Recruitment Privacy Policy

This privacy policy provides you with information about how we collect and use your personal data for recruitment purposes. It takes account of the General Data Protection Regulation (GDPR) and Data Protection Act 2018.


Hazlewoods follows six principles when dealing with your personal data. We will ensure it is:

  • processed lawfully, fairly and in a transparent manner
  • processed for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up-to-date
  • kept for no longer than is necessary; and
  • processed in a manner than ensures appropriate security

We operate these principles alongside our duty of confidentiality to you.

Back to top


2.1 This policy applies to job applicants and/or those that subscribe to our job alerts.

2.2 Where we have referred to other websites in this policy or elsewhere on our webpage which are run by third parties, visiting those websites may allow third parties to collect or share data about you. We have no control over these external websites or responsibility for the privacy policies they operate, and recommend you review their policies before submitting any personal data to them.

Back to top


3.1 Personal data is information that can be linked to a living individual.

3.2 A data controller can be an individual or an organisation. They decide what personal data to collect and how it will be used.

3.3 Processing data includes collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, aligning, combining, restricting, erasure or destruction of data.

Back to top


4.1 This policy is provided on behalf of the following firms which are registered as data controllers with the Information Commissioner’s Office (ICO):

  • Hazlewoods Financial Planning LLP
  • Hazlewoods Management Services Limited

4.2 The above firms and individuals are referred to collectively as ‘Hazlewoods’, ‘us’ or ‘we’, or ‘the firm’ in this policy.

Back to top


5.1 For data protection queries and to exercise your rights, you can contact us in these ways:

Post: Privacy queries, Hazlewoods, Staverton Court, Staverton, Cheltenham, Gloucestershire, GL51 0UX

Telephone: 01242 680000

Email: Our dedicated email address for data protection matters is

5.2 Hazlewoods does not have a Data Protection Officer. Our Technical Partner and our Finance and Administration Partner oversee data protection matters.

Back to top


6.1 The firm needs to process data as part of the recruitment process and to meet its obligations under relevant legislation. The data used in the recruitment process may be subsequently used for employment purposes if your application is successful.

6.2 In some cases, the firm needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an individual’s entitlement to work in the UK and to comply with health and safety laws.

6.3 In other cases, the firm has a legitimate interest in processing personal data before any employment relationship may develop.

6.4 Processing job applicant data allows the firm to, for example:

  • run recruitment and promotion processes, including providing job alerts
  • maintain accurate and up-to-date recruitment records and contact details
  • operate and keep a record of grievance and disciplinary processes
  • to plan for career development, and for succession planning and talent management purposes
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law
  • ensure effective general HR and other business administration
  • operate our website;
  • respond to and defend legal claims
  • conduct monitoring of IT and communication systems and operate CCTV

6.5 Some special category data, such as medical records and other information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities). We rely on these obligations as one of the processing conditions under data protection legislation to process this kind of data. See section 8.1.2.

6.6 Where the firm processes other special category data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to employment.

6.7 Certain information, such as your right to work in the UK, have to be provided to enable the firm to know whether it will be able to enter into a contract of employment with you. If you do not provide other information, this will hinder the organisation’s ability to administer the rights and obligations arising as a result of any subsequent employment relationship efficiently.

Back to top


7.1 Hazlewoods must have a lawful basis to process your personal data.

7.2 These are the bases we most often rely on:

7.2.1 Contractual The processing is necessary because you have asked us to take specific steps before entering into a contract of employment with us. This is regardless whether the contract negotiation successful, i.e. whether the recruitment process leads to you being employed by the firm. It also includes processing personal data where we ask you to take an assessment and the result leads to a solely automated decision about your application. We would be unable to carry out contract negotiations with you if you did not provide or we were unable to process your personal data under this lawful basis.

7.2.2 Legal obligation The processing is necessary for us to comply with the laws or regulations we are subject to (not including our contractual obligations). We would be unable to process your application if you did not provide or we were unable to process your personal data under this lawful basis.

