1 Introduction
This privacy notice is from Grafton Group plc, or the company that posted the job as part of the Grafton Group. When we say "we", "us", or "our", we mean the company named in the job advert.
This notice explains how we handle and protect the personal data of people applying for jobs with us. This includes future colleagues, temporary workers, and contractors, who we call "Applicants". We follow data protection laws in both the UK and the EU.
If you already work for us, please read the Colleague Privacy Notice instead. You can find it on our HR system or ask your manager for a copy.
We take your privacy seriously and want to be clear about how we use your personal data. This notice, last updated in September 2025, covers:
Who is responsible for your data
How to contact our Data Protection Officer
Where we get your personal data from
What types of personal data we use, why we use it, and the legal reasons for doing so
How long we keep your data
Who we share your data with inside and outside the company
If we send your data to other countries
Your rights over your personal data
2 Identification of the Data Controller
Grafton Group plc is responsible for your personal data. The company’s address is The Hive, Carmanhall Road, Sandyford Business Park, Dublin, D18 Y2C9. Grafton Group plc includes several companies. You can find a list of current group members here.
Sometimes, we work together with other companies in the Group to manage certain parts of your personal data. This means we act as joint controllers. For example, we may do this when handling requests from you to use your rights under data protection law, as explained in the ‘Your Data Rights’ Section.
3 Contact details of our Data Protection Officer
The Group has a Data Protection Officer (DPO) who helps all companies in the Group follow data protection rules for applicants, colleagues, customers, and suppliers.
You can contact our DPO in these ways:
· By email, dpo@graftonplc.com
· By post, to either
o The Data Protection Officer, Grafton Group PLC, Boundary House, 2 Wythall Green Way, Wythall, Birmingham, B47 6LW, United Kingdom; or
o The Data Protection Officer, Grafton Group PLC, The Hive, Carmanhall Road, Sandyford Business Park, Dublin, D18 Y2C9, Ireland
4 Sources of Personal Data
We mainly use an online recruitment platform to collect and manage job applications. This platform helps us keep your personal data safe and lets us share it with the right people in the company, following data protection laws. The platform is used to organise, store, and share the personal data you give us.
Right now, we do not make decisions about you using fully automated systems.
In the future, we will only use automated systems to make important decisions about you if the law allows it and we have already informed you.
Sometimes, applications may come in by email or from job boards, but this only happens when needed and if the recruitment platform cannot be used. Email may also be used to arrange interviews or collect feedback.
We usually get personal data about applicants from three main sources, which are explained below.
Personal Data provided by You
We usually collect your personal data directly from you. This can be done online, in writing, by speaking with you, or through a recruitment agency. We use the recruitment platform and email to collect this information. We may ask for your contact details, work experience, qualifications, and other information needed for the job you are applying for.
When you use our recruitment website, we automatically collect some information, such as your IP address, device details, cookies about how you use the site, your mobile carrier (if relevant), time zone, operating system, and information about how you use the site.
If you give us personal data that we did not ask for or that is not allowed, we will not keep it. For example, if you send us special types of personal data that are not needed for the job, we will delete it from our system.
Personal Data generated by Us
We create some personal data during the recruitment process. This includes notes and feedback from interviews you take part in, whether these are online, by phone, face to face, or recorded.
Personal Data from Third Parties
We may also get personal data about you from other companies that provide services to us or to you, such as recruitment agencies. For example, if you apply through a recruitment firm, we may receive information about your experience and qualifications from them. We might also use digital platforms run by other companies for video interviews, written questions, or skills tests.
We may get information from people you have named as referees, if you have given us permission to contact them. Where allowed by law, we may also receive background check results or references from third parties.
Finally, we may collect information about you from public parts of professional websites, such as LinkedIn or professional directories.
5 Categories of personal data we process, why we use it, and our legal reasons
We use different types of personal data for recruitment, as explained above and in this section. The legal reasons for using your data depend on what we are doing, and usually include:
When we need to do something before offering you a job, or to carry out our responsibilities under an employment contract we are discussing with you.
