Privacy Notice – Prospective, Current and Past Staff Members

Privacy Notice – Prospective, Current and Past Staff Members

Tony Gee and Partners LLP (Company No. OC316614) of Hardy House, 140 High Street, Esher, Surrey KT10 9QJ is the controller and responsible for your personal data (collectively referred to as Tony Gee, we, us or our in this Privacy Notice).

This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this Privacy Notice.

We are committed to protecting the privacy and security of your personal information.

Purpose

This Privacy Notice describes how we collect and use personal information about you before, during and after your working relationship with us, in accordance with the UK General Data Protection Regulation (UK GDPR). It applies to all members, employees, workers, contractors and applicants, including unpaid ‘work experience’ participants. Where different terms apply to applicants this is outlined in the boxes below.

Where you are an applicant applying to work for us this privacy notice makes you aware of how and why your personal data will be used, namely for the purposes of recruitment, and how long it will usually be retained for.

This notice does not form part of any contract of employment or other contract to provide services. We may update this privacy notice from time to time. If we make material changes, we will change the date on this notice and, in some cases, we may provide additional notice (such as adding a statement to our homepage or sending you a notification).

It is important that you read and retain this notice, together with any other privacy statement we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using that information and what your rights are under the data protection legislation.

In addition, Tony Gee collects and processes data relating to the marketing and business operations of the company. Please refer to the separate Privacy Notice – Marketing and Business Operations.

Contact Details

If you have any questions about this Privacy Notice or our privacy practices, please contact our Data Protection Lead in the following ways:

Full name: Natalie Thurley

Email address: DataProtection@tonygee.com

Postal address: Hardy House, 140 High Street, Esher, Surrey KT10 9QJ

Telephone number: 01372 461600

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Data protection principles

We will comply with data protection law, which says that the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way;
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and kept up to date;
  • kept only as long as necessary for the purposes we have told you about; and
  • kept securely

What information does Tony Gee collect?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the person’s identity has been removed (anonymous data).

There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health, sexual orientation or criminal convictions.

We will collect, store and use the following categories of personal information about you:

  • personal contact details such as name, title, addresses, telephone numbers and personal email addresses;
  • date of birth, gender and a staff profile photograph;
  • the terms and conditions of your employment;
  • proof of your qualifications, including certificates;
  • your compensation history, including past and present salary, bonuses and entitlement to financial benefits such as pensions or insurance cover;
  • details of your bank account, national insurance number, payroll records and tax status information;
  • information about your driving qualifications and record, including driving licence checks which will reveal any current convictions;
  • information about your marital status, next of kin, dependants and emergency contacts, and we will retain some of their personal data too, including names and contact details;
  • proof of your entitlement to work in the UK, e.g. passport and work permit if applicable;
  • details of your scheduled days of work and working hours and actual working hours, e.g. timesheet system;
  • details of your arrival and departure at company locations, e.g. door logs / security system;
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • start date and, if different, the date of your continuous employment;
  • leaving date and your reason for leaving;
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • employment records, assessments of your performance, including appraisals, skills profile, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence including job titles, work history, training records, professional memberships and professional development records;
  • information to enable accident reporting;
  • logging of computer information and communications systems use, including monitoring aspects of communications sent and received;
  • location of employment or workplace;
  • copy of driving licence;
  • copy of private motor insurance documents (which may contain personal information) when you use a private vehicle for company business;
  • recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
  • CCTV footage and other information obtained through electronic means such as swipe card records;
  • photographs; and
  • results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied.

We may also collect, store and use the following more sensitive types of personal information:

  • information about your race or ethnicity, religious beliefs, sexual orientation;
  • information about criminal convictions and offences;
  • information about trade union memberships;
  • drugs and alcohol test results; and
  • information about your health, including any medical condition and sickness records, including:
    • where you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill health, injury or disability, the records relating to that decision;
    • details of any absences (other than holidays) from work including time on statutory parental leave and sick leave;
    • any health information in relation to a claim made under the permanent health insurance scheme;  and
    • where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions purposes.
  • any dependant’s information processed for the purposes of setting up cover on the company benefit plans, for example private medical and travel insurance

For applicants:

In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:

  • your full name, postal address, email address and telephone number(s);
  • information about your education, qualifications, skills, experience and employment history including start and end dates;
  • information about your current level of remuneration, including benefit entitlements;
  • any information that you may provide to us as part of your CV and covering letter; and
  • any information you provide to us in an application form and during an interview.

We may also collect, store and use the following types of more sensitive personal information:

  • information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
  • information about your health, including any medical condition, health and sickness records; and
  • information about criminal convictions and offences.

How does Tony Gee collect your data?

We collect personal information about members, employees, workers, contractors and applicants in a variety of ways, for example, from CVs or resumes; through application forms; from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, we collect personal data about you from third parties, such as employment agencies, background check providers, credit reference agencies or former employers, and information from criminal records checks permitted by law.

