Privacy Policy

Document Control

Field | Detail
Document Title | Privacy Policy
Organisation | Orizon Group Ltd
Company Number | 17060906
ICO Registration Number | ZC115994
Document Owner | Abid Rudro, Chief Executive Officer
Classification | Confidential – External
Effective Date | April 2026
Review Date | April 2027
Version | 1.0

Definitions and Interpretation

In this Privacy Policy, the following terms have the meanings set out below unless the context requires otherwise:

Term | Definition
Candidate | Any individual who registers with Orizon, submits a CV or application, or is otherwise considered for work opportunities
Worker | Any individual engaged by Orizon as a temporary worker, contract-based worker, trial-to-contract worker, or managed on-site workforce member, who remains on Orizon’s payroll
Client | A business or organisation to which Orizon supplies workers under a commercial agreement
Data Controller | The entity that determines the purposes and means of processing personal data — in this case, Orizon Group Ltd
Data Processor | A third party that processes personal data on behalf of Orizon under documented instructions
Personal Data | Any information relating to an identified or identifiable living individual, as defined by Article 4(1) of the UK GDPR
Special Category Data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation (Article 9, UK GDPR)
Processing | Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction
UK GDPR | The United Kingdom General Data Protection Regulation, as incorporated into UK law by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
DPA 2018 | The Data Protection Act 2018
PECR | The Privacy and Electronic Communications (EC Directive) Regulations 2003
ICO | The Information Commissioner’s Office, the UK’s independent supervisory authority for data protection
DPIA | Data Protection Impact Assessment, a process for evaluating the impact of proposed processing activities on the protection of personal data

1. Introduction

Orizon Group Ltd (“Orizon”, “we”, “our”, or “us”) is committed to protecting the privacy, confidentiality, and security of personal data.

We are an employment business registered in England and Wales (Company Number: 17060906) providing business-to-business workforce solutions across the United Kingdom. We supply temporary, contract-based, trial-to-contract, and managed on-site workers to our business clients. All workers engaged through Orizon remain on our payroll for the duration of their assignment or contract.

Our operations span four core sectors:
  • Hospitality: Flexible Temporary Staffing, Emergency and Last-Minute Cover, and Seasonal Peak Solutions
  • Hotels and Venues: Flexible Temporary Staffing, Contract-Based Workers, Emergency and Last-Minute Cover, and Managed On-Site Workforce
  • Warehousing and Logistics: Flexible Temporary Staffing, Contract-Based Workers, Seasonal Peak Solutions, and Managed On-Site Workforce
  • Retail: Flexible Temporary Staffing, Seasonal Peak Solutions, Trial-to-Contract, and Managed On-Site Workforce

This Privacy Policy explains how we collect, use, store, share, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and all other applicable data protection legislation.

This policy applies to:
  • Candidates who register with us or express interest in work opportunities
  • Workers on our payroll, whether on temporary assignments, fixed-term or rolling contracts, trial-to-contract arrangements, or managed on-site workforce programmes
  • Client representatives and contacts at the businesses we serve
  • Suppliers, subcontractors, and their personnel
  • Visitors to our website (www.orizongroup.co.uk or successor domains)
  • Visitors to our physical premises

2. Data Controller and ICO Registration

Orizon Group Ltd is the data controller responsible for the personal data described in this policy. As data controller, we determine the purposes and means by which your personal data is processed.

We are registered with the Information Commissioner’s Office (ICO) as a data controller.

  • ICO Registration Number: ZC115994
  • Data Protection Lead: Abid Rudro, Chief Executive Officer
  • Email: privacy@orizongroup.co.uk
  • Postal Address: 42 Shirley Gardens, Barking, IG11 9UZ
  • Telephone: 07884889196

If you have any questions about this policy, your personal data, or wish to exercise any of your data protection rights, please contact us using the details above.

