Terms and conditions

Privacy Policy

TBT Recruitment Ltd is committed to protecting and respecting your privacy. For the purposes of the General Data Protection Regulations (GDPR) and any subsequent UK legislation covering data protection, the Data Controller, and in some instances the Data Processor, is TBT Recruitment Ltd.

This Policy sets out why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.

This Policy covers TBT Recruitment Ltd in relation to the collection and use of the information you give us. We may change this Policy from time to time. If we make any significant changes we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.

If you have any questions about this Policy or concerning your personal information, please contact the Human Resources team at [email protected] or by post to Human Resources, TBT Recruitment, K1 The Courtyard, Jenson Avenue, Commerce Park, Frome, Somerset, BA11 2FG.

What type of personal information we collect

The type and amount of information we collect depends on why you are providing it.

The information we collect when you make an enquiry includes:-

•        First name

•        Last name

•        Job title

•        Gender

•        Preferred pronoun

•        Date of birth

•        Email address for marketing and contact purposes

•        Address (including billing address)

•        Postcode

•        Geo-location data (your geographical location based on your IP address)

•        Nature of enquiry

•        Feedback of services provided

•        Billing details (banking/credit card details, billing address, billing contact if appropriate)

If you are a job applicant, the information you are asked to provide is as set out in the application and necessary for the purposes of our considering the application.

How we collect information

We may collect information from you whenever you contact us or have any involvement with us for example when you:

Where we collect information from

We collect information:

How we use your information

We will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:

Use of Aggregated Data

Where Data can be aggregated (and anonymised), we may use this for research purposes without restriction.

For example, we may monitor customer traffic patterns, Site and Services usage and related information in order to optimise users’ usage of the Site and Services and we may give aggregated statistics to a reputable third-party.

We are entitled to do this because the resulting data will not personally identify you and will therefore no longer constitute personal data for the purposes of data protection laws.

 Our legal basis for processing your information

The use of your information for the purposes set out above is lawful because one or more of the following applies:

If you want to contact us about your marketing preferences please contact [email protected] or call on 01373 469220.

How we keep your information safe

We understand the importance of keeping your personal information secure and take appropriate steps to safeguard it. It is listed below:

We always ensure only authorised persons have access to your information, which means only our employees, contractors and relevant suppliers, and that everyone who has access is appropriately trained to manage your information.

No data transmission over the internet can be guaranteed to be completely secure. So, whilst we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.

Who has access to your information?

Owing to matters such as financial or technical considerations, the information you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as apply in the UK. For example – a business event maybe planned to take place outside of the EEA region and we would use local suppliers to that area who store their data securely outside of the EEA. We meet our obligations under GDPR by ensuring that the information has equivalent protection as if it were being held within the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefits from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a data processing agreement which contains model EU clauses.

We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.

Other than this, we will not share your information with other organisations without your consent.

Keeping your information up to date

Please would you let us know if your contact details change. You can do so by contacting us at [email protected].


In addition to the information which you supply to us, information and data may be automatically collected through the use of cookies. Cookies are small text files employed on the Site to recognise repeat users and allow us to observe behaviour and compile aggregate data in order to improve the Site for you. For example, cookies will tell us whether you viewed the Site with sound or with text on your last visit. Cookies also allow us to count the number of unique and return visitors to our Site.  Some of our associated companies may themselves use cookies on their own websites. We have no access to, or control of these cookies, should this occur.

Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie consists of a text file sent by a web server to a web browser, which will be stored by the browser and will remain valid until its set expiry date (unless deleted by the user before the expiry date). A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

The law states that we can store cookies on your machine if they are essential to the operation of the Site, but that for all others we need your permission to do so.

The list below explains the cookies we use and why:

Name Cookies description Retention Period
Cloudflare session cookie Name: __cfduid Used by Cloudflare to provide user-specific security settings. It doesn’t store any personally identifiable information. More info  One year 
Google Analytics Timout cookie   Name:_gat_UA-########-# Used by Google Analytics to limit the amount of requests made to the Doubleclick platform. Doesn’t store any personally identifiable information. More info    One minute
Accept website cookies cookie   Used to check if user has accepted cookies notice. Doesn’t store any personally identifiable information.   One year

Opting out of cookies

If you do not wish to receive cookies from us or any other website, you should be able to turn cookies off on your web browser: please follow your browser provider’s instruction in order to do so.  Unfortunately, we cannot accept liability for any malfunctioning of your PC or its installed web browser as a result of any attempt to turn off cookies.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.

How long we keep your information for

We will hold your personal information for as long as it is necessary for the relevant activity. Please see our Records Retention Policy HERE.

Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be for two years. We may periodically ask you to renew your consent.

If you ask us to stop contacting you with marketing materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.

