Cielo Costa is fully committed to complying with the requirements of the General Data Protection Regulation (GDPR), which is effective in the UK from 25 May 2018. The wording in this policy reflects the requirements under this legislation and sets out our commitment to data protection, individual rights and obligations in relation to personal data. We commit to being transparent about how we collect and use the personal data of the workforce and candidates (job applicants), and to meeting our data protection obligations.

This policy applies to the personal data of job applicants, employees, contractors, interns (voluntary and allowance paid), apprentices, volunteers and former employees. The data is referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.

We have appointed Sophie Anthony as the person responsible for data protection compliance within Cielo Costa. Sophie can be contacted at Sophie.anthony@call-hr.com. Questions about this policy, or requests for further information, should be directed to Sophie.


"Personal data" is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data Protection Principles

Cielo Costa regards the lawful and correct treatment of HR-related personal data as being of the utmost importance in its operations. As such, we fully endorse and adhere to processing HR-related personal data in accordance with the following data protection principles, which require that personal data:

  • Shall be processed lawfully, fairly and in a transparent manner
  • Shall be obtained only for specific, explicit and legitimate purposes
  • Shall be processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing
  • Shall be kept accurate, with all reasonable steps taken to ensure that inaccurate personal data is rectified or deleted without delay
  • Shall be kept only for the time period necessary for processing
  • Shall be kept securely, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage

In accordance with requirements under the General Data Protection Regulation (GDPR) we will refer to our privacy notice for HR-related personal data. The privacy notice is a document detailing the types of employee data that we process and the reason for processing the data.

We will inform individuals of the reasons for processing their personal data, how the data is used and the legal basis for processing, which is outlined in our privacy notice. Under no circumstances will we process personal data of individuals for reasons other than those outlined in our privacy notice. In circumstances where we rely on our legitimate interests as the basis for processing data, an assessment will be carried out to ensure that those interests are not overridden by the rights and freedoms of individuals.

We may process special categories of data and criminal records data in order to perform obligations or to exercise rights in employment law. Special categories of data relate to an employee’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data. Where we process special categories of data, we will always obtain your explicit consent to those activities unless this is not required by law or the information is required to protect your health in an emergency. Where we are processing data based on your consent, you have the right to withdraw that consent at any time.

We commit to updating personal data promptly when advised by an individual that information is inaccurate or that changes are required to be made.

Personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship or internship, is held in the individual's personnel file (in hard copy or electronic format, or both), and on the HR system. The periods for which we hold HR-related personal data are contained in our privacy notices to individuals and in our retention policy.

Cielo Costa records all processing activities in relation to personal data. This is carried out in accordance with the requirements of the General Data Protection Regulation (GDPR).

Employee rights

Individuals, also referred to as data subjects, have the freedom to exercise several rights in relation to their personal data. Data subjects can request that we:

  • Rectify inaccurate data
  • Stop processing or erase data that is no longer necessary for the purposes of processing
  • Stop processing or erase data if the individual's interests override our legitimate grounds for processing data
  • Stop processing or erase data if processing is unlawful
  • Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override our legitimate grounds for processing data.

To instruct us to take any of the above steps, individuals are required to send all requests to Sophie.anthony@call-hr.com.

Data Subject Access Requests

Individuals have the right to make a subject access request. Where a subject access request is made we will inform the individual of the following:


  • Whether their data is processed, the reason why it has been processed and the categories of personal data concerned. In situations where data has not been collected from the individual, the source of the data will also be identified
  • Whom the data is or may be disclosed to, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers
  • How long their personal data is expected to be stored for, or the criteria used to determine how long. This is supported by our retention policy
  • Their rights in relation to data, including rectification or erasure. Individuals are also able to restrict or object to their data being processed
  • Their right to raise a complaint with the Information Commissioner (ICO) where they feel we have failed to comply with their data protection rights
  • Details of any automated decision making or profiling and, where used, the logic involved.

Where a subject access request is made we will provide the individual with a copy of the personal data undergoing processing. Individuals are eligible to receive copies of data only and not the original document. If a request is made electronically, data will then be provided in electronic format. Should additional copies be required we will charge a fee of £10, in order to cover administrative costs for the additional copies.

To make a subject access request, the individual should send the request to sophie.anthony@call-hr.com or use the organisation’s subject access request form, which can be found on the HR System.

It may be necessary in some cases for us to request proof of identification before subject access requests are able to be processed. Where identification is required we will inform individuals of the documents that are required.

We commit to responding to requests within a period of one month from the date on which they are received. In more complex cases it may be necessary to extend the response time by a further two months, giving three months in total. We will write to the individual within one month of receiving the original request to confirm if this is the case.

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If an individual submits a request that is unfounded or excessive, we will notify the individual that this is the case and whether or not we will respond to it.

Data security

Cielo Costa takes the security of HR-related personal data seriously. There are internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. Further details can be found in the use of technology and monitoring data policy.  

Where we engage third parties to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Privacy Impact Assessments (PIA)

Some of the processing that we carry out may result in risks to privacy. Where processing would result in a high risk to individuals' rights and freedoms, we will carry out a data privacy impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data breaches

In the event of a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, we will report this to the Information Commissioner within 72 hours of discovery. All data breaches will be recorded regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.

International data transfers

Under no circumstances will we transfer HR-related personal data to any countries outside of the EEA.

Individual responsibilities

It is the responsibility of the individual to ensure we keep their personal data up to date. In any event where data provided to us changes, individuals should let us know at the earliest opportunity.

We may require certain individuals to have access to the personal data of others (and of customers and clients) during the course of the employment/contract. In these instances we rely on individuals to conform to data protection obligations to staff (and customers and clients).

Those individuals who have access to personal data are required to do the following:

  • Only access data that they have authority to access and only for purposes authorised by Cielo Costa;
  • Not disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
  • Keep data secure by complying with access rules, inclusive of access to premises, computer access, password protection, and secure file storage and destruction;
  • Never remove personal data, or devices containing or that can be used to access personal data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
  • Not store personal data on local drives or on personal devices that are used for work purposes; and
  • Report data breaches of which they become aware to Sophie Anthony immediately.

Further details about the organisation's security procedures can be found in the use of technology and monitoring data policy.

Failure to observe these requirements may result in disciplinary action being taken. This will be dealt with under our disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.


Cielo Costa has a duty to ensure all individuals receive appropriate training around their data protection responsibilities. This will be carried out as part of the induction process and where necessary updates will be provided.

Those individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.


Should you require this policy to be sent to you via email or in paper format, please contact Sophie.anthony@call-hr.com.