We may also collect personal information from the trustees or managers of pension arrangements operated by us.

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

For applicants:

We collect personal information from the following sources: You, the applicant; recruitment agencies; background check providers; credit reference agencies; Disclosure and Barring Service in respect of criminal convictions; and your named referees

Why does Tony Gee process personal data?

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • where we need to perform the contract we have entered into with you;
  • where we need to comply with a legal obligation;
  • where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • where we need to protect your interests (or someone else’s interests);
  • where it is needed in the public interest or for official purposes.
Purpose / Activity Basis for processing
Making a decision about your recruitment or appointment To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Running onboarding and promotion processes To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Determining the terms on which you work for us To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Determining whether your engagement is deemed employment for the purposes of Chapter 10 of Part 2 of the Income Tax (Earnings and Pensions) Act 2003 (ITEPA 2003) and providing you with a status determination statement in accordance with the applicable provisions of ITEPA 2003 To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Checking you are legally entitled to work in the UK To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs) To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties To allow us to perform our contract with you

To enable us to comply with legal obligations
Liaising with the trustees or managers of a pension arrangement operated by us, your pension provider and any other provider of employee benefits To allow us to perform our contract with you

To pursue legitimate interests
Administering the contract we have entered into with you To allow us to perform our contract with you

To pursue legitimate interests
Maintaining accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Business management and planning, including accounting and auditing To allow us to perform our contract with you

To pursue legitimate interests
Conducting performance reviews, managing performance and determining performance requirements To allow us to perform our contract with you

To pursue legitimate interests
Assessing qualifications for a particular job or task, including decisions about promotions To allow us to perform our contract with you

To pursue legitimate interests
Operating and keeping a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace including gathering evidence for possible grievance or disciplinary hearings To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Making decisions about your continued employment or engagement To allow us to perform our contract with you

To pursue legitimate interests
Making arrangements for the termination of our working relationship To allow us to perform our contract with you

To pursue legitimate interests
Education, training and development requirements To allow us to perform our contract with you

To pursue legitimate interests
Operating and maintaining an accurate record of employee skills, knowledge and experience to ensure suitable work is allocated to staff, and to permit us to demonstrate staff competence to clients To allow us to perform our contract with you

To pursue legitimate interests
Dealing with legal disputes involving you, or other members, employees, workers and contractors, including accidents at work To allow us to perform our contract with you

To pursue legitimate interests
Ascertaining your fitness to work To allow us to perform our contract with you

To pursue legitimate interests
Managing sickness absence including operating and keeping a record of absence and absence management procedures, to allow effective workforce management and ensure that members, employees etc. are receiving the pay or other benefits to which they are entitled To allow us to perform our contract with you

To pursue legitimate interests
Obtaining occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meets its obligations under health and safety law, and ensure that members, employees etc. are receiving the pay or other benefits to which they are entitled. To allow us to perform our contract with you

To pursue legitimate interests
Complying with health and safety obligations To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
To prevent fraud To allow us to perform our contract with you

To pursue legitimate interests
Monitoring your use of our information and communication systems to ensure compliance with our IT policies To allow us to perform our contract with you

To pursue legitimate interests
Ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution To allow us to perform our contract with you

To pursue legitimate interests
Conducting data analytics studies to review and better understand employee retention and attrition rates To allow us to perform our contract with you

To pursue legitimate interests
Operating and keeping a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that members, employees etc. are receiving the pay or other benefits to which they are entitled To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Ensuring effective general HR and business administration To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Providing references on request for current or former members and employees To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Responding to and defending against legal claims To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests
Equal opportunities and diversity monitoring To allow us to perform our contract with you

To enable us to comply with legal obligations

To pursue legitimate interests

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

Where we rely on legitimate interests as a reason for processing data, we have considered whether those interests are overridden by the rights and freedoms of members, employees or workers and have concluded that they are not.

How Tony Gee uses particularly sensitive personal information

Some special categories of personal data, such as information about health or medical conditions, and in rare circumstances, your political opinions, are processed to carry out employment law obligations (such as those in relation to members and employees with disabilities and for health and safety purposes).

Some special categories of personal data, such as the results of drugs and alcohol testing, are processed to enable the business to meet its contractual obligations with clients and to accredited industry bodies, as well as protecting you and others from harm.

Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that we use for these purposes are anonymised and/or are collected with the express consent of employees, which can be withdrawn at any time.  Members and employees are entirely free to decide whether to provide such data and there are no consequences of failing to do so.

We may be given information about trade union membership as part of our disciplinary process, when employees are allowed to invite trade union reps to meetings or hearings, but this data would not be stored anywhere other than within the notes of such meetings.

We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit written consent;
  • where we need to carry out our legal obligations or exercise rights in connection with employment;
  • where it is needed in the public interest, such as for equal opportunities monitoring;
  • where it is necessary to protect you or another person from harm.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

In general, we will not process particularly sensitive personal information about you unless it is necessary for performing or exercising obligations or rights in connection with employment. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. The situations in which we will process your particularly sensitive personal information are listed below.