Your rights

You have the right to request details of the processing activities that we carry out with your personal information through making a subject access request.  Such requests have to be made in writing. More details about how to make a request, and the procedure to be followed, can be found in our Data Protection Policy. To make a request, please contact us at [email protected].

You also have the following rights:

All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy.  To exercise any of these rights, you should contact Human Resources at the above address.

If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office.  Further details about how to complain can be found HERE.

Surveys and user groups

We always aim to improve the services we offer. As a result, we occasionally canvass our customers using surveys (where the customer has opted in for this). Participation in surveys is voluntary, and you are under no obligation to reply to any survey you might receive from us. Should you choose to do so, we will treat the information you provide with the same high standard of care as all other customer information.


Your participation on our Site may mean that we occasionally contact you with the opportunity to enter competitions (where you have opted in to receive information about competitions). Entry to competitions is voluntary, and you are under no obligation to take up an invitation from us to enter. Should you choose to enter a competition, we will treat the information you provide with the same high standard of care as all other customer information, and use the information provided strictly within the entry terms of the competition and this Privacy Policy.

Changes to this Privacy Policy

This Policy may be changed from time to time. If we make any significant changes we will advertise this on our website or contact you directly with the information.  We recommend that you read this Privacy Policy each time you consider giving your personal information to us.

Retention Policy

  1. Introduction
  1. The main aim of this policy is to enable us to manage our records effectively and in compliance with data protection and other regulation. As an organisation we collect, hold, store and create significant amounts of data and information and this policy provides a framework of retention and disposal of categories of information and documents.
  1. We are committed to the principles of data protection including the principle that information is only to be retained for as long as necessary for the purpose concerned.
  1. The table below sets out the main categories of information that we hold, the length of time that we intend to hold them, and the reason for this. 
  1. Please note that the Appendix sets out the legal requirements for certain categories of document.  Where we have decided to keep information longer than the statutory requirement, this has been explained in the table at Section 2.
  1. Section 3 of this policy sets out the destruction procedure for documents at the end of their retention period.  Human Resources shall be responsible for ensuring that this is carried out appropriately, and any questions regarding this policy should be referred to them.
  1. If a document or information is reaching the end of its stated retention period, but you are of the view that it should be kept longer, please refer to Human Resources, who will make a decision as to whether it should be kept, for how long, and note the new time limit and reasons for extension. 

Document Retention Period

Document type Legislation/reasons for retention Requirement
Corporate/constitutional records    
Company Articles of Association, Rules/bylaws Companies Act 2006   Permanent
Director minutes of meetings and written resolutions, Dividend certificates Companies Act 2006   Recommended at least ten years
Shareholders’ meetings etc. Minutes/resolutions Companies Act 2006   Recommended at least ten years
Documents of clear historical/archival significance General Data Protection Regulation (GDPR) Permanent if relevant GDPR provisions are met
Contracts e.g. service, agreements, confidentiality and non-disclosure agreements Limitation Act 1980 Length of contract term plus six years
Contracts executed as deeds Limitation Act 1980 Length of contract term plus twelve years
Intellectual property records and legal files re provision of service Limitation Act 1980 Recommended: Life of service provision or IP plus six years
Tax and Finance    
Annual accounts and review (including transferred records on amalgamation) Companies Act 2006   Minimum six years Recommended: permanent record
Tax and accounting records Finance Act 1998 Taxes Management Act 1970 Six years from end of relevant tax year
Information relevant for VAT purposes Finance Act 1998 and HMRC Notice 700/21 Minimum six years from end of relevant period
Banking records/receipts book/sales ledger/purchase ledger Companies Act 2006   Six years from transaction
Payroll/Employee/Income Tax and NI records: P45; P6; PIID; P60 etc Taxes Management Act 1970 /IT (PAYE) Regulations Six years from end of current year
Maternity pay Statutory Maternity Pay Regulations Three years after the end of the tax year
Sick pay Statutory Sick Pay (General) Regulations Three years after the end of the tax year
National Minimum wage records National Minimum Wage Act Three years after the end of the tax year
Foreign national ID documents Immigration (Restrictions on Employment) Order 2007 Minimum two years from end of employment
HR files and training records Limitation Act 1970 and Data Protection regulation Maximum six years from end of employment
Records re working time Working Time Regulations 1998 as amended Two years
Job applications (CVs and related materials re unsuccessful applicants) ICO Employment Practices Code Twelve months from your notification of outcome of application
Employer’s Liability Insurance Employers’ Liability (Compulsory Insurance Regulation) 1998 Forty years
Group Life Assurance Commercial Three years after lapse
Policies Commercial Three years after lapse
Claims correspondence Commercial Three years after settlement
Health & Safety/Medical    
General records Limitation Act 1970 Minimum three years
Records re work with hazardous substances Control of Hazardous Substances to Health Regulations 2002 Up to forty years. Recommended: permanent
Accident books/records and reports Reporting of Injuries Diseases and Dangerous Occurrences Regulations 1995 Three years after last entry or end of investigation
Original title deeds   Permanent/to disposal of property
Leases Limitation Act 1980 Twelve years after lease has expired
Building records, plans, consents and certification and warranties etc Limitation Act 1980 Six years after disposal or permanent if of historical/archival interest. Carry out review re longer retention e.g. if possible actions against contractors
Pension Records For all categories see:   Detailed Guidance for Employers: (April 2017)   http://www.thepensionsregulator.gov.uk    
Records about employees and workers  
Records re the Scheme  
Records re active members and opt in/opt out  
Trust Deed/Rules and HMRC approvals  
Trustees’ Minutes and annual accounts  
Policies including investment policies  
Client Related Documents    
Documentation & emails related to work completed on the behalf of client For future reference  Company policy is 2-years