7.2.3 Legitimate interests We also undertake processing in our legitimate interests or the legitimate interests of a third party. We check beforehand that this processing is not going to override your rights and interests. We rely on legitimate interests to allow us for example, to:

  • communicate with you or other relevant parties
  • undertake internal administration and management around recruitment matters
  • administer our website, and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
  • improve our website to ensure that content is presented in the most effective manner for you and for your computer
  • keep our website safe and secure, including the monitoring and enforcement of any terms in policies concerning use of our website
  • allow you to participate in interactive features of our website or services, when you choose to do so
  • ask you to complete and/or sign documentation online
  • facilitate meetings, seminars or other events we arrange with you and other business partners
  • carry out management planning, modelling and internal analysis
  • enhance and develop our business and services
  • support the development of data processors’ services and products
  • undertake benchmarking activity, quality and risk management reviews, and compile and issue associated reports
  • establish, exercise or defend legal claims
  • carry out CCTV monitoring and maintain records of who has entered our premises
  • take photos or capture video footage of events and activities

7.2.4 Consent We may ask your consent in specific circumstances. We may be unable to process or continue with your application if you did not provide consent, as we could not process the personal data. We may seek consent from you to share your personal data with other parties, which are not identified under the other lawful bases we use.

We ask you to consent to the use of cookies when using our website. More information about cookies can be found in section 9 of this policy, along with how to withdraw your consent.

Back to top


8.1 We deal with two kinds of personal data as defined under the legislation.

8.1.1 Personal data

This is information that can be linked to a living individual. The firm collects and processes a range of information about you. This includes, for example:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the firm;
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
  • information about your nationality and entitlement to work in the UK;
  • details of your proposed schedule (days of work and working hours) and attendance at work;
  • details of forthcoming periods of leave which will need to be taken by you, including holiday, sickness absence, family leave or other absences, and the reasons for the leave;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • psychometric testing outcomes for recruitment purposes.

8.1.2 Special category data (also referred to as sensitive personal data)

Hazlewoods seeks this kind of data in limited circumstances. It should not be provided to us unless specifically requested or required. Although often described as information about your physical and mental health, this category of data also covers personal data referring to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; sexual orientation and health, along with genetic data and biometric data. Information about medical or health conditions, includes whether or not you have a disability for which the firm would need to make reasonable adjustments. Equal opportunities monitoring information includes information about your ethnic origin, sexual orientation and religion or belief. As well as needing a lawful basis, we must follow an additional rule (processing condition) to process special category data. Hazlewoods most often uses the following processing conditions:

Where you have given your explicit consent for us to use it. You can withdraw this consent at any time, by contacting us using any of the contact details in section 5 of this policy. Without this consent we may be unable to advise you in part or in full, or provide services which require this information to be used. We may also be unable to meet your requirements when attending a meeting, seminar or other event we have arranged;
Where we need to use this data for the establishment, exercise or defence of legal claims; 
Where substantial public interest applies;
Where such data has been manifestly made public by you.
Where there is public interest in the area of public health and we are following the advice given by the Government’s public health advisers.
Please see Appendix 1 regarding the processing of special category personal data during a pandemic or emergency situation. This may also include providing your contact details and other necessary data as part of any test and trace procedure. 
To protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (such as a medical emergency).

Hazlewoods may draw upon other processing conditions listed in data protection legislation. Criminal conviction data is not classed as special category data under this legislation. However, Hazlewoods relies on a similar set of similar processing conditions if it is necessary to process this kind of data. 

8.1.3 If you are providing us with information about other individuals, you should make them aware that we will be processing their personal data

8.1.4 Photos and video recording

We may take photographs and/or make video recordings of the events, including fundraising activities, that we arrange, facilitate or are involved in, and which you attend or participate. This material may be used by us or business partners, and/or distributed in social media in order to publicise this event.

If you would prefer not to be included in these photos or videos, please inform us prior to the start of the event or otherwise make us aware at the time.

We operate CCTV monitoring at our premises for safety and security purposes.

As part of our recruitment procedures, we may receive video presentations from individuals interested in working with Hazlewoods. We use these video presentations in our initial assessment of an individual’s suitability for a role with us. This material is not shared outside Hazlewoods without the individual’s consent.

Back to top



9. SOURCES OF DATA including our website and cookies information

9.1 The firm may collect information about you in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; or through interviews, meetings or other assessments.

