The legal basis for using your information

When we use information for the purposes set out here, we will do so either on the basis of your consent (provided it is freely given, specific, informed, unambiguous and positively given) or because we need to for one or more of the following reasons:

• To perform a contractual obligation owed to the individual the data relates to (i.e. to provide property purchasing or selling services);
• In order to comply with legal obligations (such as obligations imposed by Data Protection Laws, or obligations requiring us to verify a person’s identity); or
• To pursue our legitimate interests and those of third parties, including;
• contacting existing customers to build and maintain relationships;
• promoting our services, brand and the success of our business; and
• to operate our business, for example when using personal information for record keeping, training or administrative purposes

Recruitment

We collect, store and use personal data about individuals who apply to join us. This may include information:

• you provide to us (such as in CVs, application forms, and through correspondence);
• you provide during an interview;
• obtained from previous employers and referees;
• provided to us by recruitment agencies; and
• received as a result of our carrying out background checks (such as checks for criminal convictions with the Disclosure and Barring Service).

The information we collect might include sensitive personal data, such as information about your health and sickness records. If we need to process sensitive personal data then we will ask for your explicit consent before doing so.

If you apply for a position with us, we may carry out a check for criminal convictions in order to satisfy ourselves that there is nothing in your history which makes you unsuitable for the role. We do this because working with us involves a high degree of trust (as you will have access to confidential information).

If we carry out a criminal record check or ask for references, this will only ever be done at the last stage of the application process, when making an offer of employment.

How we use applicant information

We use the personal data we collect about you to:

• assess your skills, qualifications, and suitability for a role;
• carry out background and reference checks;
• communicate with you about your application;
• keep records related to our hiring process; and
• comply with legal or regulatory requirements.

We do all of this because either it is a necessary part of entering into a contract of employment with you or because we have a legitimate interest in ensuring that you are suitable for a particular role.

If you fail to provide personal data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully.

Retention of applicant information

We normally retain personal data about unsuccessful candidates for between 3 and 6 months from the time we inform them of our hiring decision. We retain personal data for this period so that we can demonstrate, in the event of a legal claim, we have not discriminated against an applicant and that the recruitment process was fair and transparent. After this period, we will securely destroy this applicant’s personal data. If we wish to retain personal data on file, in case future opportunities arise, we will contact the applicant and ask for his or her consent to do so.

If you are successful, the personal data your provided in the application process will be stored as part of your personnel file.

Partners

If we explore or enter into a partnership with you we will collect information as necessary to evaluate the potential partnership and where applicable to work with you. Apart from as described above, we will not share your data with third parties without your explicit consent.

International Transfer of Data

We normally only store personal data within the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:

• ensuring the recipient is in a country which the EU Commission has deemed provides adequate protection for personal data;
• implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities; or
• (if the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield scheme. For example, we use software services provided by the Google LLC, which is registered under the Privacy Shield scheme.

The only other time we’ll transfer data outside the EEA is if a derogation (i.e. an exception) under Data Protection Laws, and the transfer is either necessary and made for the purposes of that exception or with your explicit consent.

Your rights as a data subject

Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:

• The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.
• The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• The right to object to processing of your personal data. You can object to us processing personal data for legitimate interests purposes or for direct marketing.
• The right to restrict how your personal data is used. You can limit how we use your information (primarily to storage or for use in legal claims).
• The right to have a portable copy or transfer your personal data. We will provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to automated information we process on the basis of your consent or in order to perform a contract.
• The right to withdraw consent. If we are relying on consent to process your personal data you have the right to withdraw that consent at any time.

Responding

We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.

We may need to request additional information from you to help us confirm your identity.

This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.

Fees for making a request

You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

How to make a request

If you want to exercise any of the rights described above, please email help@nested.com or write to:

Data Protection Requests,
5-9, Nested,
Hatton Wall,
London,
EC1N 8HX

Your right to complain to a supervisory authority

You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.