Recruitment Privacy Notice

Cherwell Software Limited Recruitment Privacy Notice

  1. What is this policy about?

    Cherwell Software Limited (“the Company/we/us”) needs to obtain and keep certain information about candidates to allow it to offer recruitment services.  Laws about data protection set out rules on how personal information relating to individuals is obtained, processed, disclosed to others and transferred outside of the EU.  We are committed to complying with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (known as GDPR) and any subsequent national data protection laws which in due course replaces or amends the DPA and GDPR. 

    This notice explains the types of information which we hold about candidates and your rights in relation to that information.

  2. What type of information is covered by data protection laws?

    The law protects all information which relates to an individual i.e. personal data. 

    Some information is considered special information because it relates to race or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or sexual life or includes biometric information.  Such sensitive information is given special protection. Similar additional safeguards are also applied to information about criminal allegations, proceedings and convictions and associated security measures (which we call a criminal record in this notice).

  3. Principles of Data Protection

    The Company will ensure that it complies with the data protection principles:-

    1. fair, lawful and transparent processing of information;
    2. processing for specified, explicit and legitimate purposes;
    3. information is adequate, relevant and limited to what’s necessary for the purpose for which it is obtained or maintained;
    4. information is accurate and kept up to date, with inaccurate information being corrected or deleted promptly;
    5. information is not kept for any longer than is necessary;
    6. all information is kept securely;
    7. information will not be transferred outside of the EU unless appropriate safeguards are in place.

    “Processing” means collecting, recording, organising, structuring, storing, changing, retrieving, using, sharing, limited access to and deleting.

  4. Types of personal information held about you and from whom it is obtained

    Application stage

    Initially, we will receive details set out in your CV and contact details either directly from you uploading them via the careers section of our website or from job boards, for example CW jobs and Totaljobs, on which you have posted your CV or from LinkedIn. Please do not include any of the following details in your CV: date of birth, marital status, nationality, racial/ethnic origin, religion or a photograph – none of these characteristics are relevant to the decision as to whether you have the skills and experience to perform a particular role. 

    We may hold information about any disabilities which you tell us about, particularly if you would like adjustments made to the recruitment process or the role.

    If we receive information about you from someone else, such as a job board or LinkedIn, we will send you a copy of this privacy notice as soon as possible.  

    We will only create a profile for you in our applicant tracking system, Greenhouse, once you have confirmed that you are interested in talking to us about a potential role with us. On receipt of your application we will contact you to obtain further information such as salary expectations, your availability to start work, previous interaction with us, why you are interested in the role, why you think that you would be a good candidate, quota attainment in previous jobs (for sales roles) and details of your greatest accomplishments in previous roles.

    As part of our recruitment vetting process we engage a background checker. We are currently reviewing background check providers and will update this notice once we have engaged a new provider.  As part of the background check details of any unspent criminal records will be provided to us.  Before the background check is undertaken you will be asked for your express consent to a check of any criminal record.


    We will retain notes of interviews which we conduct.  We also retain copies of all emails which we exchange with you during the recruitment process.

    Following a successful interview, further information will need to be collected about you. This includes checking that you are legally entitled to work in the UK, obtaining proof of your qualifications and obtaining references from your referees.

    Successful candidates

    If you are offered a position with us you will be sent an offer letter and contract of employment and asked to provide further information such as bank details and emergency contact details. At this point you will be sent a further Privacy Notice which applies to the information we hold about our staff.

    We do not make any decisions based on automated decision making i.e. an electronic system uses personal information to make a decision without any human involvement.

    Please refer to our Cookie Policy at for details of how we use cookies.

  5. The lawful basis for processing information about you

    We are processing the majority of your information for our legitimate interests of seeking suitably qualified candidates to work for us and for your legitimate interests in offering you relevant work opportunities.  As explained above, we seek your express consent to hold details of any criminal record.

    We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will tell you and we will explain the legal basis which allows us to do so.

  6. Storing your information

    We use the Greenhouse applicant tracking system during the recruitment process. Further information from Greenhouse about GDPR is available on their website:; here is a link to their Privacy Notice:

  7. Keeping your information up to date

    You need to help us to ensure that the information which we hold about you is up to date and correct so as soon as any details change (such as your address, phone numbers, email addresses, details of next of kin) you should tell your recruiter immediately.

  8. Sharing your personal information

    Internally, within the Cherwell Group, we will limit access to the majority of your personal information to colleagues who need to know the information to be able to perform their role such as members of the Talent team and HR teams.

