Needle in a Haystack

Needle in a Haystack Ltd General Data Protection Regulation

Data protection policy

Context and overview

Key details

Policy prepared by: Needle in a Haystack Ltd
Approved by board / management on: 12/02/2024
Policy became operational on: 12/02/2024
Next review date: 12/02/2025


This Privacy Policy is here to explain what we do with your personal data and will describe how we collect and process your personal data in order to help you find a job. In doing so we will comply with the legal obligations that apply to you.

We put your privacy first and have a responsibility to protect all your data privacy rights.

Please note that we may adjust this policy at any time in order to stay compliant under this new regulation.

Why this policy exists

This data protection policy ensures Needle in a Haystack Ltd:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, clients, candidates and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Data protection law

The General Data Protection Regulation describes how organisations — including Needle in a Haystack Ltd — must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or any other method.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

This new regulation is underpinned by eight important principles. These say that personal data must:

  1. Be processed fairly and lawfully
  2. Be obtained only for specific, lawful purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and kept up to date
  5. Not be held for any longer than necessary
  6. Be processed in accordance with the rights of data subjects
  7. Be protected in appropriate ways
  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

People, risks and responsibilities

Policy scope

This policy applies to:

  • The head office of Needle in a Haystack Ltd
  • All branches of Needle in a Haystack Ltd
  • All staff and volunteers of Needle in a Haystack Ltd
  • All contractors, suppliers and other people working on behalf of Needle in a Haystack Ltd

What data we will collect

For our legitimate business purposes, we may need to collect some or all of the following data:

  • Name
  • Age/Date of birth
  • Address
  • Telephone numbers
  • Email address
  • Sex/Gender
  • Education details
  • Employment History
  • Referee details
  • Information on your interests regarding any future employment
  • Any extra information that you are willing to give us regarding finding you suitable employment

How we will collect your data

At Needle in a Haystack Ltd, there are two primary ways in which we will collect your data:

1) The personal data that you, the candidate, have given to us;

We will need certain information in order to provide you with a tailored service that gives you the best opportunities.

You may provide us with your personal data in whichever way best suits you. Options include:

  • Filling out your details on our website via the application form as part of the registration process
  • Giving us a hard copy of your CV
  • Applying through a job aggregator that redirects you to our website
  • Emailing over your CV to us

2) The personal data that we receive from other sources;

These may include:

  • Your referees
  • Our clients
  • Third party sources e.g. job sites
  • Through our referral scheme

Please note that any personal data that you give will not be given/sold to any unauthorised third parties.

How we will use your data

As Needle in a Haystack Ltd is a recruitment agency, we will use your information only for what is necessary – matching the right candidates with the right jobs with our clients. As stated in the EU Directive 95/46/EC (General Data Protection Regulation), Article 6(1)(f), we can process your data when it ‘is necessary for the purposes of the legitimate interests pursued by [Needle in a Haystack Ltd] or by a third party, except where such interests are overridden by the interest or fundamental rights or freedom of [you] which require protection of personal data’. All processing carried out by Needle in a Haystack Ltd has a legitimate interest behind it.

Listed below are the various ways in which we will use and process your data:

  • Obtaining your data from other sources e.g. public profile
  • Storing your details on our databases and updating them when necessary, so that we can contact you in relation to recruitment purposes only
  • Providing you with our recruitment services
  • Qualifying your data against the job vacancies that we think may be ideal for you
  • Sending your information to our clients to assess your eligibility
  • Enabling you to submit your CV
  • Verifying the details that you have provided to us

We will use your personal data for the above purposes if we deem it necessary for our legitimate business interests.

All our recruitment activities involve solely human decision making end to end. Where appropriate to do so, we will seek your consent to carry out such activities and we will continue to manually review opportunities. Your profile will not be automatically considered for alternative roles without your consent.

We are required to obtain your consent for the processing of your data in relation to any recruitment activity that takes place. Article 4(11) of the legislation states that ‘opt-in’ consent is ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. In other words, you have to give the consent freely and know what you are consenting to (we will make sure we will give you enough information) without feeling any pressure to do so.

There will be a tick box for you to check to indicate that you give us your consent. Ticking it gives us your consent in a clear and unambiguous fashion. We will keep all records of consent.

At any point during any of these processes, you have the right to withdraw consent, in which case we must erase all your personal data (also known as the Right to Erasure). This means that we must remove all the personal data that you have provided to us from our database.

