PRIVACY POLICY
This policy applies to all parties whether independent company, employed or contracted staff with responsibility for the processing of personal data on or on behalf of the Facilitas Management Group.
The independent Groups and companies listed below are henceforth, in this document collectively referred to as “the company” or “Facilitas”
- Facilitas Management
- Noel Group
- Strategic Placement Group
- Training Force
- Skillsteam Training
- Ascension Recruitment
- Orange Recruitment
- Southside Personnel
- Allied Health Careers
- Flexistaff
- Connections Group
- MatchMedics
- Match Recruitment Group
- Driving Force
- Airport Staff
- Total Talent Solutions
- CareerSpace
- Labour Force
- Elevation Recruitment
- Validus Talent
Status of this notice
This is the Candidate Privacy Notice of the Facilitas Group. It explains how each Group/brand company collects and uses personal data about candidates, applicants and other persons who engage with the Group in the course of its recruitment activities. It is issued in compliance with Articles 13 and 14 of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the Data Protection Act 2018.
Where the Group uses artificial intelligence (“AI”) tools in the course of its recruitment activities, this notice records what tools are used, on what basis, and what limits the Group has placed on that use. The Group AI Use Policy is the internal counterpart to this notice and is available on request.
1. Who we are
1.1 In this notice, “the Group” means Facilitas Management Ltd and each brand company within the Group (each a “Group company”). The current list of brand companies is published above and is updated from time to time.
1.2 Each Group company is the controller of the personal data it processes about you for its own recruitment activity. Where two or more Group companies process your personal data jointly, they act as joint controllers and remain jointly and severally accountable to you under the GDPR.
1.3 Our registered office and principal place of business is at Unit 10B Santry Business Park, Swords Road, Dublin 9, D09 PF99.
1.4 Our Data Protection Officer is David Kearney. You can contact the Data Protection Officer at dpo@facilitas.ie or by post at the address in clause 1.3, marked “FAO: Data Protection Officer”.
2. About this notice
2.1 This notice applies to you if you are a candidate, applicant, registered jobseeker, or any other natural person whose personal data the Group processes in connection with its recruitment activities. It applies whether you have approached the Group directly, been sourced by us from a third-party platform, or been referred to us by a referee or by another candidate.
2.2 This notice does not apply to:
- Group employees, contractors or interns in their capacity as staff
- hirer clients of the Group (the Group’s commercial terms govern those relationships); or
- visitors to our websites in their general browsing capacity (the Group’s Cookie Notice applies, and is available on each website).
2.3 We may update this notice from time to time. When we do, we will publish the updated notice on our websites and, where the change is material, we will draw it to your attention by email or another appropriate means.
3. Personal data we collect about you
3.1 Depending on the role for which we are considering you and the stage of our engagement with you, we may collect and process the following categories of personal data:
- Identity and contact data: your name, address, telephone number, email address, date of birth, nationality and (where relevant to eligibility to work) work-permit number.
- Application and CV data: your curriculum vitae, cover letter, work history, education and qualifications, professional memberships, languages, skills, work preferences and salary expectations.
- Eligibility and vetting data: copies of identification documents, eligibility-to-work documentation, references, professional registrations relevant to the role, and the results of background or pre-employment checks where the role requires them.
- Assessment and interview data: notes of telephone or video calls, interview notes, assessment results, candidate profiles prepared for hirer clients, and feedback from those clients.
- Communications data: the content and metadata of correspondence between you and us, including emails, SMS, instant messages and call notes.
- Engagement data: your interactions with us through our websites, candidate portals, job boards and applicant-tracking systems, including Internet Protocol (IP) addresses and analogous identifiers.
- Equality monitoring data (where you choose to provide it): information about the protected characteristics listed in the Employment Equality Acts 1998–2015. The provision of this data is voluntary and you may decline without consequence to your application.
- Information about your placement: where we place you with a hirer client, the terms of your placement and information about the assignment.
4. Where we obtain your personal data
4.1 Most of the personal data we hold about you comes directly from you, when you apply for a role, register with us, attend an interview, or otherwise communicate with us.
