1. Introduction
We are committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws.
This Privacy Notice explains how Acacium Group and its affiliates collect, use, store, and share personal data when we act as:
- A Data Controller – when we determine the purpose and means of processing personal data, such as when we provide direct services to individuals.
- A Data Processor – when we process personal data on behalf of and under the instructions of another organisation (such as the NHS, local authorities, Care Commissioning Groups or other clients).
2. What Personal Data We Collect and Process
Depending on our role as a data controller or processor, we may process the following types of personal data:
a) When Acting as a Data Controller
We may process the following categories of personal data:
- Personal Identifiers: Name, email address, phone number, location (city, region)
- Professional Information: Job titles, work history, skills, certifications, industry experience, achievements, employment preferences
- Educational Background: Degrees, diplomas, institutions attended, grades, certifications
- Job Preferences: Desired salary, preferred roles or sectors, location preferences, availability
- Uploaded Documents: CVs, resumes, cover letters, and any additional documents you provide
- Metadata from CVs: Extracted keywords, formatting attributes, structure of experience and qualifications
- Occupational Health Data
b) When Acting as a Data Processor
In some cases, we act as a data processor on behalf of third-party organisations such as NHS Trusts, local authorities, or care providers who are the data controllers. This means that we process your personal data strictly under their instructions and in line with a formal data processing agreement.
What This Means for You:
- We Do Not Decide How Your Data Is Used:
The third-party organisation (the data controller) decides why and how your personal data is collected and processed. We only carry out processing activities as directed by them. - What Data Is Involved:
The types of personal data we process may include your CV, qualifications, employment history, references, and diversity information, depending on the instructions of the data controller. - Why We Process Your Data:
We process your data to support recruitment and placement activities on behalf of the organisation you are applying to, or being considered by. We do not use your data for our own independent purposes. - How Your Data Is Shared:
We only share your personal data with the data controller and, where necessary, their authorised third parties. We do not share your data for marketing or any unrelated purposes. - Data Retention:
We retain your personal data only for as long as instructed by the data controller. Once the processing is complete or our agreement with the controller ends, we will either return or delete your data as directed—unless we are legally required to keep it for a specific period.
For information on who your data controller is, please contact dpo@acaciumgroup.com.
3. Lawful Basis for Processing
We process personal data under one or more of the following lawful bases, depending on our role:
a) When Acting as a Data Controller
We process personal data in connection with our AI recruitment tools under the following lawful bases:
- Article 6(1)(b) – Contractual Obligation: When processing is necessary for taking steps prior to entering into a contract with you (e.g. submitting your application to a client).
- Article 6(1)(f) – Legitimate Interests: To improve the recruitment experience through efficiency and accuracy, provided such interests are not overridden by your rights and freedoms.
- Article 6(1)(a) – Consent: In specific cases, particularly for the use of automated formatting or enhancements, we may seek your consent.
- Article 9(2)(b) – Employment: which allows processing necessary for employment, social security, and social protection purposes, as authorised by law.
b) When Acting as a Data Processor
We process data based on the lawful basis provided by the data controller and under their instructions. We do not determine the purpose or legal basis for processing in this capacity, this information can be found on the data controller’s privacy notice, if you need help to locate this please contact dpo@acaciumgroup.com.
4. How We Use Personal Data
As part of our recruitment and placement services, we utilise Artificial Intelligence (AI) technologies to support candidate-job matching and CV reformatting. These tools are used to enhance efficiency, fairness, and quality in how we assess applications and present candidate profiles to potential employers.
Purpose of Processing Using AI
- AI-Powered Job Matching – To match candidates with appropriate roles based on qualifications, experience, job preferences, and employer criteria.
- CV Reformatter – To restructure CVs for clarity, consistency, and presentation in line with industry standards, improving the likelihood of successful job placement.
Safeguards and Human Oversight
- No Solely Automated Decision-Making: AI decisions are reviewed by recruitment professionals; no final decisions are made by the system alone.
- Fairness and Non-Discrimination: AI tools are evaluated regularly to ensure they operate fairly and are not biased or discriminatory.
- Transparency: You may request an explanation of how the AI system works or ask for human review of a decision made using AI.
- Security Measures: Data processed through AI tools is protected by access controls, encryption, and secure infrastructure.
5. How We Keep Data Secure
We take appropriate technical and organisational measures to protect personal data, including:
- Access Controls: Limiting access to authorised personnel only.
- Encryption: Protecting data in storage and transmission.