9.2 In some cases, the firm may collect personal data about you from third parties, such as references supplied by former employers, educational institutions, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

9.3 We will also obtain personal data from you when you, for example:

  • enquire about any aspect of our business or vacancies, or wish to interact with us
  • correspond with us via our website, by phone, e-mail or otherwise
  • participate in, seminars or other events (including fundraising activities) we arrange
  • fill in forms on our website and submit information to us
  • participate in other social media functions on our website, or otherwise connect to our website via online social media platforms
  • report a problem with our website, provide other feedback or make a complaint to us
  • enter a competition, promotion or survey
  • visit our offices; or
  • use the wi-fi network in our offices

Our website and cookies.

When you visit our website, it is set up to collect some information about you automatically, this may include:

  • technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, device, operating system and platform; and
  • information about your visit, including the full Uniform Resource Locators (URL), real time information, clicks made through and from our site (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and where you visited our page from (such as search engines and social media)

Our website uses cookies to distinguish you from other users of our site. This helps us to provide you with a better experience when you browse our site and also allows us to improve our site. Cookies are usually a string of numbers and/or letters that a website transfers to your hard drive. The cookies enable the website to ‘remember’ you, either for the duration of your visit (session cookies) or for repeat visits (persistent cookies).

The most common kinds of cookies we use are :

  • Strictly necessary cookies – these cookies are essential to enable you to navigate around websites securely and to provide you with services you have specifically requested.
  • Functionality cookies – these cookies enhance the functionality of websites by storing your preferences. For instance, they can remember your name and location, if you provide this information.
  • Performance cookies – these cookies improve the performance of websites. For instance, they help pages load more quickly.
  • Online behavioural cookies – these cookies store information about your behaviour online, such as your browsing history. For instance, they help us tailor the advertising we show to you.

Most web browsers automatically accept cookies but, if you prefer, you can change your browser settings to prevent this. Cookies can be managed through the browser menu and are commonly referred to as ‘preferences’, ‘privacy’ or ‘security’.

You are not obliged to accept cookies, however, you may not be able to take full advantage of our site or use certain functions if you disable them.

We will also collect location information from you e.g. your IP address when completing or signing documentation online. Such online signing applications (sometimes called e-signature), capture your signature electronically on documents connected with the recruitment activity work we undertake with you and related parties, and record details of the date, time and location (IP address) of the signature made. You might be asked or choose to complete other fields or provide additional information when using these applications.

9.4 We may obtain or receive information about you from third parties and publicly- available sources, such as

  • family and other associates
  • professional advisers
  • analytics providers
  • publicly-available databases, such as Companies House or details on a company website
  • social media sites.

9.5 Data will be stored in a range of different places, including in your personnel file, in the firm’s HR management systems and in other IT systems (including the firm’s email system).

Back to top


10.1 Depending on the nature of the activity being undertaken, the lawful basis and purpose of processing, we may need to share your personal data between the Hazlewoods data controllers listed at the beginning of this policy, suppliers and others involved in the running of the firm or with whom we need to deal. These parties are subject to data protection legislation and principles. We will usually have notified you of the sharing of your data with these parties. However, certain legislation may prevent us from doing so. Many of these parties both receive personal data from us and provide it to us.

10.2 Your information may be shared internally, including with members of the HR and recruitment team, health and safety representatives, the relevant manager or managers in the recruitment activity, directors, partners and IT staff if access to the data is necessary for performance of their roles.

10.3 The firm shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third- party providers and obtain necessary criminal records checks from the Disclosure  and Barring Service.

10.4 Other parties may include:

  • analytics providers
  • social media sites, including those associated with fundraising activities
  • social event organisers, venues and websites
  • providers of technical, payment and delivery services
  • HM Revenue & Customs, other Government agencies and departments
  • law enforcement agencies and courts
  • solicitors, accountants, auditors and other professional advisers
  • banks and other financial institutions
  • agents and representatives
  • credit reference and fraud prevention agencies
  • providers of credit reference or fraud prevention services
  • quality assurance assessors and other business consultants
  • our insurers 
  • business gift and hospitality providers 
  • data processors

10.5 Furthermore, we will disclose your personal information:

10.5.1 in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets, or their advisers.

10.5.2 if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about job applicants will be one of the transferred assets.

10.5.3 if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of Hazlewoods LLP or Hazlewoods Financial Planning LLP, Hazlewoods Management Services Limited, our clients, or any other third parties.