3. Personal Data We Collect

3.1 Candidates, Temporary Workers, and Contract-Based Workers

We collect and process the following categories of personal data from individuals who register with us, are placed on temporary assignments, enter into contract-based or trial-to-contract engagements, or are deployed through our managed on-site workforce programmes:

  • Identity Data: full name, title, date of birth, gender, nationality, and photographs for identification and security badge purposes
  • Contact Data: home address, personal email address, telephone number(s), and emergency contact or next-of-kin details
  • Financial Data: bank account and sort code details, National Insurance number, tax code, student loan status, and pension information, collected solely for the purposes of payroll administration
  • Employment Data: complete employment history, educational qualifications, professional certifications, licences, skills profile, and references from previous employers or professional referees
  • Recruitment Data: curriculum vitae, application forms, covering letters, interview and assessment notes, test results, and all correspondence generated during the recruitment process
  • Assignment and Contract Data: assignment schedules, contract terms, placement history, client site allocations, engagement type (temporary, contract, trial-to-contract, or managed on-site), start and end dates, contracted hours, and shift patterns
  • Payroll and Benefits Data: salary or hourly rate, overtime records, holiday accrual and usage, statutory payments (SSP, SMP, SPP, ShPP, SAP), pension contributions, and payslip records
  • Performance and Conduct Data: attendance records, timesheets, performance reviews, client feedback, disciplinary records, grievance outcomes, and investigation notes
  • Identification Documents: copies of passport, driving licence, birth certificate, or other government-issued identification used for verification purposes
  • IT and Communications Data: where applicable, work email address, system login records, and access credentials issued by Orizon

3.2 Special Category and Criminal Records Data

In certain circumstances, we process sensitive personal data that is subject to enhanced protection under Article 9 of the UK GDPR and criminal records data under Article 10. This includes:

  • Right to Work Data: passport details, visa documentation, Biometric Residence Permit (BRP) information, Certificate of Sponsorship details, and Home Office online share codes, collected to verify your legal entitlement to work in the United Kingdom as required by the Immigration, Asylum and Nationality Act 2006
  • Criminal Records Data: Disclosure and Barring Service (DBS) check results at Basic, Standard, or Enhanced level, where required by the nature of the role, the client’s regulatory obligations, or sector-specific legislation
  • Health Data: information relating to physical or mental health conditions, disability status, workplace injury records, occupational health reports, and medical fitness assessments, collected where necessary for health and safety compliance, workplace risk assessments, reasonable adjustments under the Equality Act 2010, or the administration of Statutory Sick Pay
  • Equal Opportunities Data: racial or ethnic origin, religious or philosophical belief, sexual orientation, and gender identity, collected on a strictly voluntary and anonymised basis for the sole purpose of equal opportunities monitoring and reporting in compliance with the Equality Act 2010

We process special category data and criminal records data only where we have identified both a lawful basis under Article 6 of the UK GDPR and an additional condition under Articles 9 or 10. We maintain an Appropriate Policy Document as required by Schedule 1 of the Data Protection Act 2018, which is attached as Appendix A to this policy.

3.3 Client Data

  • Full name, job title, department, and role of client representatives and authorised contacts
  • Business email addresses, direct telephone numbers, and office addresses
  • Company name, registered office address, company number, and VAT registration number
  • Contractual and commercial records, including master terms of business, rate schedules, and service level agreements
  • Correspondence and communication records relating to workforce requirements, service delivery, and billing
  • Credit and financial information for the purposes of credit checks and debt recovery, where applicable

3.4 Supplier and Subcontractor Data

Where we engage suppliers or subcontractors, we collect the contact details and business information of their representatives necessary for the administration of our commercial relationship, including names, job titles, email addresses, telephone numbers, and banking details for payment.

3.5 Website Visitor Data

  • Technical data including IP address, browser type and version, operating system, device type, screen resolution, and language settings
  • Usage data including pages visited, time spent on each page, click paths, scroll depth, referring and exit URLs, and file download activity
  • Data submitted through online forms, including contact enquiries, candidate registration, and job application portals
  • Cookie identifiers and data collected through similar tracking technologies (detailed in Section 14)

3.6 CCTV Data

We operate closed-circuit television (CCTV) surveillance at our premises. CCTV systems capture video footage and still images of individuals entering, exiting, or present within monitored areas. Appropriate signage is displayed at all locations where CCTV is in operation, in accordance with the Surveillance Camera Code of Practice.