  • We will use information about your physical or mental health, or disability status, to:
    • ensure your health and safety in the workplace;
    • assess your fitness to work;
    • provide appropriate workplace adjustments;
    • monitor and manage sickness absence; and
    • administer benefits including statutory maternity pay, statutory sick pay, and pensions and permanent health insurance.
  • We need to process this information to exercise rights and perform obligations in connection with your employment:
    • if you apply for an ill-health pension under a pension arrangement operated by us, we will use information about your physical or mental health in reaching a decision about your entitlement;
    • if we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional wellbeing;
    • we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation to ensure meaningful equal opportunity monitoring and reporting;

Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.

Information about criminal convictions

We envisage that we will hold information about criminal convictions. We may only use information relating to criminal convictions where the law allows us to do so. This is usually where that processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information during your time working for us, for example, if you are put forward to be part of the team working on a project which requires national security vetting. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

For applicants:

We will use the personal information we collect about you to:

  • take steps at your request prior to entering into a contract with you.
  • assess your skills, qualifications, and suitability for the role;
  • carry out background and reference checks, where applicable;
  • communicate with you about the recruitment process;
  • keep records related to our hiring processes; and
  • comply with legal or regulatory requirements.

It is in our legitimate interests to decide whether to appoint you to role since it would be beneficial to our business to appoint someone to that role.

We also need to process your personal information to decide whether to enter into a contract of employment with you.

We also have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm an applicant’s suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

We process health information if we need to make reasonable adjustments to the recruitment process for applicants who have a disability. This is to carry out our obligations and exercise specific rights in relation to employment.

For some roles, we are obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.

Who has access to data?

We may have to share your data with third parties, including third-party service providers and other entities in the Tony Gee group.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the UK.

If we do, you can expect a similar degree of protection in respect of your personal information.

Data is stored in a range of different places, including in your personnel file, in the HR and payroll management systems and in other IT systems, including the Tony Gee email system.

Access to your personal data is permission controlled. Your information will be shared internally, including with members of the HR and payroll team, the Executive Board, managers in the business area in which you work and IT staff, if access to the data is necessary for performance of their roles.

We may share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service.

We also share your data with third parties that process data on our behalf, in connection with payroll, the provision of benefits, the provision of occupational health services, the provision of outsourced IT services and software, and the provision of training and accreditation services.

We may share limited personal data, such as name, job title, qualifications and experience with third parties in the process of winning work for the business.  We will process such data as part of our statutory duty to ensure that designers working on projects are competent, and may share it to demonstrate this to clients.  The information shared with third parties will be no more than that on the standard company corporate ‘CV’ documents (which a member of staff can view at any time), unless specific consent is obtained.

When might Tony Gee share personal information with other entities in the group?

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data. We will share personal data relating to your participation in any share plans and pension arrangements operated by us or any group company with other entities in the group for the purposes of administering the share plans and pension schemes.

Transferring information outside the UK

Your data may be transferred outside the UK to our offices based in China, United Arab Emirates, Malaysia, Australia and Canada. Data is transferred outside the UK on the basis of specified relevant safeguards e.g. declaration of adequacy, binding corporate rules or other safeguards, and are linked to relevant documents or information if possible, such as an International Data Transfer Agreement.

How does Tony Gee protect data?

We take the security of your data seriously. There are internal policies and controls in place to protect the security of your information. Further details are set out in the Data Protection Policy and Procedure and the Record of Processing Activity schedule.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure. Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions and are under a duty of confidentiality. They are obliged to implement appropriate technical and organisational measures to try to ensure the security of data and to process it in accordance with your rights.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

For how long does Tony Gee keep data?

We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Data Retention Policy which is available from the HR Department.

To determine the appropriate retention period for personal data, we consider:

  • the amount, nature and sensitivity of the personal data;
  • the potential risk of harm from unauthorised use or disclosure of your personal data;
  • the purposes for which we process your personal data and whether we can achieve those purposes through other means; and
  • the applicable legal requirements.

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use that information without further notice to you. Once you are no longer an employee, worker or contractor of the company, we will retain and securely destroy your personal information in accordance with our Data Retention Policy.

For applicants:

We will retain your personal information for a period of 12 months after we have communicated to you our decision about whether to appoint you to a role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information.

Your legal rights

As a data subject, you have a number of rights. You can:

  • Request access to your personal information (commonly known as a data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you would like to exercise any of these rights, please contact the Data Protection Lead (as defined above).

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Lead. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

What if you do not provide personal data?

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

For applicants:

You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

Automated decision-making

Recruitment processes and employment decisions are not based solely on automated decision-making.

What will we do if anything changes?

We reserve the right to update this privacy notice at any time. Changes to our Privacy Notice will be posted here. Where the changes are significant, we may also email those affected by the updates.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Last reviewed: May 2025