live, or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or on 0303 123 1113.

You may also be able to claim compensation for damages caused by a breach of the GDPR or DPA. For further information on your rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office.

Contacting Hafod

If you have any questions, queries, or issues relating to our recruitment policies and processes, or how they relate to our adherence to both the GDPR and DPA, then please contact