Hazlewoods has a legal obligation to follow prevailing anti-money laundering legislation and takes steps to prevent fraud. It is also in our legitimate interests to do so.

Consequently, we are required to obtain satisfactory evidence to confirm your identity at such times as we consider necessary. In order to verify personal information provided by you we may undertake searches via an independent third party: SmartCredit Limited, otherwise known as ‘Smartsearch’. You can find their privacy policy here. In turn, Smartsearch works with credit references about which you can find information here: Equifax and TransUnion You may be contacted by Smartsearch to assist us with our anti-money laundering checks. Smartsearch works with credit reference or fraud prevention agencies. The process will include checking the information against any database (public or otherwise) to which they have access. The agencies may record details of such a search and may disclose your information and the fact that a search was made to their other customers, to assist companies for verification purposes or in assessing the risk of giving credit, to prevent fraud and money laundering, and to trace debtors. The searches do not impact your credit rating.


Where data sharing takes place between Hazlewoods and others, where both or all parties are independent data controllers, our approach is described in this section of our policy. We may apply an exemption to this section, for example we will not seek a warranty from data controllers such as HMRC and other similar organisations. 

We warrant, and require all other data controllers associated with any agreed data sharing to warrant, that:

We shall each be considered an independent data controller in relation to personal data, unless otherwise agreed in writing between us. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of personal data. Sharing of the data does not imply any consent (explicit or otherwise), permission or confirmation has been received from the data subjects, provider or processor of the data that the data can be used in any particular way. Each party will make its own assessment of what it is permissible for them to do with the data under data protection legislation. 

Personal data will only be disclosed between parties where each party warrants that:

  • the necessary information has been provided to the relevant data subjects regarding its use (this may include the use of this privacy policy for this purpose) where legislation requires such notification be made
  • there is a lawful basis for sharing the personal data with and between us; and
  • all the necessary requirements under the data protection legislation have been compiled with to permit the data sharing to take place
  • We shall only process the personal data shared with or between parties as per this privacy policy, which includes the application of appropriate technological and organisational measures and of necessary safeguards when transferring data outside the UK

We shall only process the personal data shared with or between us for the agreed purpose(s).

In respect of personal data shared with or between us, provided that we are legally permitted to do so, we shall notify the relevant other data controller(s) in the event that:

  • we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of our processing of their personal data
  • we are served with an information, enforcement or assessment notice (or any similar notices), or receive any other material communication in respect of our processing of the personal data from a supervisory authority as defined in the data protection legislation (for example in the UK, the Information Commissioner’s Officer (ICO)); or
  • we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction, loss, unauthorised disclosure or alteration of, the personal data

Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the services provided to clients, the holding of events, or for any other agreed purpose(s), in accordance with the engagement letter or other documentation with them in relation to those services.

Where we agree that we will be acting as joint data controllers, as defined under GDPR as ‘Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers’ we will agree the necessary steps to meet the requirements under data protection legislation if the parties consider they are not covered by the above wording. This may include stating a central point of contact for all relevant data subjects.

Where Hazlewoods has agreed to provide access to an application, platform or other means to share data and documentation, Hazlewoods will be advised immediately when that access is no longer required or needs to be removed. Any login information and passwords linked to such access will be retained securely and not shared with any other party.

Back to top


13.1 Where we are appointing any individual or organisation to process your personal data on our behalf (otherwise known as ‘data processors’), they may only do so for specified purposes and according to our written instructions. Hazlewoods seeks confirmation of the processor’s IT security arrangements and whether personal data is processed outside the European Union. Some data processors may use anonymised or pseudonymised data for research, statistical or survey purposes, or to enable ongoing development of their services or products.

Back to top


14.1 Where possible, we or our appointed data processors will process your personal data within the European Union (EU). If your personal data does need to be transferred outside the EU, we ensure appropriate safeguards are in place to ensure that your data is properly looked after.

14.2 We ensure personal data is adequately protected and take into account:

14.2.1 Where the UK Government has decided that a country, a territory or one or more specific sectors in a country, or an international organisation, ensures an adequate level of protection. 

14.2.2 Other safeguards available to us under data protection legislation to transfer data internationally, such as Standard Contractual Clauses. Further details can be provided upon request.