4. How We Collect Personal Data

4.1 Directly from You

  • Candidate registration or job application forms submitted via our website, by email, or in person
  • CVs, covering letters, and supporting documents submitted during the recruitment process
  • Interviews, induction sessions, skills assessments, and onboarding processes
  • Ongoing correspondence by email, telephone, SMS, WhatsApp, video call, or post
  • Contracts of employment, assignment schedules, and engagement documentation signed by you
  • Timesheets, expense claims, holiday requests, and absence notifications submitted during an assignment or contract
  • Self-service portals or worker apps, where provided

4.2 From Third Parties

  • Referrals from existing candidates, colleagues, or professional contacts
  • Previous employers and professional referees providing employment references
  • Government bodies and verification services for right-to-work checks, DBS checks, and licence verifications
  • HMRC, the Pensions Regulator, and pension providers in connection with payroll and tax administration
  • Our business clients, who may provide attendance data, performance feedback, or incident reports during your assignment or contract
  • Credit reference agencies, where applicable for client credit checks

4.3 From Publicly Available Sources

  • Professional networking platforms such as LinkedIn
  • Publicly accessible registers, directories, and databases
  • Companies House and other public corporate registries

4.4 Automatically

  • Through cookies and similar tracking technologies when you use our website (see Section 14)
  • Through CCTV surveillance systems at our premises
  • Through IT system access logs, where applicable

5. Purposes and Legal Bases for Processing

Under the UK GDPR, every instance of personal data processing must be supported by a lawful basis under Article 6. The following table provides a comprehensive mapping of our processing purposes to their corresponding legal bases.

Purpose | Legal Basis | UK GDPR Article
Assessing candidate suitability for temporary, contract, trial-to-contract, or managed on-site roles | Performance of a contract / pre-contractual steps | Article 6(1)(b)
Matching candidates with client workforce requirements | Performance of a contract | Article 6(1)(b)
Issuing contracts of employment, assignment schedules, and engagement terms | Performance of a contract | Article 6(1)(b)
Managing assignments and contracts: attendance, rotas, timesheets, shift scheduling | Performance of a contract | Article 6(1)(b)
Payroll processing: salary, tax, NI, pension auto-enrolment, payslips, statutory payments | Performance of a contract / Legal obligation | Article 6(1)(b) / 6(1)(c)
Facilitating Trial-to-Contract transitions | Performance of a contract | Article 6(1)(b)
Right-to-work checks (Immigration, Asylum and Nationality Act 2006) | Legal obligation | Article 6(1)(c)
DBS checks (Rehabilitation of Offenders Act 1974; Police Act 1997) | Legal obligation | Article 6(1)(c)
HMRC Real Time Information (RTI) reporting and tax compliance | Legal obligation | Article 6(1)(c)
Working Time Regulations 1998 compliance | Legal obligation | Article 6(1)(c)
Agency Workers Regulations 2010 equal treatment obligations | Legal obligation | Article 6(1)(c)
Conduct of Employment Agencies and Employment Businesses Regulations 2003 | Legal obligation | Article 6(1)(c)
Health and safety record-keeping (H&S at Work Act 1974) | Legal obligation | Article 6(1)(c)
Statutory payments (SSP, SMP, SPP, ShPP, SAP) | Legal obligation | Article 6(1)(c)
Business development, client relationship management | Legitimate interests | Article 6(1)(f)
Improving recruitment processes and service quality | Legitimate interests | Article 6(1)(f)
Internal administration, audit, management reporting | Legitimate interests | Article 6(1)(f)
CCTV surveillance for security and crime prevention | Legitimate interests | Article 6(1)(f)
Exercising or defending legal claims | Legitimate interests | Article 6(1)(f)
Fraud prevention and detection | Legitimate interests | Article 6(1)(f)
Marketing communications about job opportunities | Consent | Article 6(1)(a)
Equal opportunities monitoring (voluntary) | Consent | Article 6(1)(a)
Non-essential website cookies | Consent (PECR Reg. 6) | Article 6(1)(a)
Retaining candidate data beyond standard retention for future roles | Consent | Article 6(1)(a)

Where we rely on legitimate interests, we have conducted and documented a Legitimate Interest Assessment (LIA) for each processing activity to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of any LIA by contacting us.

Where we rely on your consent, you have the right to withdraw it at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5.1 Processing of Special Category and Criminal Records Data

Where we process special category data or criminal records data, we rely on the additional conditions set out below, in addition to a lawful basis under Article 6:

Data Type | Condition | Legal Reference
Right to work documents | Employment purposes | Sched. 1, Part 1, Para. 1, DPA 2018
DBS / criminal records | Employment purposes; Preventing unlawful acts | Sched. 1, Part 1, Para. 1; Part 2, Para. 10, DPA 2018
Health and disability data | Employment purposes; Health and safety | Sched. 1, Part 1, Para. 1, DPA 2018; Article 9(2)(b) UK GDPR
Equal opportunities data | Explicit consent; Equality of opportunity monitoring | Article 9(2)(a) UK GDPR; Sched. 1, Part 2, Para. 8, DPA 2018

We maintain an Appropriate Policy Document in accordance with Paragraph 39 of Schedule 1 of the DPA 2018, setting out our procedures for compliance with the data protection principles and our retention and erasure policies for special category and criminal records data. This document is attached as Appendix A.