When we need to use your data for our own legitimate interests, as long as these do not override your rights or freedoms.
When we need to follow the law.
When you have given us your clear consent.
If there is anything not covered here, we will tell you at the time we collect your data. We will let you know if giving us your data is required by law or contract, and what might happen if you do not provide it. If we need your consent, we will ask for it when we collect your data.
We process your personal data to help us find and hire new people for the company, including permanent staff, temporary workers, contractors, and consultants.
The types of personal data we process for recruitment include the following:
Initial Screening of Applications
Categories of personal data: | We may use your personal data to: | Our lawful basis for doing so is: | Our legitimate interests in doing so are to: |
Identification data (i.e. name, mobile telephone number, email address) | Contact you about your application | Performance of contract / take step at your request, before entering a contract | Assess applications and select suitable applicants; communicate about recruitment; keep records; create contract/personnel file if successful |
CV/Résumé (or profile on professional sites), qualifications, experience, employment history, interests, academic history, right to work status | Consider your qualifications, skills and experience to ensure they are suitable for the position | Performance of contract / take step at your request, before entering a contract | Assess applications and select suitable applicants; keep records; create personnel file if successful |
Special Category personal data (gender identity, sexual orientation, ethnic origin, nationality, citizenship, disability status, civil status, religion or belief) | This data is only used in aggregated form. | Legal Obligation | Monitor and measure equal opportunities and diversity as part of our group’s diversity and inclusion strategy |
Further Data Which May Be Required During Applicant Assessment and Selection
Categories of personal data: | We may use your personal data to: | Our lawful basis for doing so is: | Our legitimate interests in doing so are to: |
Details about your skills, previous experience, and career choices (usually discussed in an interview, either in person or by phone) | To see if you are right for the job | To take steps before making a contract with you | To help us choose the right people for our jobs; if you are successful, to create your personnel record |
Video recording of your answers to interview questions on our digital assessment platform | To see if you are right for the job | Our legitimate Interests | To see if you are right for the job |
Compliance with Legal and Regulatory Obligations Relating to Employment (UK Business Units)
We sometimes ask for special personal data and other information about diversity from applicants and colleagues. Giving us this information is your choice and will not affect your application. If you do give us this data, we only use it for statistics, as required by UK law.
We also collect health information when it is needed to follow health and safety rules and equality laws at work.
The types of personal data we may use for these reasons include:
Categories of personal data: | We may use your personal data to: | Our lawful bases for doing so are: | | |
|
| GDPR Article 6 | UK Data Protection Act 2018 | Relevant legislation or our legitimate interests:
|
Special personal data about diversity and equality (such as gender identity, sexual orientation, ethnic origin, nationality, citizenship, disability status, civil status, religion or belief) | To check how we are doing with diversity and inclusion. To meet reporting rules. For disability status, to see if we need to make adjustments for you during recruitment (like for tests or interviews). | Legal obligation | To follow employment, social security, and protection laws. UK Data Protection Act 2018 Schedule 1, Part 1, Para 1. | Equality Act 2010; Employment Rights Act 1996 |
Health information | To know about any medical conditions for health and safety reasons. To make changes at work if you have a disability. | Legal obligation | To follow employment, social security, and protection laws. UK Data Protection Act 2018 Schedule 1, Part 1, Para 1. | Health and Safety at Work Act 1974; Equality Act 2010; Employment Rights Act 1996 |
6 Retention of Data
We keep your personal data only as long as we need it for the reasons explained in this notice, or as required by law, or if we need it for legal reasons.
Usually, we keep your information until the end of the recruitment process for the job you applied for, plus any extra time required by law or for any legal matters.
If you gave us your personal data yourself and you are not offered the job, we will delete your data 12 months after the recruitment process for that job ends.
