We fully comply with GDPR.

The EU privacy directive known as the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

By using our services, you agree to these changes and our Terms and policies:

  • All Online Systems
    All of our systems have been updated as part of GDPR compliance. We have added new security features, updated processes and provided more support for candidates and customers etc.
  • Business Terms and Conditions
    Our Terms of Use, the Business Terms and Conditions  has improved the explanation of ownership, administration and your responsibilities. We ask you to please read the documentation carefully to make yourself familiar with the content.
  • Privacy Policy
    Updates have been made to further clarify our processing and non-processing of data in accordance with the GDPR.
  • Data Processing Agreement


What is the GDPR?

The General Data Protection Regulation is a European-wide law that places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).


Staffvetting and GDPR?

Staffvetting has always taken data privacy and security practices very seriously. With the introduction of GDPR we have reviewed our systems – and continue to do so – processes and procedures to ensure we’re fully compliant  For example we are:

  • we have updated all of our electronic systems increasing data integrity, confidentiality and availability.
  • a new Data Processing Agreement which we and you agree to undertake from May 25, 2018 onwards.
  • updating our Privacy Policy to ensure our compliance in respect of the data we hold about you.
  • reviewing Staffvetting’s functionality to make Staffvetting is more effective and efficient for users who are subject to the GDPR.
  • making all our consents clearer and understandable.


What information does the GDPR apply to?

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.


Who does GDPR affect?

It affects every business within all EU member states.

GDPR also affects businesses outside the EU who process the personal data of EU residents and offer them goods and services, irrespective of whether payment is required; or where the processing by a business relates to the monitoring of the behaviour of EU residents in so far as their behaviour takes place within the EU.


How does the GDPR relate to the Data Protection Act?

The Data Protection Act 2018 is a UK law. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).  Sometimes referred too however UK GDPR .


How long do you keep data?

Only as long as necessary. The UK GDPR doesn’t prescribe a set period of time we should or shouldn’t keep data. The retention period is determined by necessity. In our case, for example, we judge how long to keep data based on the nature of the work needed to be carried out, the contracts with our clients and our legal, compliance and audit requirements. Once we no longer need it, data will be deleted and/or anonymised which typically means we will remove all but the core data e.g. name, consent, customer name and submittal date.


What data will you keep relating to me?

We only ask for data that relates to your screening, and we only keep the data you provide to us with your consent as part of your screening application e.g. your name, address and data of birth. The amount and type of data we request and keep varies per applicant depending on the type of screening we are doing and the nature of the contract we have in place with the Sponsor (the organisation paying for the screening).


What is a Subject Access Request (SAR)?

Individuals (e.g. employees) have a right to request and be informed by an organisation (e.g. their employer) whether or not it is processing personal data that relates to them and, if so, to be told:

  • What personal data it is being processed.
  • The purposes for which the personal data is being processed.
  • Who, if anyone, the personal data is disclosed to.
  • The extent to which it is using the personal data for the purpose of making automated decisions relating to the data subject and, if so, what logic is being used for that purpose.

Employers are also required to provide, in an intelligible form, copies of the personal data if the Subject requests this.  There is currently a 30 calendar day time limit to respond to the request (unless exceptional circumstances apply which can reasonably justify an extension to 3 months).

Applicants can make a Subject Access Request by phoning or emailing us directly. We will verify all SARs to confirm they are legitimate. This means we will contact the applicant using the contact details we hold on record for them and not by any other means. If the request originates from different contact details compared to the details we hold on record, we may seek an extension to the response time while the applicant’s identity can be verified. See our list of Subprocessors.


Do you have a nominated Data Protection Officer?

Yes, our Data Protection Officer is contactable at


Are you a Data Controller or Data Processor?

It depends on the nature of the contract we have with a client, but usually we are the Data Processor because we usually only request and process applicant data on behalf of a client. We never collect data for our own purposes. The client in this scenario is the Data Controller, because they are the ones contracting us to request and process the data on their behalf.


What about data breaches?

If an applicant or their sponsor (the organisation paying for the screening) thinks their data may have been breached, please contact our Data Protection Officer at, or call us on 0191 5887980. We will investigate and report back to you as soon as possible. It may also be worth using the Protective Registration service available from CIFAS. This won’t affect your credit score. It’s an identity fraud prevention measure and not a form of insurance against losses caused by fraud.