Data Protection Policy



When supplying the Services to the Customer, the Service Provider may gain access to and/or acquire the ability to transfer, store or process personal data of employees of the Customer.

The parties agree that where such processing of personal data takes place, the Customer shall be the 'data controller' and the Service Provider shall be the 'data processor' as defined in the General Data Protection Regulation (GDPR) as may be amended, extended and/or re-enacted from time to time.

For the avoidance of doubt, 'Personal Data', 'Processing', 'Data Controller', 'Data Processor' and 'Data Subject' shall have the same meaning as in the GDPR.

The Service Provider shall only Process Personal Data to the extent reasonably required to enable it to supply the Services as mentioned in these terms and conditions or as requested by and agreed with the Customer, shall not retain any Personal Data longer than necessary for the Processing and refrain from Processing any Personal Data for its own or for any third party's purposes.

The Service Provider shall not disclose Personal Data to any third parties other than employees, directors, agents, subcontractors or advisors on a strict 'need-to-know' basis and only under the same (or more extensive) conditions as set out in these terms and conditions or to the extent required by applicable legislation and/or regulations.

The Service Provider shall implement and maintain technical and organisational security measures as are required to protect Personal Data Processed by the Service Provider on behalf of the Customer.

Further information about the Service Provider's approach to data protection is specified in its Data Protection Policy, which can be found on application from our office. For any enquiries or complaints regarding data privacy, you can contact our Data Protection Officer at the following e-mail address: gary@rmuk.com.

Credit Reference and Affordability Checks

To help us assess applications, prevent fraud, and meet our legal and regulatory obligations, we may obtain information about you from credit reference agencies (CRAs).

We obtain this information via Creditsafe, which uses its data partner TransUnion to supply consumer credit and identity data.

  • Creditsafe Business Solutions Limited is authorised and regulated by the Financial Conduct Authority. FCA Firm Reference Number: 742313
  • TransUnion International UK Limited is authorised and regulated by the Financial Conduct Authority. FCA Firm Reference Number: 737740

The information we receive may include data relating to your identity, credit commitments, payment history, and public record information. This data is used solely for legitimate business purposes, including creditworthiness assessment, identity verification, and fraud prevention, in accordance with applicable data protection laws.

Further information about how Creditsafe and TransUnion process your personal data can be found in their respective privacy notices:

Purpose of Processing Personal Data 

 

Our organisation processes personal data only where necessary and for defined, lawful purposes. These purposes include: 

  • Delivering and supporting contracted services, including services that involve or support TransUnion data or systems.
  • Managing customer, supplier, and business relationships
  • Complying with applicable legal, regulatory, and contractual obligations
  • Supporting fraud prevention, identity verification, and risk management activities where applicable
  • Protecting the confidentiality, integrity, and availability of personal data through appropriate technical and organisational security measures
  • Managing system access, authentication, logging, monitoring, and audit activities
  • Detecting, preventing, and responding to security incidents, unauthorised access, or data breaches
  • Maintaining records required for governance, compliance, and accountability purposes.

Legal Basis for Processing Personal Data 

 

Personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Depending on the activity, we rely on the following lawful bases: 

  • Performance of a contract – where processing is necessary to deliver services or meet contractual obligations, including obligations involving TransUnion.
  • Legal obligation – where processing is required to comply with applicable laws, regulatory requirements, or statutory obligations.
  • Legitimate interests – where processing is necessary for legitimate business purposes such as system security, fraud prevention, risk management, audit, and compliance, and where such interests do not override the rights and freedoms of individuals.
  • Consent – where required by law, and where individuals have been provided with a clear choice and the ability to withdraw consent at any time.

Where legitimate interests are relied upon, appropriate assessments are conducted to ensure that the rights and freedoms of data subjects are protected. 

Our legitimate interests include operating our business, fulfilling contractual obligations, ensuring system and data security, preventing fraud, supporting audit and compliance activities, and protecting TransUnion data. These interests are balanced against the rights and freedoms of individuals, with appropriate safeguards in place. 

We may collect and process the following categories of personal data, as necessary to provide our services and meet our legal, contractual, and security obligations: 

 

  • Identity data – including name, date of birth, title, username, or other identifiers.
  • Contact data – including postal address, email address, telephone number.
  • Account and access data – including user IDs, login details, access permissions, and authentication information.
  • Professional or employment data – including job title, employer name, and business contact details.
  • Financial and transactional data – including payment details, billing information, and transaction records (where applicable)
  • Technical and usage data – including IP address, device information, browser type, operating system, access logs, and usage activity.
  • Security and audit data – including system logs, monitoring records, access records, and incident-related information.
  • Communications data – including correspondence, emails, and records of interactions with us.
  • Compliance and risk data – including records required for regulatory, audit, or due diligence purposes.