    As we have explained above we store your information on Greenhouse.

    We may share some of your personal information with other people outside of the Company where this is required by law (e.g. an audit of our records), or where we have a legitimate business interest (such as with our external HR consultant or legal advisors).

    Where we share your personal information with external service providers we protect it by requiring those service providers to take appropriate security measures to protect your personal information in line with our policies. We also tell our external service providers that they can only use your personal information for the purpose of providing the service to us and not for their own purposes. We only allow them to process your personal information for specified purposes and in accordance with our instructions.

    We may also need to share your personal information with a regulator or to otherwise comply with the law.

  9. Transfer of your personal information out of the EU

    Within the EU all businesses have to protect personal information in the same way as employers do in the UK.  However, outside of the EU data protection laws vary from country to country, some have similar laws to the EU, others have very different laws.

    We will only transfer your personal information outside of the EU where there is adequate protection for your information or where it’s necessary for the performance of your employment contract/contract for services or for legal claims.  

    We may transfer your personal information to the United States.  The US and EU have agreed a mechanism which allows the transfer of personal information between the US and countries in the EU which is compatible with EU data protection law – it’s called the Privacy Shield. Our parent company has agreed to comply with the Privacy Shield which means that there is an adequate level of protection of your personal data when we share it with our parent company.

    Greenhouse is a US based company and so your information is held by Greenhouse on servers hosted in the US.

  10. Security

    A very important part of looking after the personal information which we hold about you is ensuring that it’s secure.

    We have considered how to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed inappropriately.  We have put in place measures to achieve these objectives. 

    All information about you will be held on secure databases or in locked filing cabinets.

    However, data transmission over the internet and email cannot be guaranteed to be entirely secure. As a result, we cannot guarantee the security of your information and submission of information to us is therefore at your risk.

  11. Breach of security

    If we discover that our security measures have failed and this results in personal information being lost, destroyed, corrupted or disclosed or someone accessing the information or passing it on without proper authorisation, we will assess the risk that such a breach may have on you.  If the breach will result in a high risk of a negative impact for you we will tell you and we will tell the Information Commissioner

  12. Deleting your personal information

    If your application was not successful, we will delete your information within 6 months of us notifying you that your application was unsuccessful.

    If your application is successful, you will be sent our Staff Privacy Notice which sets out more detail about the length of time for which we will hold your information. Generally speaking we will hold your information for up to 7 years after your employment with us ends.

  13. Your Rights

    You have the following rights in relation to the personal information which we hold about you:

    1. Right to withdraw consent

      Where you have consented to us processing your personal information, you are entitled to withdraw that consent at any time.  If you wish to do so, please contact explaining which information you are referring to. We will stop processing this particular personal information as soon as possible after receiving your withdrawal. You will not be penalised in any way for withdrawing consent to undertaking a background check. However, we will not be able to progress your application as it will involve the processing of information about criminal records for which we need express consent to be able to process it lawfully.

    2. Right to object including to direct marketing

      Even if you have agreed to us contacting you for marketing purposes, you may object to us processing your personal information for direct marketing purposes at any time.  You may object to being contacted in a particular manner in which case let us know which ways you are happy to be contacted (e.g. by email) and which means you are not happy with us using (e.g. text message)  If you do object, we will stop processing your personal information as requested immediately.

      You have the right to object, for reasons relating your particular situation, to us processing your personal information where we are processing your personal data for reasons of our legitimate interests (including profiling).  When we receive any objection to processing on this ground, we will restrict access to the relevant information (see paragraph e) below while we assess whether our legitimate interests override your objection.  If we can demonstrate that they do or the information is needed for legal claims, we are allowed to continue to process your personal information; otherwise we will stop processing it.  Where we are processing your data for other reasons such as compliance with our regulatory obligations we will continue to hold as much information as we need to in order to satisfy those obligations.

      If you wish to object to us processing information about you for any of the above purposes please contact

    3. Right of access – data subject access request

      This is commonly known as a "data subject access request" or simply a “subject access request”. The purpose of a subject access request is for you to know about the personal information about you which we hold and to check that we are lawfully processing it.

      Usually we will not charge you a fee for providing a copy of the information which you request but we may charge an administrative fee if you ask for further copies of the information or if your request is manifestly unfounded or excessive, in particular if it is repetitive. 