6. Data Protection Impact Assessments (DPIAs)

In accordance with Article 35 of the UK GDPR, we conduct Data Protection Impact Assessments (DPIAs) before commencing any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:

  • Large-scale processing of special category data, including health information and DBS check results
  • Systematic monitoring of individuals, including CCTV surveillance and workforce tracking
  • Processing involving new technologies or novel approaches to data handling
  • Large-scale profiling or automated decision-making that could significantly affect individuals

Our DPIAs are reviewed and updated whenever there is a material change to the processing activity, the technology used, or the regulatory environment. Where a DPIA identifies a high residual risk that cannot be sufficiently mitigated, we will consult the ICO before proceeding with the processing.

7. Who We Share Your Data With

We share personal data only where there is a lawful basis and a legitimate need. We do not sell, rent, or trade personal data to third parties under any circumstances.

7.1 Our Business Clients

We share relevant worker information with our clients to facilitate temporary assignments, contract-based placements, trial-to-contract engagements, and managed on-site workforce programmes. Information shared typically includes your name, relevant skills and qualifications, availability, and right-to-work confirmation. We apply the principle of data minimisation and share only what is strictly necessary for the client to evaluate suitability and manage the placement.

Where a worker is deployed on a managed on-site workforce programme, the client may have day-to-day supervisory responsibility but Orizon remains the data controller for the worker’s personal data and employment records.

7.2 Data Processors and Service Providers

We engage trusted third-party data processors who process personal data on our behalf under written data processing agreements compliant with Article 28 of the UK GDPR. These include:

  • Payroll bureau and pension administration providers
  • DBS and background screening providers
  • IT infrastructure, cloud hosting, and software-as-a-service providers (including Google Workspace and Amazon Web Services)
  • Accounting, bookkeeping, and professional advisory firms
  • Email marketing and communications platforms
  • Website hosting, maintenance, and analytics providers
  • Occupational health providers, where applicable

All data processors are contractually required to process data only on our documented instructions, implement appropriate technical and organisational security measures, and notify us without undue delay of any personal data breach.

7.3 Government and Regulatory Bodies

We may disclose personal data to HMRC, the Home Office, the Health and Safety Executive, the Employment Agency Standards Inspectorate, the Information Commissioner’s Office, the Pensions Regulator, or other regulatory authorities where required or permitted by law.

7.4 Professional Advisers

We may share personal data with our legal advisers, insurers, auditors, and other professional consultants where necessary for the provision of professional services, insurance claims, or compliance with our legal obligations.

7.5 Law Enforcement

We may disclose personal data to police and other law enforcement agencies where required by law, court order, or where it is necessary for the prevention or detection of crime.

7.6 Other Disclosures

In the event of a business reorganisation, merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to appropriate safeguards and in compliance with the UK GDPR.

8. International Data Transfers

Some of our third-party service providers store or process personal data on servers located outside the United Kingdom, including in the United States and the European Economic Area.

Where personal data is transferred to a country outside the UK that has not received an adequacy decision, we ensure that one or more of the following safeguards is in place as required by Chapter V of the UK GDPR:

  • An adequacy decision by the UK Secretary of State under Section 17A of the Data Protection Act 2018
  • The UK International Data Transfer Agreement (IDTA)
  • The UK Addendum to the EU Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules approved by the relevant supervisory authority

For each international transfer, we conduct a Transfer Risk Assessment (TRA) to evaluate the legal framework and data protection practices in the recipient country, as recommended by ICO guidance. You may request details of the safeguards applied to specific international transfers by contacting us at the details in Section 2.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal and regulatory obligations, or to establish, exercise, or defend legal claims. Our retention periods are based on statutory requirements, regulatory guidance, and legitimate business need.