- Regular Security Audits: Monitoring and improving data protection measures.
- Data Minimisation: Collecting only the necessary information for specific purposes.
- Secure Disposal: Ensuring data is safely destroyed when no longer needed.
6. Who We Share Data With
In the course of providing recruitment and placement services, we may share your personal data with third parties where it is necessary for progressing your application, securing employment, or meeting legal obligations. These include:
- Clients and Prospective Employers: We may share your CV, professional history, and relevant details with organisations that are seeking to fill positions that match your profile.
- Recruitment Platforms and Job Boards: Where appropriate and with your consent, we may upload anonymised or reformatted versions of your CV to recruitment platforms or job boards to increase your visibility and access to opportunities.
- Technology Partners: Providers of applicant tracking systems (ATS), CV parsing tools, and AI-based job matching services that support our recruitment operations.
- Employment Screening Providers: Third parties who assist with background checks, reference checks, right-to-work verification, or credential validation.
- Payroll and Umbrella Companies: Where applicable, your information may be shared with trusted partners for payroll administration or contractor engagement purposes.
- Group Companies: Other entities within our corporate group for the purpose of providing you with alternative or extended career opportunities, operational efficiency, or to meet compliance requirements.
- Legal, Regulatory and Compliance Bodies: Such as the HMRC, or other authorities when required by law, or in response to legal processes, safeguarding investigations, etc.
We may also share personal data between entities within our corporate group for several legitimate reasons, including:
- Service Delivery & Operational Efficiency – Ensuring smooth operations by sharing data for administrative, HR, IT, finance or customer service purposes.
- Regulatory Compliance & Risk Management – Meeting legal obligations, conducting internal audits, and managing risks across the organisation.
- Security & Fraud Prevention – Protecting against security threats, cyber risks, and fraud by implementing centralised monitoring and threat detection.
- Research & Analytics – Using aggregated or pseudonymised data to improve products, services, and customer experiences.
To ensure that intra-group data sharing is lawful, transparent, and secure, we implement the following safeguards:
- Data Sharing Agreements (DSAs) – We establish formal agreements between group entities that define the purpose, scope, and legal basis for data sharing.
- Lawful Basis for Processing – Data is shared only where there is a valid legal basis.
- Purpose Limitation – Personal data is only used for the intended and disclosed purposes, preventing unauthorised or excessive use.
- Access Controls – Only authorised personnel with a legitimate need can access shared data, following strict role-based access policies.
- Cross-Border Transfers – If data is transferred between group entities in different countries, we ensure compliance with international data protection laws through mechanisms such as International Data Transfer Agreement (IDTA).
Any third parties that process data on our behalf must comply with strict data protection requirements.
7. International Data Transfers
We may share personal information to third parties outside of the United Kingdom (UK). Any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws.
Where personal data is transferred outside of the UK to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:
- Standard Contractual Clauses plus International Data Transfer Addendum
- International Data Transfer Agreement
- An exception as defined in Article 49 of the UK GDPR
8. How Long We Keep Personal Data
We retain personal data in accordance with our data retention schedule and other relevant guidelines. Retention periods vary depending on the type of record and legal requirements. Once retention periods expire, data is securely deleted or anonymised.
9. Your Data Protection Rights
Under data protection laws, you have rights regarding your personal data, including:
- Right to Access: You can request a copy of your personal data.
- Right to Rectification: You can ask us to correct inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your data where appropriate.
- Right to Restrict Processing: You can ask us to limit processing in certain circumstances.
- Right to Data Portability: You can request a transfer of your data to another provider.
- Right to Object: You can object to processing based on legitimate interests.
If we are acting as a data processor, you should contact the data controller (e.g., NHS Trust, local authority) to exercise these rights.
10. Data Breaches and Incident Reporting
We have procedures in place to manage data breaches. If a data breach occurs:
- We will assess the impact and take action to contain the breach.
- If acting as a data processor, we will notify the data controller without undue delay.
- If required, we will report the breach to the Information Commissioner’s Office (ICO) and affected individuals.
11. How to Complain
If you have any concerns about our use of your personal data, you can make a complaint to us using our contact details below.
If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO here.
12. Contact Information
If you have questions about this Privacy Notice or wish to exercise your data rights, please contact:
Data Protection Officer (DPO)
Acacium Group
9 Appold Street
London
EC2A 2AP
Email: dpo@acaciumgroup.com
13. Policy Review and Amendments
We keep this Policy under regular review. This Policy was last updated on 31/07/25
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