      Alternatively, if the request is unfounded or excessive we may refuse your request. If we refuse your request, we will explain why to you and you will have the right to complain to the Information Commissioner (whose details are set out below).

      Before we provide copies of your personal information we need to be sure that the person making the request is actually you.  Therefore, we may ask for further information to confirm that you are the person making the request, particularly if the request comes from a personal email account which is unfamiliar to us or by an unsigned letter or from someone who says that they are acting on your behalf.

      We have to protect other people’s personal information which means that we may have to remove or cover up information in a document before we can give you a copy.  We also have to protect confidential information and intellectual property and so we may remove any information for these purposes.

      We will respond to any data subject access request within one month unless your request is complex or numerous in which case we may extend the timeframe for our response up to a total of 3 months from the date of your request so long as we tell you within the first month and explain why we need the extra time.

      If you email us, your request we will provide electronic copies of the requested information.

      If you wish to make a subject access request, please contact  Please be specific in your request.  If you make a very general request, we may ask you to specify which information you would like to see.

    4. Right to request correction

      If you think that any personal information about you which we hold is incorrect or incomplete you have the right to request that the information is changed. If you wish to correct any information we hold about you, please contact If we disagree that the information is incorrect, we will tell you why. In that scenario, we have the right to retain the information and you can ask us to add a supplementary statement. 

      While we are assessing whether the information is incorrect or incomplete we will restrict the information (see paragraph f below for further details).

      If we have provided incorrect or incomplete information about you to someone else, we will update the information following your request to correct the information.

      We will respond to your request within one month unless your request is complex in which case we will respond within 3 months.

    5. Right to request deletion – so called “right to be forgotten”

      In the following situations you have the right to have your personal information deleted:

      1. Where the personal information is no longer necessary for the purpose for which it was originally collected/processed;
      2. When we have asked you for consent to process your information and you have withdrawn that consent;
      3. When you object to the processing (see paragraph d below) and there is no overriding legitimate interest for continuing the processing;
      4. When the personal information was unlawfully processed; or
      5. When the personal information has to be erased in order to comply with a legal obligation.
    6. Right to restrict processing

      If you tell us that you think some personal information we hold about you is incorrect or incomplete or you object to us processing your personal information for reasons of our legitimate interests (including profiling), we will restrict access to the relevant personal information while we assess whether or not it is incorrect/incomplete or whether we are allowed to continue processing your personal information. This means that we will continue to store the relevant personal information but we won’t use it for any other purposes.

      If we no longer need the information but you need it for legal claims you may ask us to restrict access to it rather than delete it.

      If we have previously provided the restricted information to someone else, we will, where possible, ask them to also restrict the information.

    7. Right to transfer of your information

      Where you have provided information to us and we are processing it via automated means either based on your consent or for the performance of your employment contract/contract for services, you have the right to request that the information is provided to you, or to someone else, in a commonly used electronic form.

                  We will not charge you for the transfer of your information.

      We have to protect other people’s personal information which means that we may have to remove some information before transferring your information. 

      We will respond to any request to transfer your information within one month unless your request is complex or numerous in which case we may extend the timeframe for our response up to a total of 3 months from the date of your request so long as we tell you within the first month and explain why we need the extra time.

      If you wish us to provide such information to you in this manner please contact

      If we do not transfer your information following a request for you to do so, we will tell you why as soon as possible and at least within one month of your request. You would have the right to complain to the Information Commissioner (whose details are set out below).

      1. Contact information

        Cherwell Software Limited, 100 Longwater Avenue, Reading, RG2 6GP tel: 01793 544888 is the company which processes personal information about you (known as the “data controller”).

        We have appointed Jason Chlebus as our Data Protection Officer. Jason can be contacted on 00 1 719 362 8633 or If you have any queries relating to your personal information or your responsibilities with respect to other people’s personal information please contact Jason.

        The Information Commissioner is the UK supervisory authority with responsibility for data protection. Various ways of contacting the Information Commissioner are detailed on their website: You can complain to the Information Commissioner at any time.

      2. Date of and changes to this notice

    We can refuse your request if the information is needed for current or potential legal claims.

    If we have provided the information about you which you wish to be deleted, to someone else, we will, where possible, ask them to also delete the information.

    If you wish to request that some information relating to you is deleted, please contact

This policy is dated 25 May 2018.


We reserve the right to update this notice at any time. We will post updates to this notice on our website and send you an updated copy of material changes. We may also notify you in other ways from time to time about the processing of your personal information.