Data Category | Retention Period | Legal / Regulatory Basis
Unsuccessful candidate applications | 6 months from last interaction (longer with consent) | Conduct Regulations 2003; best practice
Temporary worker and contract worker records (payroll, tax, NI, pension) | 6 years after end of relevant tax year | HMRC; Limitation Act 1980 (s.5)
Contracts of employment and assignment schedules | 6 years after termination | Limitation Act 1980 (s.5)
Right to work documents | 2 years after end of employment / assignment | Immigration (EEA) Regs; Home Office guidance
DBS certificates | Maximum 6 months from receipt | DBS Code of Practice
Health and safety records | 3–40 years depending on type | RIDDOR; COSHH; Management of H&S Regs
Working time records | 2 years | Working Time Regulations 1998 (Reg. 9)
Statutory pay records (SSP, SMP etc.) | 3 years after end of tax year | SSP Regs 1982; SMP Regs 1986
Client contracts and correspondence | 6 years after end of relationship | Limitation Act 1980 (s.5)
Website analytics and cookies | Up to 2 years by cookie type | PECR; ICO guidance
CCTV footage | 30 days (longer if investigation) | Surveillance Camera Code of Practice
Equal opportunities monitoring | 12 months, then anonymised | Equality Act 2010; ICO guidance
Complaints and dispute records | 6 years from resolution | Limitation Act 1980

At the end of the applicable retention period, personal data is securely deleted, destroyed, or irreversibly anonymised using methods appropriate to the data format.

Physical records are disposed of through certificated confidential shredding. Electronic records are permanently erased from our systems and those of our data processors, with written confirmation of destruction obtained where appropriate.

10. Data Security

We take the security of personal data seriously and have implemented appropriate technical and organisational measures in accordance with Article 32 of the UK GDPR to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of personal data in transit (TLS 1.2 or above) and at rest (AES-256 or equivalent)
  • Multi-factor authentication (MFA) enforced on all systems holding personal data
  • Role-based access controls (RBAC) restricting access to authorised personnel on a strict need-to-know basis
  • Regular security assessments, penetration testing, and vulnerability scanning
  • Firewalls, intrusion detection systems, and endpoint protection
  • Secure disposal of physical records through certificated confidential shredding services
  • Mandatory data protection and information security training for all staff, completed at induction and refreshed annually
  • Phishing simulation exercises and ongoing security awareness programmes
  • Documented incident response plan and data breach management procedures
  • Regular data backup with tested disaster recovery and business continuity arrangements
  • Supplier security assessments conducted before engaging any data processor

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of the breach in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to you, we will inform you directly and without undue delay in accordance with Article 34.

All data breaches, including those that do not meet the threshold for ICO notification, are recorded in our internal breach register, investigated, and used to improve our security measures.

11. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are subject to certain conditions and exemptions:

Right of Access (Article 15)

You may request a copy of the personal data we hold about you by submitting a Subject Access Request (SAR). We will respond within one calendar month (extendable by a further two months for complex requests).

Right to Rectification (Article 16)

You may request correction of any inaccurate personal data or completion of any incomplete data we hold about you.

Right to Erasure (Article 17)

You may request deletion of your personal data where there is no compelling reason for its continued processing. This does not apply where retention is required by law.

Right to Restriction (Article 18)

You may request restriction of processing in certain circumstances, such as where you contest the accuracy of the data.

Right to Data Portability (Article 20)

You may request to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON).

Right to Object (Article 21)

You may object to processing based on our legitimate interests or for direct marketing purposes. Marketing objections are actioned immediately.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. We do not currently carry out solely automated decision-making.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of your rights, please contact us at the details in Section 2. We may request verification of your identity before processing your request. There is no charge for exercising your rights in the ordinary course, although we reserve the right to charge a reasonable administrative fee or decline to act on requests that are manifestly unfounded, repetitive, or excessive, in accordance with Article 12(5) of the UK GDPR.

12. Direct Marketing

We may send you communications about relevant job opportunities, assignment availability, sector-specific updates, or Orizon services in the following circumstances:

  • Where you have given your prior consent to receive marketing communications
  • Where we have a legitimate interest in contacting registered candidates about positions matching their profile, skills, and sector preferences (in accordance with PECR Regulation 22 and ICO guidance on the soft opt-in)

All marketing communications include a clear and straightforward method of opting out. You may also withdraw your consent or object to direct marketing at any time by contacting us. We will action all opt-out requests promptly and in any event within 28 days. Opting out of marketing will not affect any other processing of your personal data.

13. Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. All decisions regarding candidate suitability, worker allocation, contract-based placement, trial-to-contract conversion, and managed on-site workforce deployment are made or meaningfully overseen by qualified human decision-makers.

