Reference: POL 05
Version: 1
Issue Date: 10/10/2025
Approved: MD

Redcone Recruitment Limited

GDPR Policy

1: Introduction

1.1 Policy Overview

Redcone Recruitment is committed to ensuring that all personal data is collected, processed, stored, and shared in full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Data Protection Act 2018, and all other applicable UK laws and regulations. This policy outlines the company’s approach to handling personal data, ensuring privacy rights are upheld, and establishing robust data protection mechanisms in line with our commitment to transparency, integrity, and legal compliance.

As a traffic management recruitment agency and subcontractor, Redcone Recruitment collects and processes personal data related to employees, job applicants, subcontractors, suppliers, and clients. This policy sets out the principles and guidelines that the company will follow to ensure the lawful, fair, and secure handling of all personal data.

1.2 Objective

The objective of this GDPR Policy is to ensure that Redcone Recruitment:

  • Protects the privacy of individuals whose personal data it
  • Complies with GDPR requirements and other relevant UK data protection
  • Ensures that personal data is processed lawfully, fairly, and
  • Implements appropriate technical and organisational measures to safeguard personal
  • Provides individuals with clear and accessible rights regarding their personal

2: Purpose

Key Data Protection Objectives

This GDPR Policy is designed to:

  • Ensure full compliance with GDPR and the Data Protection Act 2018 in the collection, processing, and storage of personal data.
  • Provide clear guidelines to all employees, subcontractors, and business partners on their roles and responsibilities regarding data protection.
  • Protect the rights of individuals (data subjects) by ensuring that personal data is handled securely and
  • Promote transparency in Redcone Recruitment’s data processing
  • Ensure timely and effective responses to data subject requests, data breaches, and other data protection-related

3: Scope

3.1 Application of the Policy

This GDPR Policy applies to all employees, contractors, subcontractors, and stakeholders of Redcone Recruitment who process personal data on behalf of the company. It covers all personal data collected, stored, and processed in the context of Redcone Recruitment’s operations, including recruitment, employment, subcontracting, and client services.

3.2 Legal and Regulatory Compliance

Redcone Recruitment will comply with the following legislation and regulations:

  • The General Data Protection Regulation (GDPR) (EU) 2016/679
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications Regulations (PECR) 2003
  • ICO (Information Commissioner’s Office) Guidelines
  • ISO 27001: Information Security Management (where relevant).

4: Data Protection Principles

4.1 Lawfulness, Fairness, and Transparency

Redcone Recruitment will ensure that personal data is processed lawfully, fairly, and transparently, providing clear information to individuals about how their data will be used.

4.1.1 Legal Basis for Processing

Personal data will only be processed where there is a valid legal basis, such as:

  • The individual has given clear consent for their data to be
  • Processing is necessary for the performance of a
  • Processing is necessary for compliance with a legal
  • Processing is necessary to protect vital interests (e.g., health and safety).
  • Processing is necessary for the legitimate interests of Redcone Recruitment or a third party, except where such interests are overridden by the rights and freedoms of the data subject.

4.1.2 Transparency

Redcone Recruitment will provide data subjects with clear and easily understandable privacy notices, explaining the purpose of data processing, how their data will be used, their rights, and how they can exercise them.

4.2 Data Minimisation

Redcone Recruitment will collect only the personal data that is necessary for the specific purposes outlined in this policy and will not process excessive or irrelevant data.

4.2.1 Collection and Purpose Limitation

Personal data will be collected for specific, explicit, and legitimate purposes and will not be further processed in ways that are incompatible with those purposes.

4.3 Accuracy

Redcone Recruitment will take all reasonable steps to ensure that personal data is accurate, up-to-date, and complete.

4.3.1 Data Subject Rights

Individuals will be provided with mechanisms to update or correct their personal data where necessary. Any inaccuracies identified will be rectified without delay.

4.4 Storage Limitation

Personal data will be retained only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law.

4.4.1 Data Retention Schedules

Redcone Recruitment will establish and adhere to data retention schedules that outline how long different categories of personal data will be kept and when they will be securely disposed of or anonymised.

4.4.2 Secure Disposal

When personal data is no longer required, Redcone Recruitment will ensure it is securely deleted, shredded, or otherwise destroyed to prevent unauthorised access or misuse.

4.5 Integrity and Confidentiality (Security)

Redcone Recruitment will implement appropriate technical and organisational measures to ensure the security of personal data and protect it from unauthorised or unlawful processing, accidental loss, destruction, or damage.

4.5.1 Data Encryption and Access Control

Sensitive data will be encrypted both in transit and at rest, and access to personal data will be restricted to authorised personnel based on job roles and responsibilities.

4.5.2 Data Protection by Design and Default

Redcone Recruitment will adopt data protection by design and default in all systems, processes, and projects, ensuring that privacy and data protection considerations are embedded from the outset.

5: Data Subject Rights

5.1 Right to be Informed

Data subjects have the right to be informed about the collection and use of their personal data. Redcone Recruitment will provide privacy notices explaining how personal data is collected, used, shared, and retained.