4.2 We also obtain personal data about you from third parties, including:
- professional and recruitment platforms (for example, LinkedIn, Indeed, job boards on which you have placed your CV, and professional registers that are open to inspection);
- referees you have nominated;
- hirer clients of the Group, in respect of any feedback on your candidacy or placement;
- background-check, vetting and identity-verification providers we instruct in connection with a specific role; and
- publicly available sources where they are relevant to your candidacy.
4.3 Where we obtain personal data about you from a source other than you, we will, in accordance with Article 14 GDPR, inform you of the source within a reasonable period after obtaining the data and, in any event, at the latest within one month, or earlier if we first communicate with you or first disclose the data to another recipient.
5. Lawful bases for processing your personal data
5.1 We process your personal data on the following lawful bases under Article 6 GDPR. In any given case, we may rely on more than one basis depending on the activity:
- Performance of a contract or steps prior to entering into a contract (Article 6(1)(b)): to act as your recruitment agent in connection with the assignment, role or placement you are seeking; to communicate with you about opportunities; to present your candidacy to hirer clients; and to operate any placement we secure on your behalf.
- Legitimate interests (Article 6(1)(f)): to maintain the Group’s candidate database, to source and shortlist candidates for hirer clients, to manage and develop the Group’s recruitment business, to conduct ordinary business administration, to monitor and improve the quality of our service, to keep audit records, and to protect the security of our systems and information. Where we rely on this basis, we have carried out a legitimate-interests assessment and have concluded that the processing does not override your interests, rights and freedoms.
- Compliance with a legal obligation (Article 6(1)(c)): to comply with our obligations under tax law, employment law, the Employment Agency Act 1971 and S.I. No. 277/2010, the Companies Act 2014, anti-money-laundering legislation where applicable, and other statutory obligations to which we are subject.
- Consent (Article 6(1)(a)): for specific optional processing activities for which we ask your consent (for example, retaining your data beyond the standard retention period for future opportunities, or sending you marketing about training courses). You may withdraw any consent you give us at any time, by contacting the Data Protection Officer, without affecting the lawfulness of any processing carried out before you withdrew it.
- Vital interests (Article 6(1)(d)) and public interest (Article 6(1)(e)): in the rare cases where these bases apply, for example in a medical emergency on a Group premises.
6. Special categories of personal data
6.1 We do not, as a rule, ask you to provide special categories of personal data under Article 9 GDPR (which include data revealing health, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sex life or sexual orientation, and genetic and biometric data).
6.2 Where such data is necessary for the role, we will process it on the basis set out in Article 9(2)(b) GDPR (employment and social-security obligations), Article 9(2)(h) GDPR (occupational medicine) or Article 9(2)(a) GDPR (your explicit consent), as the circumstances require. We will explain the basis to you at the point of collection. Special category data is not entered into a generative AI tool in any circumstances; see clause 7 below.
6.3 Where you choose to provide equality monitoring data, we process it for the purpose of monitoring equal opportunity, on the basis of Article 9(2)(b) GDPR read with the Employment Equality Acts 1998–2015 and the Equal Status Acts 2000–2018.
7. Use of AI tools in our recruitment activities
7.1 The Group uses a limited and controlled set of AI tools to support the work of its consultants. The tools currently approved for use are Microsoft 365 Copilot Basic and a licensed business account with ChatGPT, accessed and configured through Group Support. All other AI services are blocked on the Group’s systems. The Group AI Use Policy sets out the operative rules and is available on request.
7.2 We use these tools to:
- draft, summarise or refine internal documents, such as job advertisements, interview question sets, candidate profiles and correspondence;
- summarise long documents, such as detailed role specifications received from a hirer client;
- translate or rephrase text;
- check and improve the quality of our written work product before it is sent to you or to a hirer client.
7.3 We have placed the following limits on our use of these tools in respect of your personal data:
- we do not enter identity documents, work-permit documents, eligibility-to-work documents or comparable verification material into a generative AI tool;
- we do not enter special categories of personal data into a generative AI tool in any circumstances;
- we minimise the personal data we input, removing identifiers where they are not necessary for the task; and
- we configure the approved tools so that the Group’s inputs are not used to train the provider’s underlying model.
7.4 No final decision about your candidacy, including a decision to reject you, to shortlist you, to present you to a hirer client, or to place you in an assignment, is taken by an AI tool alone. A competent member of staff is responsible for every such decision in accordance with clause 8 below.