Should we introduce automated decision-making or profiling in the future, we will update this policy, conduct a DPIA, and ensure that appropriate safeguards are in place, including the right to obtain human intervention, express your point of view, and contest the decision.

14. Cookies Policy

Our website uses cookies and similar tracking technologies. Cookies are small text files stored on your device when you visit our website. We use cookies for the purposes described below, in compliance with PECR and UK GDPR.

14.1 Cookie Inventory

Cookie Name | Provider | Purpose | Type | Duration
_ga | Google Analytics | Distinguishes unique users by assigning a randomly generated number | Analytical | 2 years
_ga_[ID] | Google Analytics | Maintains session state and tracks pageviews | Analytical | 2 years
_gid | Google Analytics | Stores and updates a unique value for each page visited | Analytical | 24 hours
_gat | Google Analytics | Throttles request rate to limit data collection on high-traffic sites | Analytical | 1 minute
PHPSESSID / session_id | Orizon Website | Maintains user session state across page requests | Strictly Necessary | Session
cookieconsent_status | Orizon Website | Stores your cookie consent preferences | Strictly Necessary | 12 months
_fbp | Meta (Facebook) | Delivers targeted advertisements and measures ad performance | Marketing | 3 months
_gcl_au | Google Ads | Stores conversion data for Google advertising campaigns | Marketing | 3 months
[Functional cookie] | [Provider] | [Purpose – to be completed following website launch] | Functional | [Duration]

Note: This cookie table will be updated following a full technical cookie audit upon website launch. Additional cookies may be identified and added at that time.

14.2 Cookie Categories
  • Strictly Necessary Cookies: Required for the website to function. These cannot be disabled and do not require consent under PECR Regulation 6(4).
  • Analytical and Performance Cookies: Help us understand how visitors interact with our website. Placed only with your explicit prior consent.
  • Functional Cookies: Enable enhanced features and personalisation. Placed only with your consent.
  • Marketing and Targeting Cookies: Used to deliver relevant advertisements and measure campaign effectiveness. Placed only with your explicit prior consent.

14.3 Managing Your Cookie Preferences

A cookie consent banner is displayed on your first visit, allowing you to accept or reject non-essential cookies by category. You may change your preferences at any time via the cookie settings link in the website footer. You may also control cookies through your browser settings (guidance available at www.allaboutcookies.org). Blocking certain cookies may impair website functionality.

15. CCTV Policy

Orizon Group Ltd operates CCTV surveillance at its premises in accordance with the UK GDPR, the Data Protection Act 2018, and the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012.

Purpose

  • Prevention and detection of crime, including theft, vandalism, and unauthorised access
  • Health, safety, and security of staff, workers, and visitors
  • Investigation of incidents, accidents, complaints, and disciplinary matters
  • Supporting law enforcement investigations where lawfully required

Legal Basis

We rely on our legitimate interests under Article 6(1)(f) of the UK GDPR for the operation of CCTV. A DPIA and Legitimate Interest Assessment have been completed for CCTV processing.

Retention and Access

CCTV footage is retained for a maximum of 30 days and is then automatically overwritten, unless it is required for an ongoing investigation, legal proceeding, or regulatory enquiry. Access is restricted to authorised personnel and footage will only be disclosed to third parties where there is a lawful basis for doing so. You have the right to request access to CCTV footage of yourself by submitting a Subject Access Request.

16. Children’s Data

Our recruitment and staffing services are directed exclusively at individuals aged 16 and over. We do not knowingly collect or process personal data from children under the age of 16.

Where we engage workers aged 16 or 17, we will ensure that any additional legal protections applicable to young workers are observed, including those under the Working Time Regulations 1998 and the Management of Health and Safety at Work Regulations 1999.

If we become aware that personal data has been collected from a child under 16 without appropriate parental or guardian consent, we will take immediate steps to securely delete that data.

18. Changes to This Privacy Policy

We review this Privacy Policy at least annually and may update it more frequently to reflect changes in our data processing activities, applicable legislation, regulatory guidance, ICO enforcement trends, or business operations.

Where we make material changes, we will take reasonable steps to notify affected individuals in advance, including by publishing a prominent notice on our website and, where appropriate, by direct communication via email.

The effective date and version number are stated on the cover page. Previous versions of this policy are retained for record-keeping purposes and are available upon request.

