KEYSIGMA Candidate Privacy Notice

Revision 1 – 29/05/2026
POL-010

1. At a glance

KEYSIGMA (key Sigma Ltd) uses candidate personal data to manage recruitment, assess suitability, communicate with applicants, make recruitment decisions and complete checks required for employment.

We do not sell candidate data. We do not use candidate data for unrelated marketing unless you have specifically agreed to this. We normally keep unsuccessful candidate records for up to 12 months after the recruitment decision, unless a longer period is justified.

Candidates should avoid including unnecessary sensitive personal data in CVs, cover letters or messages, such as health information, family circumstances, religion, ethnicity, trade union membership or criminal offence information, unless it is relevant to the recruitment process or a reasonable adjustment request.

2. Purpose of this notice

This Candidate Privacy Notice explains how KEYSIGMA collects, uses, stores and protects personal data during the recruitment process. It applies to individuals who apply for roles with KEYSIGMA, are considered for work opportunities, attend interviews, communicate with us about vacancies, or are otherwise involved in our recruitment and selection process.

KEYSIGMA is committed to handling candidate personal data fairly, lawfully and transparently, and in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.

3. Who we are

KEYSIGMA is the controller of the personal data we process about candidates during recruitment. If you have any questions about this notice or how your personal data is used, you can contact us at:

Email: info@keysigma.co.uk
Postal address: Suite 2, Chargrove House, Shurdington Road, Cheltenham, Gloucestershire, England, GL51 4GA

4. What personal data we collect

We may collect and use the following types of personal data during recruitment:

| Category | Examples |
| --- | --- |
| Identity and contact details | Name, address, email address, phone number |
| Application information | CV, cover letter, application form, employment history, education history, qualifications, skills, professional memberships |
| Recruitment information | Role applied for, application date, interview notes, assessment results, scoring, shortlisting decisions, communications with you, salary expectations, notice period, availability |
| Right to work and eligibility information | Right to work status, proof of identity, work eligibility documentation |
| Reference information | Referee details, employment references, character references where applicable |
| Background check information | Information required for pre-employment checks, such as DBS or other screening checks where relevant to the role |
| Reasonable adjustment information | Information you provide about adjustments needed for interview, assessment or the recruitment process |
| Online or publicly available information | Publicly available professional information, such as LinkedIn profile information, where relevant and proportionate to the role |
| Technical and system data | Emails, message metadata, applicant tracking records, Indeed or recruitment platform records, audit logs and system activity where applicable |

We may also collect personal data from third parties, such as recruitment platforms, referees, background check providers, professional networking sites, previous employers, education providers, or publicly available sources.

5. Recruitment platforms, including Indeed

We may receive applications through recruitment platforms such as Indeed.

If you apply through Indeed, Indeed will process your personal data under its own terms and privacy notice. Once KEYSIGMA receives your application, KEYSIGMA is responsible for how it uses that application data for recruitment purposes.

Your agreement to a recruitment platform’s terms and conditions covers your relationship with that platform. It does not remove KEYSIGMA’s responsibility to explain how we use your personal data once we receive it.

6. Special category data

7. Reasonable adjustments

If you ask us to make reasonable adjustments during the recruitment process, we will use the information you provide to assess and implement appropriate adjustments.

Access to this information will be restricted to those who need it for recruitment and adjustment purposes. We will only use reasonable adjustment information for the purpose of supporting your participation in the recruitment process, unless we are legally required to use it for another purpose.

8. Criminal offence data and background checks

Some roles may require background checks, such as DBS checks or other pre-employment screening. We will only carry out DBS or other background checks where they are relevant, necessary and proportionate for the role, and usually only at the appropriate stage of the recruitment process.

Criminal offence data may include information about criminal convictions, offences, allegations, proceedings, security measures, or the absence of convictions.

Where criminal offence data is processed, KEYSIGMA will ensure that it has an appropriate lawful basis and a condition under the Data Protection Act 2018. Access to this information will be restricted.

Unless there is a specific and documented reason to retain more detailed information, KEYSIGMA will usually retain only a minimal record of the check, such as the type of check, date completed, reference number, decision outcome and verifier.

9. References

We may request references as part of the recruitment process.

We will usually only contact referees once you have been shortlisted or offered a role, unless we tell you otherwise. We will only ask for information that is relevant and proportionate to the role and recruitment decision.

10. Why we use candidate personal data

We use candidate personal data for the following purposes:

  • to manage the recruitment process;
  • to assess your suitability for a role;
  • to communicate with you about your application;
  • to arrange and conduct interviews or assessments;
  • to verify information provided in your application;
  • to check your right to work in the UK;
  • to obtain references where appropriate;
  • to carry out role-specific background checks where required;
  • to make recruitment decisions;
  • to prepare an offer of employment or engagement;
  • to keep records of the recruitment process;
  • to respond to queries, complaints or recruitment challenges;
  • to comply with legal, regulatory and employment obligations;
  • to improve our recruitment processes and maintain appropriate records.