7.5 Where AI is used to generate or substantially shape content sent to you, and the recipient would consider it material to know that AI was involved, we will disclose that AI was used in the preparation of the content.
8. Automated decision-making and profiling
8.1 The Group does not take decisions about candidates by solely automated means within the meaning of Article 22(1) GDPR. Every candidate-affecting decision (whether to reject, shortlist, present or place you, and the terms on which we do so) involves the meaningful judgement of a recruitment consultant.
8.2 Where a hirer client requires the use of an AI system as part of its own assessment of you, that use is governed by the hirer client’s privacy notice rather than this notice. Where we become aware of any such use, we will tell you and we will satisfy ourselves that the client’s use is lawful before we present your candidacy.
8.3 Where the EU AI Act (Regulation (EU) 2024/1689) imposes additional obligations on the Group as a deployer of high-risk AI systems used in recruitment under Annex III(4), the Group will comply with those obligations from their date of application. Subject to formal adoption of the Digital Omnibus package (provisional trilogue agreement of 7 May 2026), the principal deployer obligations applicable to high-risk AI systems under Annex III are deferred to 2 December 2027.
9. Recipients of your personal data
9.1 We share your personal data, on a need-to-know basis and subject to appropriate safeguards, with the following categories of recipient:
- hirer clients to whom we present you, or with whom we place you, including any third party engaged by the hirer client to manage the recruitment or onboarding process;
- other Group companies, where this is necessary to maintain a single candidate record across the Group or to consider you for opportunities outside the brand company with which you first engaged;
- our service providers acting as processors on our behalf, including providers of applicant-tracking and customer-relationship-management systems, secure document storage, communications platforms, background-check and vetting services, identity-verification services, payroll providers (in respect of temporary placements), and IT and cybersecurity services (including Netskope, our network-security platform);
- providers of the AI tools listed in clause 7, acting as processors on our behalf to the extent that personal data is processed in those tools;
- professional advisers (lawyers, auditors, insurers) where they need the data in the course of their work for the Group;
- regulators, courts and other public authorities where we are required by law to disclose, or where disclosure is necessary for the establishment, exercise or defence of legal claims; and
- the purchaser or successor of any part of the Group’s business, in connection with the sale or transfer of that part of the business.
9.2 We do not sell your personal data and we do not broker it for marketing or any other commercial purpose unconnected with the recruitment service.
9.3 Where a recipient acts as a processor on our behalf, we put in place a written processor agreement that meets the requirements of Article 28 GDPR.
10. International transfers
10.1 The Group is based in Ireland and the great majority of personal data we hold about you is processed in the European Economic Area (“EEA”).
10.2 However, certain of our processors, including the providers of the AI tools listed in clause 7, may process your personal data outside the EEA, for example in the United States or the United Kingdom. Where this is the case, we ensure that the transfer is protected by an appropriate transfer mechanism under Chapter V GDPR, including:
- a decision of the European Commission that the country in question provides an adequate level of protection (for example, in respect of the United Kingdom);
- the Standard Contractual Clauses adopted by the European Commission, supplemented where necessary by additional contractual, technical and organisational safeguards; or
- certification under the EU–US Data Privacy Framework, where the recipient is so certified.
10.3 You may request further information about the transfer mechanism applicable to any particular processor by contacting the Data Protection Officer.
11. How long we keep your personal data
11.1 We retain your personal data for no longer than is necessary for the purposes for which it was collected and processed. We apply the retention periods set out in Schedule 1 to this notice.
11.2 Where we hold your data because you wish to be considered for future opportunities (an extended retention beyond the standard candidate retention period in Schedule 1), we will ask for and rely on your consent, and you may withdraw that consent at any time.
12. Your rights
12.1 You have the following rights in respect of your personal data:
- Right of access (Article 15 GDPR): to obtain confirmation that we are processing your personal data and a copy of the data, together with the information set out in Article 15.
- Right to rectification (Article 16 GDPR): to have inaccurate personal data corrected and incomplete personal data completed.
- Right to erasure (Article 17 GDPR): to have your personal data erased in the circumstances set out in Article 17.