Back to top


15.1 We operate a series of security measures concerning access to our offices and our systems. The level and extent of each individual measure may vary, but can include, for example:

15.2 Access controls to buildings, systems and, where appropriate, individual IT applications; anti-virus and malware prevention; breach logging; encryption; equipment/access logs; horizon scanning; arranging back-up copies of personal data; penetration testing, system monitoring and system updates (e.g. patching).

15.3 For applications running on our in-house systems, we operate a back-up facility as contingency. Our back-up data is held off-site within the UK.

15.4 We have a Business Continuity Plan (BCP) in place which is tested periodically. The BCP covers for example: Business continuity and disaster, recovery management strategy and policy; key contacts and crisis management team members; triggers for invoking and revoking plans; roles and responsibilities; communication plans– internal and external, including with service providers and IT suppliers; specific threat plans.

15.5 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our systems, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.

15.6 The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us or vice-versa; any transmission is at your own risk.

15.7 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site or any other website we direct you to as part of our recruitment activity, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.

Back to top


16.1 In line with data protection principles, we only keep your data for as long as we need it for.

16.2 If your application is unsuccessful and we have sought your consent to keep your data on file for future job opportunities and you have provided consent, we will keep your data for twelve months once the recruitment process ends. At the end of this period, we will delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon withdrawal of consent.

16.3 If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy policy for employees, which will provided to you if appropriate.

16.4 The timescales for the retention of your personal data and related documentation are subject to various legal, regulatory or contractual requirements, which will reflect the purpose and lawful basis for processing the data.

Back to top


17.1 Data protection legislation provides the following legal rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to enquire about any automated decision making and profiling we undertake concerning your application.

We may use your personal data in automated decision making as part of our recruitment processes. For example, you may need to answer initial questions or complete an online test before being invited to attend a telephone or face-to-face interview. If you do not meet the minimum requirements for the position you are applying for, complete the test or do not reach the required pass mark, this will mean that we are unable to proceed with shortlisting you for an interview or continue processing your application.

The personal data you submit as part of any psychometric or other assessment may subsequently be used by the provider for research purposes, but the data will be anonymised or aggregated so that no individual can be identified.

17.2 You can exercise your rights at any time by contacting us using any of the contact details at the beginning of this policy. More information is available from the Information Commissioner’s Office website

17.3 Some rights can only be exercised under certain circumstances. If we are unable to comply with your request for any reason, we will contact you to explain our reasoning.

Back to top


18.1 Hazlewoods aims to deal efficiently with any query or to resolve any complaint you might have about how we handle your personal data.

18.2 Your right to complain

18.2.1 If you consider we have processed your data in a way that infringes the legislation, you have the right to complain to the Information Commissioner’s Office. Their contact details are:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


19.1 The content of this privacy policy may change periodically.

19.2 Each version of the policy will be uniquely referenced.

Back to top


Appendix 1

Hazlewoods is required to have an appropriate lawful basis for processing the personal data and/or Special Category Data (e.g. health information) (SCD) collected from individuals relating to Covid-19. This approach would also apply to other pandemics or emergency situations. The identification of lawful bases and processing conditions is noted below.

  Is this lawful basis applicable to Hazlewoods? Additional steps/comments
Legitimate interests – re business continuity management and the well-being of individuals who it needs to deal with.   COVID-19 is a pandemic disease. The nature of the data being collected is going to be minimised, kept secure and not shared beyond the personnel who need to deal with it.

Hazlewoods does not believe that processing such data would outweigh the interests or fundamental rights and freedoms of individuals.

The processing would be necessary for dealing with legal claims against us.

We also rely on legitimate interests to contact others about non-contractual matters. This would include the holding of contact data for those whom individuals would wish us to contact in an emergency.

For SCD, Hazlewoods also needs to identify an appropriate processing condition Is this processing condition applicable to Hazlewoods?  
Public interest in the area of public health.  Yes Hazlewoods is following the advice given by the Government’s public health advisers. This may also include providing your contact details and other necessary data as part of any test and trace procedure.
Additional lawful basis and processing condition re legal claims   Hazlewoods relies on the legitimate interests lawful basis and the legal claims processing condition to process relevant special category data in this instance.