11. Lawful basis for processing

We rely on different lawful bases depending on the recruitment activity.

| Processing purpose | Lawful basis |
| --- | --- |
| Receiving and reviewing applications | Legitimate interests and/or steps prior to entering into a contract |
| Assessing suitability, shortlisting and interviewing candidates | Legitimate interests and/or steps prior to entering into a contract |
| Communicating with candidates about applications | Legitimate interests and/or steps prior to entering into a contract |
| Making an offer of employment or engagement | Legitimate interests, steps prior to entering into a contract |
| Checking right to work | Legal obligation |
| Carrying out role-specific pre-employment checks | Legal obligation, legitimate interests, and/or employment law obligations depending on the check |
| Obtaining references | Legitimate interests and/or steps prior to entering into a contract |
| Retaining recruitment records for a limited period | Legitimate interests, including defending legal claims and maintaining recruitment records |
| Processing reasonable adjustment information | Legal obligation, employment law obligations and/or substantial public interest where applicable |
| Equality, diversity and inclusion monitoring | Legitimate interests and/or substantial public interest, where applicable; data should be anonymised or separated where possible |
| Keeping candidates in a talent pool for future vacancies | Consent |

We do not rely on consent for standard recruitment processing. Where we ask for consent, for example to keep your details for future vacancies, you can withdraw that consent at any time.

12. Third-party services

We may use third-party service providers for recruitment administration, background checks, communication, document signing, email, file storage or HR administration. These may include recruitment platforms, background check providers, email providers, e-signature tools, cloud storage providers and HR systems. We will only share candidate personal data with third parties where there is a valid reason to do so and appropriate safeguards are in place.

13. Who we share candidate personal data with

We may share candidate personal data with:

  • internal HR, recruitment, management and interview staff;
  • hiring managers and interview panel members;
  • referees and previous employers where appropriate;
  • recruitment platforms, such as Indeed;
  • background check providers, such as DBS or screening service providers where relevant;
  • IT, email, cloud storage and HR system providers;
  • e-signature providers where offer documents or contracts are signed electronically;
  • legal advisers, insurers, auditors or professional advisers where necessary;
  • regulators, courts, tribunals, government bodies or law enforcement where required by law.

We will only share personal data where there is a valid reason to do so and will limit sharing to what is necessary.

14. International transfers

Some of the systems or service providers used in recruitment may process personal data outside the UK.

Where personal data is transferred outside the UK, we will ensure that appropriate safeguards are in place where required, such as adequacy regulations, standard contractual clauses, the UK International Data Transfer Agreement, or other lawful transfer mechanisms.

15. How long we keep candidate personal data

We will not keep candidate personal data for longer than necessary.

| Data type | Retention period |
| --- | --- |
| Unsuccessful candidate applications, CVs, interview notes, messages and recruitment records | Up to 12 months after the recruitment decision |
| Successful candidate recruitment records | Transferred to the employee HR/personnel file and retained in accordance with the employee HR retention schedule |
| Talent pool records | Retained only for the period explained when opt-in is obtained, or until consent is withdrawn |
| Right to work records for successful candidates | Retained for the duration of employment and 2 years after employment ends |
| DBS certificate information, where applicable | Usually no longer than 6 months after the relevant recruitment or employment decision, unless exceptional circumstances justify longer retention |
| Minimal background check audit record | Retained in accordance with KEYSIGMA’s HR retention schedule where justified |

Unsuccessful candidate applications, CVs, interview notes, messages and recruitment records are normally retained for up to 12 months after the recruitment decision, then deleted unless there is a documented reason to retain them longer, such as a complaint, dispute, legal claim, recruitment challenge or legal hold.

Successful candidate recruitment records are transferred to the employee HR/personnel file and retained under KEYSIGMA’s HR retention schedule.

Where personal data is no longer required, it will be deleted, anonymised or securely destroyed.

16. How we protect candidate personal data

We use appropriate technical and organisational measures to protect candidate personal data, including:

  • restricting access to staff who need the information for recruitment purposes;
  • using secure systems and access controls;
  • limiting downloads and local copies;
  • using secure storage locations;
  • applying appropriate retention and deletion controls;
  • reviewing access to recruitment systems;
  • training staff on data protection and confidentiality;
  • securely deleting or anonymising records when no longer required.

17. Your rights

You have rights under data protection law. Depending on the circumstances, these may include the right to:

  • access your personal data;
  • request correction of inaccurate personal data;
  • request deletion of personal data;
  • restrict processing;
  • object to processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • complain to the Information Commissioner’s Office.

Some rights may be limited where we need to retain or process information for legal, recruitment, regulatory or dispute-related reasons.

18. How to contact us

If you have any questions about this notice or wish to exercise your data protection rights, please contact:

Email: info@keysigma.co.uk
Postal address: Suite 2, Chargrove House, Shurdington Road, Cheltenham, Gloucestershire, England, GL51 4GA

19. Complaints

If you are unhappy with how we handle your personal data, please contact us first so that we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office, the UK supervisory authority for data protection.

ICO website: www.ico.org.uk

20. Changes to this notice

We may update this Candidate Privacy Notice from time to time. The latest version will be made available to candidates during the recruitment process.