We will also remove your personal data from our database if it is no longer needed for the purpose for which it was originally collected or processed. In addition, if we can no longer reach you using the data we hold (i.e. silence or inactivity on your part), we will also remove your personal data from our database.

Data protection risks

This policy helps to protect you as an individual and Needle in a Haystack Ltd from data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage.

Everyone who works for or with Needle in a Haystack Ltd has a responsibility for ensuring data is collected, stored and handled appropriately.

Each member of our team that handles personal data will ensure all personal data is handled and processed in line with this policy and data protection principles.

Below are the key areas of responsibility:

  • Everyone in the company, either working directly or indirectly, is ultimately responsible for ensuring that Needle in a Haystack Ltd meets its legal obligations.
    • Everyone will be updated about data protection responsibilities, risks and issues.
    • Reviews of all data protection procedures and related policies will be carried out regularly.
    • Data protection training and advice will be provided so that everyone knows how to handle personal data.
    • Dealing with requests from individuals to see the data Needle in a Haystack Ltd holds about them (also called ‘subject access requests’).
    • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
    • Ensuring all systems, services and equipment used for storing data meet the regulation guidelines.
    • Performing regular checks and scans to ensure security hardware and software is functioning properly.
    • Evaluating any third-party services the company is considering using to store or process data.
    • Approving any data protection statements attached to communications such as emails and letters.
    • Addressing any data protection queries from any media outlets.
    • Where necessary, working with other staff to ensure marketing initiatives abide by GDPR principles.

General staff guidelines

  • Only authorised members of staff who need personal data for their work will have access to it.
  • Data will not be shared informally. Access to confidential information will be granted only as and when it is needed.
  • All employees will have thorough training to help them understand their responsibilities for handling such data.
  • Employees must therefore request help if they are unsure about any aspect of data protection.
  • Our employees will keep all data secure by taking sensible precautions and following the legal guidelines.
  • Every piece of personal data that we store will be protected by strong passwords that will never be shared with anyone internally or externally.
  • Data will be regularly reviewed and updated if it is found to be out of date. If no longer required, it will be deleted and disposed of.

Data storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.

When data is stored electronically, it will be protected at all times from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data will be protected by strong passwords that are changed regularly and never shared between employees.
  • The data that is needed will only be stored on designated drives and servers, and should only be uploaded to an approved service.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Personal data kept will be updated regularly.
  • Personal data will never be saved directly to devices that can be accessed by unauthorised persons.
  • All servers and computers containing personal data will be protected by approved security software and a firewall.

Data use

When personal data has been given to Needle in a Haystack Ltd, it is our responsibility to safeguard this information when using it for legitimate business interests.

  • Personal data will not be shared informally or without consent.
  • Data is to be encrypted before being transferred electronically.
  • The personal data that we hold will never be transferred outside of the European Economic Area.
  • Employees should not save copies of personal data to their own computers. Personal data will only be accessible and updated through our centralised data storage.
  • Personal data will not be shared with third parties.

Data accuracy

The law requires Needle in a Haystack Ltd to take reasonable steps to ensure data is kept up to date.

The more important it is that the personal data is accurate, the greater the effort Needle in a Haystack Ltd should put into ensuring its accuracy.

It is the responsibility of all employees who work with personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary.
  • Staff will not create any unnecessary additional data sets as all data held will be stored centrally in a database.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • Needle in a Haystack Ltd will make it easy for data subjects to update the information Needle in a Haystack Ltd holds about them.
  • Data should be updated as inaccuracies are discovered. For instance, when a candidate can no longer be reached on their stored telephone number, it will be removed from the database.

Subject access requests

All individuals who are the subject of personal data held by Needle in a Haystack Ltd are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If any individual contacts the company requesting this information, this is called a subject access request. Under the regulation, we are then obliged to tell you what personal data we hold about you on our database.

Subject access requests from individuals should be made by email, addressed to the data controller at You will then be given a standard request form, although individuals do not have to use this.

We will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Needle in a Haystack Ltd will disclose the requested data. However, we will ensure the request is legitimate, seeking assistance from the company’s legal advisers where necessary.

Providing information

Needle in a Haystack Ltd aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

Please contact us for any further enquiries about our privacy policy. Needle in a Haystack Ltd will be able to provide you with more information by contacting us at - all enquiries will receive a reply within 72 hours.