19. How to Make a Complaint

If you are dissatisfied with how we have handled your personal data, we encourage you to contact us first so that we may address your concerns directly and promptly.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: https://ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113 (Monday to Friday, 9am to 5pm)
  • Live Chat: Available via the ICO website
  • Postal Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

20. Contact Us

For any enquiries relating to this Privacy Policy, your personal data, or to exercise any of your rights, please contact:

  • Data Protection Lead: Abid Rudro, Chief Executive Officer
  • Organisation: Orizon Group Ltd
  • Company Number: 17060906
  • ICO Registration: ZC115994
  • Email: privacy@orizongroup.co.uk
  • Postal Address: 42 Shirley Gardens, Barking, IG11 9UZ
  • Telephone: 07884889196

Appendix A: Appropriate Policy Document

Data Protection Act 2018, Schedule 1, Paragraph 39

A1. Introduction

This Appropriate Policy Document (“APD”) is maintained by Orizon Group Ltd in accordance with Paragraph 39 of Schedule 1 of the Data Protection Act 2018. It sets out the procedures we follow when processing special category personal data and criminal records data in reliance on the conditions specified in Schedule 1.

This document should be read in conjunction with our Privacy Policy. It will be retained for the duration of the processing and for a minimum period of six months after processing ceases.

A2. Data Controller
  • Organisation: Orizon Group Ltd
  • Company Number: 17060906
  • Data Protection Lead: Abid Rudro, Chief Executive Officer

A3. Special Category and Criminal Records Data We Process

In the course of our business as an employment business, we process the following types of special category and criminal records data:

  • Right to work data (passport, visa, BRP, share codes) — relates to racial or ethnic origin and immigration status
  • DBS check results and criminal records information
  • Health data, disability information, and occupational health reports
  • Equal opportunities monitoring data (racial/ethnic origin, religion, sexual orientation) collected on a voluntary basis

A4. Schedule 1 Conditions Relied Upon

Part 1 – Employment, Social Security, and Social Protection (Paragraph 1): We process special category data where it is necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject in connection with employment, within the meaning of Section 10(2) of the DPA 2018. This includes right-to-work verification, health and safety compliance, fitness-for-work assessments, reasonable adjustments, and statutory pay administration.

Part 2 – Substantial Public Interest Conditions: We may also process special category or criminal records data under the following substantial public interest conditions:

  • Preventing or detecting unlawful acts (Paragraph 10): Processing DBS results to assess suitability for roles where there is a legal requirement or where the client’s regulatory obligations necessitate screening.
  • Protecting the public against dishonesty (Paragraph 11): Where necessary to protect against malpractice or seriously improper conduct by individuals in positions of trust.
  • Equality of opportunity or treatment (Paragraph 8): Processing equal opportunities monitoring data to identify and address inequalities, in compliance with the Equality Act 2010.

Explicit Consent (Article 9(2)(a)): Where none of the above conditions applies, we may seek your explicit consent to process special category data. Consent is always freely given, specific, informed, and documented. You may withdraw consent at any time.

A5. Compliance with Data Protection Principles

We ensure that all processing of special category and criminal records data complies with the data protection principles set out in Article 5 of the UK GDPR:

  • Lawfulness, Fairness, and Transparency: Processed only on a lawful basis, transparently explained via our Privacy Policy.
  • Purpose Limitation: Collected for specified, explicit, and legitimate purposes.
  • Data Minimisation: Restricted to the minimum amount necessary.
  • Accuracy: Kept accurate and up to date. Workers are encouraged to notify changes.
  • Storage Limitation: Retained only as long as necessary, per schedule below.
  • Integrity and Confidentiality: Covered by strict technical and organisational security measures.
  • Accountability: Supported by records of processing activities and DPIAs.

A6. Retention and Erasure

Data Type: Retention Period
  • Right to work documents: 2 years after end of employment or assignment
  • DBS certificates and criminal records data: Maximum 6 months from date of receipt, unless a dispute or legal claim is pending
  • Health and disability data: Duration of engagement plus 6 years (or longer if required by H&S regulations)
  • Occupational health reports: Duration of engagement plus 6 years
  • Equal opportunities monitoring data: 12 months from collection, then irreversibly anonymised

Upon expiry of the retention period, data is securely destroyed using certificated shredding (physical) or permanent erasure (electronic).

A7. Review

This Appropriate Policy Document is reviewed annually.
Last Reviewed: April 2026 | Next Review Due: April 2027
Document Owner: Abid Rudro, Chief Executive Officer