If you applied through a recruitment agency and you are not offered the job, we will also delete your data 12 months after the recruitment process for that job ends.
If we have had any first conversations with you on social media (like LinkedIn), we will delete those messages within one month after our chat ends.
7 How we share your Personal Data within the Company and Third Parties
We sometimes share your personal data with other companies in our Group and with trusted third parties.
Within our Group, your personal data may be shared with staff who are allowed to see it, such as interviewers or other authorised people in the UK or EU. This helps us manage hiring fairly and smoothly across all our companies.
For all hires, we use:
Our recruitment platform, which stores the personal data you or your recruitment agency give us. This platform is hosted in the EU and keeps your information safe.
Sometimes, applications come in by email or from job boards. These are also hosted in the EU.
Our HR management platform, which helps us get approval to hire people and stores names, education, work background, and proposed salary details. This is hosted in the EU.
Other systems, like email, finance, and management systems, which are used for communication and business management. These are hosted in the UK and EU.
For some jobs, in certain places, we may use digital assessment tools and computer programmes to help us review lots of applications. These tools help us sort applications based on skills and experience needed for the job. The results from these tools are always checked by people, not just computers. We look at each applicant individually. Some jobs may need special qualifications or experience, and applications that do not meet these requirements may be automatically rejected.
We also share your personal data with trusted service providers, like IT companies or lawyers, who help us with our work. We have agreements with these companies to make sure your data is protected.
8 International Transfers of Personal Data
Sometimes, we need to share your personal data with other companies in our Group, including those in the UK and EU. This means your data might be sent to and used by authorised staff in different countries where we have offices.
We may also share your personal data with trusted companies outside the UK or EU. If these companies are in countries that do not have the same data protection rules as the UK or EU, we will make sure your data is still protected. We do this by using special agreements or rules, like Standard Contractual Clauses or other approved ways to keep your data safe. In rare cases, we may use other legal reasons to transfer your data if needed.
9 Your data rights
You have certain rights over your personal data under data protection laws. These include the right to:
Ask what personal data we have about you and get a copy of it.
Ask us to correct or update your personal data if it is wrong or out of date.
Ask us to send your personal data (that you gave us) to another organisation in a format that can be read by a computer.
Ask us to delete your personal data.
Ask us to stop or limit how we use your personal data.
Object to us using your data if you think your situation means we should not use it, or if we are using your data for direct marketing.
Say no to giving consent, or withdraw your consent, if we are using your data based on your consent.
Sometimes, if you use these rights (like asking us to delete your data or stop using it), we may not be able to continue with your job application or possible employment.
To help us keep your data accurate, please let us know if your details change. You can update your information using the recruitment platform or by contacting the HR team. If you tell us your data is wrong, we will fix it.
If you want to use any of these rights, please email dpo@graftonplc.com.
You can also make a complaint to the data protection authority at any time. However, we would like the chance to help you first, so please contact us at dpo@graftonplc.com if you have any concerns.
If you’re in the UK, we must confirm we’ve received your complaint within 30 days. We’ll then look into it and reply within a reasonable time.
Definitions
Applicable Data Protection Law | The rules and laws that protect personal data, like the GDPR, UK GDPR, and UK Data Protection Act 2018. |
Applicant | A person applying for a job. |
Colleagues | People who work for the company, including full-time, part-time, temporary, former, or retired employees. |
Data Controller or Controller | The person or company that decides why and how personal data is used. |
GDPR | A law from the European Union that protects people’s personal data and how it is used. |
Personal Data | Any information about a person that can identify them, like their name, number, or anything unique to them. |
Processing | Any action done with personal data, like collecting, organising, storing, changing, using, sharing, or deleting it. |
Special Categories of Personal Data | Sensitive personal data, like information about your race, beliefs, health, genetics, or sexual orientation. |
UK GDPR | The UK’s version of the GDPR, which is the law that protects personal data in the United Kingdom. |
