When someone visits www.epm.co.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
E-newsletter and Events We use a third-party software provider, HubSpot, to deliver our advice notes and invitations for events. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our service. For more information, please see HubSpot’s privacy notice.
Security and Performance EPM uses a third-party service, Chameleon, to help maintain the security and performance of the EPM website. To deliver this service it processes the IP addresses of visitors to the EPM website.
Website We use a third-party service, Chameleon, to publish our website. We use a standard service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it.
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with the General Data Protection Regulation (GDPR). If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
All calls made to EPM may be recorded for training and quality purposes. Information collected during a call placed to EPM will be used to answer queries or address issues raised. Return calls may also be recorded for training and quality purposes.
EPM offers various online services and resources relating to human resources, payroll and pensions. We may use third-parties to deal with some direct marketing campaigns, but they are only allowed to use the information to send out the publications.
We have to hold the details of the people who have requested our services in order to provide them. However, we only use these details to provide the service a person or organisation has requested and for other closely related purposes. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.
Where the personal information is not processed on behalf of a customer, the data controller of your personal information shall be EPM Limited which is registered with the Information Commissioner’s Office with registration number Z4871398.
Our online services portals (EPM Portal and EPM ePayslips Portal) record data relating to human resources, payroll and pensions for and on behalf of our customers and their staff. In these cases, EPM is acting as a Data Processor on behalf of our customers. For more information, please speak to your employer/the relevant Data Controller.
Personal information we collect from you, or from a customer relating to you, will be retained where we have ongoing legitimate business needs to do so (for example, to provide you or our customers with a service or to comply with applicable legal, tax or accounting requirements).
EPM is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information, please contact us on the details at the bottom of the page.
What will we do with the information you provide to us? All information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during EPM’s internal recruitment process with any third parties for marketing purposes. Data sent electronically or processed beyond the initial application will be stored within the European Economic Area by our third-party processors – all processors have appropriate levels of security and organisational controls to meet data protection requirements. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it might affect your application if you don’t.
Applications may be received by email, physically by post or through a third-party recruitment agency. We may ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.
You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.
Shortlisting Our hiring managers’ shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information, if you have provided it.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by the EPM.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
Conditional offer If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by contacting the Data Protection Officer on the details at the bottom of this page.
Under data protection legislation, you have rights as an individual, which you can exercise in relation to the information we hold about you.
You can read more about these rights here: https://ico.org.uk/for-the-public/is-my-informationbeing-handled-correctly/
EPM tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of EPM’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law: www.ico.org.uk/concerns.
Where EPM acts as the data controller, EPM tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘data subject access request.
If we do hold information about you we will:
To make a request to the EPM for any personal information we may hold you need to put the request in writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Data Protection Officer.
In many circumstances we will not disclose personal data without consent, unless legally obliged to do or as part of contractual obligations with our customers (where you are a party to the agreement or service).
We may disclose your personal information to the following categories of recipients:
If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with/involving you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contact with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
We keep our privacy notice under regular review.
If you want to request information about our privacy notice, you can email us at DPO@epm.co.uk or write to:
Data Protection Officer
St John’s House
Ermine Business Park