Confidential waste

Other documentation

Automatic deletion

Individual responsibility

Data Protection

    1. TBT Recruitment Ltd, (“we/us”) is the Data Controller, and in some instances, we are the Data Processor, for the purposes of the EU General Data Protection Regulation and the Data Protection Act 2018.
    2. We collect and use certain types of personal information about the following categories of individuals:
      1. employees;
      2. shareholders;
      3. service users;
      4. clients;
      5. client’s business partners & distributors
      6. directors and other officers;
      7. suppliers;

and other individuals who come into contact with us.

  1. We will process this personal information in the following ways:
    1. Refer to Appendix 1
    2. to comply with statutory and contractual obligations relating to employment;
    3. to comply with statutory and other legal obligations relating to safeguarding, of any individual at TBT Recruitment Limited that comes into contact with children as part of his or her duties.
    4. This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the EU General Data Protection Regulation (GDPR) and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.

Exemptions to Access by Data Subjects

Where a claim to legal professional privilege could be maintained in legal proceedings, the information is likely to be exempt from disclosure unless the privilege is waived.

     Right to object to processing

Right to rectification

Right to erasure

Right to restrict processing

     Right to portability

If an individual wants to send his or her personal data to another organisation, he or she has a right to request that you provide his/her information in a structured, commonly used, and machine-readable format.  If a request for this is made, it should be forwarded to Human Resources within two working days of receipt, and Human Resources will review and revert as necessary.

If anyone has any concerns or questions in relation to this policy they should contact Human Resources.


What personal information we might need and why

We may use/process this information to:


Data Breach Incident Response Plan

The flow of actions following a Data Breach is classified in four main phases, following the guidelines of the Information Commissioner’s Office (ICO):

  1. Containment and recovery
  2. Assessment of ongoing risk
  3. Notification of breach
  4. Evaluation and response

1. Containment and recovery

2. Assessing the risks

3. Notification of breaches

4. Evaluation and response


Outline Procedure for Data Breach Incidents

1. Investigation

Once a breach has been reported the following actions must be followed by Human Resources, as soon as possible:

  1. Create an entry in the Incident Log using the information provided by the Reporter
  2. Create a folder under Data Breaches in the T-Drive
  3. Start an investigation report and save it in this folder together with any emails/documents relating to the breach
  4. Prepare report for Breach Review meeting if required
  5. If required, notification to the ICO must take place
  6. An initial report for the ICO should also be prepared
  7. Consideration must be given to notifying the individual(s) affected by the breach.  Factors to be considered include:
  8. Sensitivity of Information
  9. Volume of Information
  10. Likelihood of unauthorised use
  11. Impact on individual(s)
  12. Feasibility of contacting individual(s)
  13. Any notification must be agreed by stakeholders connected with the breach, including Legal TBT Recruitment Directors
  14. Begin investigation and complete report as soon as possible

2. Recommendations

Regardless of the type and severity of incidents, there will always be recommendations to be made even if it is only to reinforce existing procedures.  There are two categories of recommendation that can be made:

All recommendations will be assigned an owner and have a timescale by when they should be implemented which has a dual purpose.  The first is to ensure that the organisation puts in place whatever measures have been identified and that there is an individual that can report back on progress.  The second is that where incidents are reported to the ICO, TBT Recruitment can demonstrate that the measures have either put in place or that there is a documented plan to do so.

This is a recurrent theme of ICO enforcement and it’s important that the organisation’s procedures reflect this.  Identifying recommendations is more than just damage control – the knowledge of what has happened together with the impact is a fundamental part of learning which can then be disseminated throughout the organisation.

Accreditation logos Accreditation logos Accreditation logos Accreditation logos Accreditation logos Accreditation logos