We may collect personal data about you from: 

  • you directly 
  • employers/clients when you apply for a role or are considered for an opportunity.
  • referees (where relevant and permitted)
  • publicly available sources (for example professional networking sites, business websites, and public records)
  • credit reference agencies (CRAs) where required for consumer credit, identity, or affordability checks.
  • third party service providers used to support recruitment, screening, and compliance processes.


We may transfer personal data to recipients or service providers located outside the UK and/or European Economic Area (EEA). 

 

Where such transfers take place, we ensure appropriate safeguards are in place to protect personal data in accordance with applicable data protection laws. These safeguards may include the use of approved standard contractual clauses, international data transfer agreements, or transfers to countries that have been recognised as providing an adequate level of data protection. 


The rights of data subjects, including:

a. Right of access

b. Right to rectification

c. Right to erasure (“right to be forgotten”)

d. Right to restrict processing.

e. Right to data portability

f. Right to object

Under UK data protection law, you have the following rights in relation to your personal data: 

• Right of access – You have the right to request a copy of the personal data we hold about you and information about how it is used. 

• Right to rectification – You have the right to request that inaccurate or incomplete personal data is corrected. 

• Right to erasure (“right to be forgotten”) – You have the right to request that we delete your personal data where there is no lawful reason for us to continue processing it. 

• Right to restrict processing – You have the right to request that we limit how we use your personal data in certain circumstances. 

• Right to data portability – You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transfer it to another organisation where technically feasible.

• Right to object – You have the right to object to the processing of your personal data where we rely on legitimate interests or where data is used for direct marketing. 


You have the right to complain to the UK Information Commissioner’s Office (ICO) or another relevant data protection authority if you are dissatisfied with how we manage your personal data. 


Provision of Personal Data 

 

Is the provision of personal data statutory or contractual? 

 

The provision of certain personal data is primarily contractual and, in some circumstances, required to meet legal and regulatory obligations. 

Personal data is required to: 

  • enter into and perform contracts with customers, suppliers, or business partners.
  • process orders, manage accounts, and deliver goods and services.
  • verify identity and prevent fraud; and
  • comply with applicable legal, regulatory, accounting, and tax obligations.

 

What are the consequences of not providing personal data? 

If you choose not to provide the personal data we request:

  • we may be unable to enter into a contract with you.
  • we may be unable to fulfil orders, supply goods, or provide services.
  • we may be unable to conduct necessary verification, compliance, or fraud prevention checks; and
  • as a result, our services may be delayed, restricted, or declined.

 

Where personal data is requested for optional purposes, such as marketing communications, providing this data is not mandatory, and you may withdraw your consent at any time without affecting your ability to receive goods or services from us. 

 

  1. Details of any automated decision-making or profiling, including meaningful information about the logic involved and potential consequences for the data subject.

Wording for privacy policy below based on which method is used. 


Based on this if they do NOT use Automated Decision Making 

Non-Automated Decision Making and Profiling

 

We may use automated systems and tools to support certain business processes, such as risk assessment, fraud prevention, affordability checks, identity verification, or record management. 

These tools may analyse personal data using predefined criteria or rules to generate indicators, scores, or recommendations. However, we do not make decisions that have a legal or similarly significant effect on individuals based solely on automated processing. Any such decisions are subject to meaningful human review. 

The use of these tools may influence the speed or level of review applied to an application or request, but individuals will not be subject to automatic rejection or adverse decisions without human involvement. 

 

Based on this if they DO use Automated Decision Making 

Automated Decision Making and Profiling 

 

In some circumstances, we may conduct automated decision-making or profiling using personal data. This involves the use of automated systems to evaluate certain information about an individual, such as risk factors, affordability indicators, or fraud signals, based on predefined rules or algorithms.

Where automated decision-making is used, it may result in decisions such as the approval, restriction, or rejection of an application or service.

Individuals have the right to request human intervention, to express their point of view, and to challenge decisions made solely by automated means. Further information about automated decision-making and how to exercise these rights can be obtained by contacting us using the details provided in this Privacy Policy.