Candidate Privacy Policy

Candidate Privacy Policy

Policy Statement

AiM Ltd, its subsidiaries and trading divisions respect your privacy.

We are registered as a company in England and Wales under company number 03997992.  We are the data controller of the data which we collect from you, and as such we control the ways your personal data is collected and the purposes for which your personal data is used.

We, AiM, use your personal data prior to, and during, your employment.  When we talk about data and personal data in this policy, we mean personal data which identifies you or which could be used to identify you, such as your name and contact details.  It may also include information about how you use our website.

AiM is committed to being transparent about how it collects and uses the personal data of its employees and to meeting its data protection obligations. This policy sets out our commitment to data protection, and individual rights and obligations in relation to personal data, and as a data controller, the steps we take to ensure that any personal data you provide to us is kept secure and confidential and is used only for the purposes for which it is provided.

AiM has appointed a Data Protection Officer who has responsibility for data protection compliance within the organisation. The Data Protection Officer can be contacted at Questions about this policy, or requests for further information, should be directed there.

We process data in compliance with the General Data Protection Regulation (GDPR).


Policy Arrangements

Definitions (“Our Site”)

“Personal data” is any information that relates to an individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

“Cookie” means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in the Cookie Policy below.

“Cookie Law” means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Data protection principles

AIM processes HR-related personal data in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent manner
  • We collect personal data only for specified, explicit and legitimate purposes
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay
  • We keep personal data only for the period necessary for processing
  • We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage

We tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing in this policy. We will not process personal data of individuals for other reasons.

Where the organisation processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with the section on Special Categories of Personal Data below.

We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.

Personal data gathered during the recruitment process is held in a secure repository on AiM servers.

Personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship or internship is held in the individual’s personnel file (in hard copy or electronic format, or both), and on HR systems.

Personal data voluntarily provided to us, including communication via email or other channels, or received by us when providing a service is held in an employee file in hard copy or electronic format, or both.

In addition, we may collect information about you from other sources, including third parties that help us: update, expand, and analyse our records; or prevent or detect fraud.

The periods for which the organisation holds HR-related personal data is contained in its Information Classification and Data Retention Policy.

The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of GDPR.


Information we collect from you

During the application process, we might collect the following kinds of information from you:


Information collectedWhen the information is collected
Your name and contact details
(email address, telephone number, address, work history, next of kin, bank details, workplace related health information, passport number, national insurance number, DoB)
When you make an enquiry via our website or via email
When you submit a career opportunity query
When you provide us with your curriculum vitae
When you join as a new employee
Work history
(previous employers, dates of employment, education, interests)
When you submit a curriculum vitae
When you make an application for a role with us
Online communication
(name, email address)
When you interact with us via Google+, Google My Business, EventBrite or YouTube

Special categories of data

Certain kinds of personal data, such as data about your racial or ethnic origin, your physical or mental health, your religious beliefs or alleged commission or conviction of criminal offences, are special categories of personal data which by law require additional protection. We try to limit the circumstances in which we collect sensitive personal data of this kind, but we do collect and process it when for example:

  • You have a work-related accident
  • To assess your needs in relation to the workplace environment
  • To provide suitable food and drink at corporate events

By providing any sensitive personal data, you explicitly agree that we may collect it and use it to provide services to you.


Information we collect from other sources

Information collectedWhen the information is collected
Personal details
(References, security checks)
When you join AiM
To allow you to work for Government agencies


We may receive information about you from other sources, including third parties that help us: update, expand, and analyse our records; or prevent or detect fraud.  Information collected in this way will include:


Information we may collect automatically

We may receive information about you from social media platforms including but not limited to when you interact with us on those platforms or access our social media content.


Information collectedWhen the information is collected
Social media platforms
(Facebook, Twitter, LinkedIn, Google+, YouTube)
When you interact with us on these platforms
When you access our social media content
AiM website
(Google Analytics)
When you access our site
When you navigate pages on our site

We analyse statistics, sales, traffic patterns and related site information. However, we will not pass any personal information on to third parties without your consent.

The information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them.


We may use the information we collect

We can only use your personal data if we have a legal reason for doing so. According to the law, we can only use your data for one or more of these reasons:

  • When you consent to it, or
  • To fulfil a contract we have with you, or
  • If we have a legal duty to use your data for a particular reason, or
  • When it is in our legitimate interests.

Legitimate interests are our business or commercial reasons for using your data.  When we use legitimate interests, we conduct a three-step test to determine if it is reasonable and does not put our interests above what is best for you.  The test considers i) the purpose of processing; ii) the necessity of the processing; and iii) the balance between AiM’s interest and your rights and freedoms.

In the table below, we have set out the different ways in which we use your personal data and the reasons we rely on for using that data.

If we rely on our legitimate interests for using your personal data, we will explain that to you.