- Right to restriction of processing (Article 18 GDPR): to have the processing of your personal data restricted in the circumstances set out in Article 18.
- Right to data portability (Article 20 GDPR): to receive a copy of your personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where the processing is based on consent or on a contract and is carried out by automated means.
- Right to object (Article 21 GDPR): to object to processing that is based on legitimate interests, and to object to processing for direct marketing purposes, in either case in accordance with Article 21.
- Rights in respect of automated decision-making (Article 22 GDPR): not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, subject to the exceptions in Article 22. As stated in clause 8, the Group does not take such decisions about candidates.
- Right to withdraw consent: where we rely on your consent, to withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: with a supervisory authority, in particular the Data Protection Commission in Ireland (see clause 14).
12.2 To exercise any of these rights, please contact the Data Protection Officer at dpo@facilitas.ie. We will respond to your request within one month, unless the request is complex or we have received a number of requests, in which case we may extend that period by a further two months and tell you why.
12.3 Before we respond to a request, we may need to verify your identity. We will ask for proof of identity proportionate to the request. Where the request is made by post, two forms of identification, at least one of which is photographic, will normally be required.
13. Cookies and our websites
13.1 When you visit one of the Group’s websites, we and our service providers may place cookies and similar technologies on your device. The categories of cookies we use, the purposes for which they are used, and your choices in respect of cookies, are set out in the Cookie Notice on the relevant website.
13.2 You may set your browser to refuse cookies or to alert you when a cookie is being set. Some parts of our websites may not function properly if cookies are disabled.
14. How to contact us and how to complain
14.1 If you have any question, concern or complaint about how the Group processes your personal data, please contact the Data Protection Officer at dpo@facilitas.ie or by post at Unit 10B Santry Business Park, Swords Road, Dublin 9, D09 PF99, marked “FAO: Data Protection Officer”.
14.2 You also have the right to lodge a complaint with the Data Protection Commission, the supervisory authority in Ireland for data protection matters. The contact details are:
- Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28;
- telephone: +353 (0)761 104 800;
- website: www.dataprotection.ie.
14.3 Where you are located in another EU/EEA Member State, you may also lodge a complaint with the supervisory authority of that Member State.
15. Changes to this notice
15.1 This notice may be updated from time to time to reflect changes in the law, in our practices, in the tools we use or in the structure of the Group. The current version is identified in the metadata table at the start of this notice. We will draw any material change to your attention.
Schedule 1: Retention periods
We retain your personal data for the periods set out below. Where more than one period could apply to the same data, the longer period prevails.
|
Category of record |
Retention period |
|
Candidate registration and interaction (where no placement results) |
One year from the date of your last meaningful interaction with the Group, unless you ask us to retain your data for longer or to delete it sooner. |
|
Records of an application for a particular role, including interview notes and assessment results |
One year from the date the role is filled, or one year from the date of your last meaningful interaction with the Group in respect of that role, whichever is later. |
|
Records of equality-monitoring data and Employment Equality Acts 1998–2015 compliance |
One year from the relevant recruitment activity, in accordance with the Employment Equality Acts 1998–2015. |
|
Personal injuries-related records |
Three years from the date of the cause of action, save that, where the cause of action involves a minor, the retention period extends to three years after the minor reaches the age of 18. |
|
Breach of contract-related records |
Six years from the date of the breach. |
|
Records of placements (temporary and permanent), including assignment terms |
For the duration of the placement and for six years following its end, in accordance with Revenue requirements and the Companies Act 2014. |
|
Working time records, national minimum wage records, and records under the Protection of Employees (Temporary Agency Work) Act 2012 and the Protection of Employees (Part-Time Work) Act 2001 |
Three years from the termination of the relevant assignment. |
|
Parental leave and force majeure leave records |
Eight years. |
|
Health and safety records |
Ten years. |
|
Records of compliance with data protection law (including DPIAs, processor agreements, breach records and consent records) |
Five years from the relevant compliance event. |
|
Tax records and records required under the Companies Act 2014 |
Six years on a rolling basis. |
We may retain personal data for shorter periods where we are not required to retain it for the purposes set out above. We may retain personal data for longer periods in the limited circumstances where this is required by law or is necessary for the establishment, exercise or defence of legal claims.