5.2 Right of Access

Data subjects have the right to access their personal data held by Redcone Recruitment.

5.2.1 Subject Access Requests (SARs)

Individuals may submit a subject access request to obtain copies of their personal data. Redcone Recruitment will respond to such requests within one month, in accordance with GDPR requirements.

5.3 Right to Rectification

Data subjects have the right to have inaccurate or incomplete personal data corrected. Redcone Recruitment will rectify inaccuracies promptly when notified by the data subject.

5.4 Right to Erasure (Right to be Forgotten)

Data subjects have the right to request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.

5.4.1 Erasure Requests

Redcone Recruitment will comply with valid requests for data erasure, except where retention is required by law or where other legitimate grounds for retaining the data exist (e.g., legal claims, regulatory requirements).

5.5 Right to Restrict Processing

Data subjects have the right to request the restriction of their personal data processing in certain circumstances, such as when they contest the accuracy of the data or when processing is unlawful.

5.6 Right to Data Portability

Where applicable, data subjects have the right to request that their personal data be provided in a structured, commonly used, and machine-readable format, and to have it transmitted to another organisation.

5.7 Right to Object

Data subjects have the right to object to the processing of their personal data based on legitimate interests, direct marketing, or processing for research or statistical purposes.

5.8 Rights Related to Automated Decision-Making and Profiling

Redcone Recruitment does not engage in automated decision-making or profiling that has a legal or significant impact on individuals. If this changes, individuals will be informed of their rights related to such processing.

6: Data Breach Response

6.1 Definition of a Data Breach

A personal data breach refers to any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes breaches resulting from both human error and technical failures.

6.2 Data Breach Notification

In the event of a data breach, Redcone Recruitment will:

6.2.1 Assess the Impact

Promptly assess the nature and severity of the breach to determine its impact on individuals and the business.

6.2.2 Notify the ICO

If the breach is likely to result in a high risk to the rights and freedoms of individuals, Redcone Recruitment will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.

6.2.3 Notify Affected Individuals

Where the breach poses a high risk to individuals’ privacy, Redcone Recruitment will notify the affected individuals without undue delay, explaining the nature of the breach and any measures they can take to protect themselves.

6.3 Mitigation and Remediation

Redcone Recruitment will take immediate steps to mitigate the impact of the data breach and prevent its recurrence, including:

  • Conducting an internal
  • Implementing corrective measures to address any security
  • Reviewing and updating data protection policies and procedures as

7: Data Protection Officer (DPO)

7.1 Appointment of a DPO

Redcone Recruitment will designate a Data Protection Officer (DPO) or a designated data protection lead where required by law or organisational needs. The DPO will be responsible for overseeing data protection compliance and acting as the main point of contact for data subjects and regulatory authorities.

7.2 DPO Responsibilities

The DPO will be responsible for:

  • Monitoring compliance with GDPR and other data protection
  • Advising the company on data protection
  • Conducting internal audits and assessments to ensure GDPR
  • Responding to data subject requests and liaising with the ICO when
  • Reporting data breaches and advising on remediation

8: Third-Party Data Processors

8.1 Use of Data Processors

Where Redcone Recruitment engages third-party data processors (e.g., payroll providers, IT service providers), the company will ensure that:

  • Processors are carefully vetted to ensure they have adequate data protection measures in
  • Data processing agreements are established, clearly outlining the responsibilities and obligations of both parties in relation to personal data protection.
  • Processors act only on Redcone Recruitment’s documented instructions and comply with the company’s GDPR

8.2 Regular Audits and Monitoring

Redcone Recruitment will conduct regular audits of third-party data processors to ensure their ongoing compliance with data protection laws and contractual obligations.

9: Policy Review

9.1 Ongoing Review

This GDPR Policy will be reviewed annually to ensure its continued compliance with GDPR, UK data protection laws, and relevant ISO standards.

9.2 Policy Updates

Any changes to this policy will be communicated to all employees, contractors, and relevant stakeholders. Updates will be incorporated promptly in response to new legislation, regulatory guidance, or organisational changes.

10: Relevant Legal and Regulatory Considerations

10.1 Compliance with Legislation

This GDPR Policy has been developed in accordance with the following laws and regulations:

  • General Data Protection Regulation (GDPR) (EU) 2016/679
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR) 2003
  • ISO 27001: Information Security Management (where applicable)

10.2 Commitment to Legal Compliance

Redcone Recruitment is committed to ensuring that its data protection practices comply with all applicable data protection laws and standards. Regular reviews, audits, and employee training will be conducted to maintain compliance and uphold data protection best practices.

This GDPR Policy outlines Redcone Recruitment’s approach to protecting personal data and ensuring compliance with GDPR and the Data Protection Act 2018. By adhering to this policy, Redcone Recruitment aims to safeguard individual privacy rights, minimise data protection risks, and promote a culture of transparency and accountability within the organisation.

Approved by Managing Director Matthew Beech

Date: 10/10/2025

Signature

Uncontrolled when copied or printed

Document Revisions:
