Job Applicant
Privacy Notice (policy)

last updated: 09.05.2025.

This Privacy Notice explains who we are, how and why we collect, store, share and use your personal information, and how you can exercise your rights.

NormCyber Limited (‘NormCyber’, ‘we’, ‘us’, and ‘our’) is committed to respecting and protecting the privacy of individuals and to fully complying with all the requirements of the UK GDPR and all other applicable data protection laws and regulations.

If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided elsewhere in this Privacy Notice.

 

Data Protection Officer

We have appointed a Data Protection Officer (DPO). If you wish to contact our DPO you can do so via: dpo@normcyber.com

This Privacy Notice applies to our job applicants/candidates.

 

What is personal information?

Personal information is anything that enables you to be identified or identifiable. Personal information is also called “personal data”. We collectively refer to handling, collecting, protecting, storing or otherwise using your personal information as ‘processing’.

You do not have to provide any of your personal information to us, but if you do not provide all the information we ask for, we may not be able to consider your application/candidacy.

 

Collecting (obtaining) your Personal Information

Most of the personal information we process is provided to us directly by you because you have applied for a job, position or role with us.

We may also obtain your personal information indirectly, such as from:

  • Public registers/records.
  • Social

 

Purpose for Processing Personal Information

Our purpose for processing this information is to assess your suitability for a job, position or role you have applied for and to help us develop and improve our recruitment process.

 

Lawful bases (legal grounds) for Processing Personal Information

We will collect personal data from you on one or more of the following lawful bases:

  • Consent: We may process your personal information after you have consented (agreed) to us doing Your consent may have been obtained by us, or by third parties on our behalf. You have the right to withdraw your consent at any time.
  • Contract: We may process your personal information when we need to enter into a Contractual Agreement with you.
  • Legal obligation: We may process your personal information when we need to comply with a legal obligation.
  • Legitimate interest: We may process your personal information when we need to for our or another’s legitimate interests, where these interests are not overridden by your rights.

The lawful bases we rely on for processing your personal data are consent, contract and our legitimate interest.

If you provide us with any information about reasonable adjustments you require under the Equality Act 2010 the lawful basis we rely on for processing this information is our legal obligations.

The lawful basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious, sexual orientation or ethnicity information is article 9(2)(b) of the UK GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights.

The additional DPA 2018 processing conditions we rely on are Schedule 1 part 1(1) which again relates to processing for employment purposes and Schedule 1, part 2 paragraph 6 – statutory etc purposes.

We process information about applicant criminal convictions and offences. The lawful basis we rely on to process this data is Article 6(1)(f) for the purpose of our legitimate interests. In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1 (1)(a).

 

Using your Personal Information

We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us.

We’ll use the contact details you give us to contact you to progress your application. We may also contact you to request your feedback about our recruitment process. We’ll use the other information you provide to assess your suitability for the role.

We may share your personal information with third parties (other organisations or individuals). We use data processors who are third parties which provide elements of services for us (see ‘Do we use any data processors?’ below).

We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct them to.

These third parties may use subcontractors (also known as sub-processors) that have access to your personal data.

It is our policy to only share your personal information with third parties that are legally or contractually bound to protect your personal information to the same standards as we are, and that will flow those same standards to their subcontractors.

In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share your personal information.

We will not sell your personal information to any third party.

 

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it may affect your application if you don’t.

We will use any feedback you provide about our recruitment process to develop and improve our future recruitment campaigns.

 

Application stage

We ask you for your personal details including name and contact details. We’ll also ask you about previous experience, education, referees and for answers to questions relevant to the role. Our recruitment team will have access to all this information.

You will also be asked to provide equal opportunities information. This is not mandatory – if you don’t provide it, it won’t affect your application. We won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics. This information may also be shared with external equality and diversity auditors.

 

Assessments

We may ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes.

If you are unsuccessful after assessment for the role, we may ask if you would like your details retained in our talent pool. If you say yes, the lawful basis we will rely on to process your details will be article 6 (1)(a), your consent. We will contact you should any further suitable vacancies arise.

 

Conditional offer

If we make a conditional offer of employment, we’ll carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

  • Proof of your identity –we’ll take copies
  • Proof of your qualifications –we’ll take copies
  • A criminal records declaration to declare any unspent convictions
  • We’ll also ask you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service which will verify your declaration of unspent convictions, on occasion we will need to carry out more advanced Depending on your role, we may also require you to obtain Security Clearance, and provide additional personal information to do so.
  • We’ll contact your referees, using the details you provide in your application, directly to obtain references
  • We’ll ask you to complete a questionnaire about your health to establish your fitness to work
  • We’ll also ask you about any reasonable adjustments you may require under the Equality Act 2010. This information will be shared with relevant staff to ensure these are in place for when you start your employment

If we make a final offer, we’ll also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work

 

How we make decisions about recruitment

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process.

You can ask about decisions on your application by speaking to your contact in our recruitment team.

 

Sharing your Personal Information

We may share your personal information with third parties (other organisations or individuals) for:

  • The purpose(s) for which the information was
  • As agreed between

We share personal information with third parties that act as data processors to provide elements of our service by processing personal information on our instructions (see ‘Data Processors’ below).

We may share your personal information with third parties in connection with our corporate transactions, (e.g., mergers and/or acquisitions), as a result of which your personal information may be assigned to a third party.

We may share your personal information with law enforcement, regulatory and other government agencies and professional bodies, as required by and/or in accordance with applicable law or regulation.

In some circumstances we are legally obliged to share information. For example, under a court order.

It is our policy to only share your personal information with third parties that are legally or contractually bound to protect your personal information to the same standards as we are, and that will flow those same standards to their subcontractors.

In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share your personal information.

We will not sell your personal information to any third party.

 

Data processors

We may use several processors to provide elements of our recruitment service for us.

 

Transfers of your personal information to outside the UK

Your personal information may be transferred (sent) outside the UK. Any such transfer will be only:

  • To you; or
  • To a recipient located in a country which provides an adequate level of protection for your personal information, (i.e., a country where the data protection standards are the same or better than in the UK), for example, a country in the European Union (EU), or European Economic Area (EEA); or
  • To a recipient under a contractual agreement which satisfies UK legal requirements for the transfer of personal information, to ensure that appropriate safeguards are in place to protect your personal information in accordance with UK levels of data protection; or
  • To a recipient under the UK-US Data Bridge; or
  • When your personal information has first been anonymised The countries/areas to which we may transfer personal data* are:

EU/EEA: To a recipient located in a country which provides an adequate level of protection for your personal information.

*This does not mean that your personal data will definitely be transferred to any of these countries.

For more information about transfers of your personal information to outside the UK please contact us.

Retention (Storage) of Personal Information

If you are unsuccessful after assessment for the role, we may ask if you would like your details retained by us. If you say yes, the lawful basis we will rely on to process your details will be article 6 (1)(a), your consent. We will contact you should any further suitable vacancies arise.

We may retain your personal information for up to 12 months or until you revoke your consent.

 

Your data protection rights:

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access: You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.

Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. You can read more about this right here.

Your right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

If you wish to exercise any of your rights please contact us.

 

Security

We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data. Please be aware that, we cannot guarantee the security of all personal information transmitted to or by us.

 

Social Media

We use the following social media platform(s):

  • LinkedIn
  • X
  • Instagram

We may use these social media platform(s) to process your personal data for some of the purposes set out elsewhere in this Privacy Notice.

 

Automated Decision Making

We will not use your personal information for automated decision making or profiling

 

Visiting our premises

If you visit our premises you may be asked to provide your name and other personal information for security and safety reasons.

 

CCTV

Closed-circuit television (CCTV) operates at our premises for security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

 

Wi Fi

We provide Wi-Fi on site for the use of visitors. We’ll provide you with the address and password. We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited duration and date sent/received. The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

 

Our contact details

We can be contacted as follows:

  • Email: dpo@normcyber.com
  • Phone: 020 3666 0918
  • Post: NormCyber Limited, Arena Business Centre, Lancaster Court, 8 Barnes Wallis Road, Fareham, PO15 5TU

 

Cookies

We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set and are not deleted by the tool. For information about the cookies and any other similar technologies we use, please see our cookies policy.

 

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us and we’ll respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s office (ICO), the UK supervisory authority (data protection regulator). Please follow this link to see how to do that.

 

Updating

We may update this Privacy notice at any time by publishing an updated version here. So that you know when we make changes, we will amend the revision date at the bottom of this page. The new modified or amended privacy policy will apply from that revision date.