What we use personal data forLegal grounds for using itOur legitimate interest
To respond to your enquiriesFulfilling contracts
To evaluate, recruit and hire personnelFulfilling contracts
As we believe reasonably necessary or appropriate to: comply with our legal obligations; respond to legal process or requests for information issued by government authorities or other third parties; or to protect your, our or others’ rightsLegitimate interestsBeing efficient about how we fulfil our contracts, provide our services and fulfil our legal duties

How long do we keep your data

We keep your data only for as long as we need it.  How long we need data depends on what we are using it for, whether that is for recruitment purposes, for our own legitimate interests (described above) or so that we can comply with the law.

We will actively review the information we hold and when there is no longer a customer, legal or business need for us to hold it, we will either delete it securely or in some cases anonymise it.


How we may share the information we collect

Our offices will share information with each other for recruitment purposes.

We do not sell, rent, or otherwise share information that reasonably identifies you with unaffiliated entities for their independent use except as expressly described in this Privacy Policy or with your prior permission. We may share information that does not reasonably identify you as permitted by applicable law.


We may also disclose information we collect

To our third-party service providers that perform services on our behalf; and

To law enforcement, other government authorities, or third parties as required by the laws that may apply to us; as provided for under contract; or as we deem reasonably necessary to provide our services.  In these circumstances, we take reasonable efforts to notify you before we disclose information that may reasonably identify you, unless prior notice is prohibited by applicable law or is not possible or reasonable in the circumstances.


Individual rights

As a data subject, individuals have a number of rights in relation to their personal data.



The right to be properly informed about AiM’s activities in relation to personal data, and for this information to be provided in a clear, concise, transparent, intelligible and easily accessible form.


Subject access requests

Individuals have the right to make a subject access request, i.e. a request for the data AiM holds about that individual. If an individual makes a subject access request, the organisation will tell him/her:

  • Whether or not his/her data is processed and if so why, plus the categories of personal data concerned, and the source of the data if it is not collected from the individual
  • To whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers
  • For how long his/her personal data is stored (or how that period is decided)
  • His/her rights to rectification or erasure of data, or to restrict or object to processing
  • His/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights
  • Whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.

We will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless the applicant agrees otherwise.

If the individual wants additional copies, the organisation will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.

To make a subject access request, the individual should send the request to In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify his/her identity and the documents it requires.

We will normally respond to a request within a period of one month from the date it is received. The organisation will write to the individual within one month of receiving the original request to tell him/her if this is the case.

If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it.

Other rights

Individuals have a number of other rights in relation to their personal data. They can require us to:

  • Rectify inaccurate data
  • Stop processing or erase data that is no longer necessary for the purposes of processing
  • Stop processing or erase data if the individual’s interests override the organisation’s legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data)
  • Stop processing or erase data if processing is unlawful
  • Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the organisation’s legitimate grounds for processing data
  • Provide data to a data subject in a structured, commonly used, machine readable format, or to have that data transmitted to another controller where that data was provided to the data controller, and the lawful basis for processing is consent or the performance of a contract
  • The right to not be subject to automated decision making. In this case the individual has the right to request manual intervention in the decision-making process

To ask us to take any of these steps, the individual should send the request to


Data Security

We take the security of personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.


Please refer to Information Security Policy and ISO 27001:2013.

Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Cookie Policy

By using Our Site you may also receive certain third-party Cookies on your computer or device.  Third party Cookies are those placed by websites, services, and/or parties other than Us. Third party Cookies are used on Our Site to better provide a targeted experience for the user. For more details, please refer to the section detailing how we use your data, above, and to the table below. These Cookies are not integral to the functioning of Our Site and your use and experience of Our Site will not be impaired by refusing consent to them.

All Cookies used by and on Our Site are used in accordance with current Cookie Law.


The following first party Cookies may be placed on your computer or device:


Name of CookiePurposeStrictly Necessary
_GAGoogle Analytics uses the Cookie to identify users. It has an expiration time of 2 yearsNo
_GIDGoogle Analytics uses the Cookie to identify users. It has an expiration time of 24 hoursNo
_GATGoogle Analytics uses the Cookie to throttle the request rate. It has an expiration of 1 minute No

In addition to the controls that we provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.

You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, login and personalisation settings.

It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.

Data breaches

If the organisation discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The organisation will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.


Individual responsibilities

Individuals are responsible for helping us keep their personal data up to date. Individuals should let the organisation know if data provided changes, for example if details relating to a job application have changed.

Individuals may have access to the personal data of other individuals in the course of their employment, for example curriculum vitae’s and interview notes. Where this is the case, AiM relies on individuals to help meet its data protection obligations to employees and to customers and clients.

Individuals who have access to personal data are required:

  • To access only data that they have authority to access and only for authorised purposes
  • Not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation
  • To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction)
  • Not to remove personal data, or devices containing or that can be used to access personal data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device
  • Not to store personal data on local drives or on personal devices that are used for work purposes

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under AiM’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.


The organisation will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Changes to our Privacy Policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Policy.


If you have any complaints concerning AiM’s processing of your personal data please email us at or write to us at Data Protection, AiM Limited, Unit 38, The Base, Dartford Business Park, Dartford, Kent, DA1 5FS.

Please note that you have the right to lodge a complaint with the Information Commissioner’s Office by telephone on 0303 123 1113, or by using the live chat service which is available through the Information Commissioner’s website

Contact Us

You can email us at