Data Processing Agreement (DPA)
Last Updated: December 2025
Effective Date: 1st January 2026
1. Preamble
This Data Processing Agreement ("DPA") forms an integral part of the engagement process when you submit your application to HC Marketing & Communications. It sets out the terms under which HC Marketing & Communications, as a Data Controller, processes your personal data in accordance with UK GDPR (Regulation (EU) 2016/679 as incorporated into UK law).
2. Definitions
- Personal Data: Information relating to an identified or identifiable applicant.
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
- Data Controller: HC Marketing & Communications – the entity determining the purposes and means of processing.
- Data Subject: You – the applicant whose data is being processed.
- Data Processor: Third parties acting on behalf of HC Marketing & Communications (e.g., cloud storage providers, background check companies).
3. Scope of Processing
HC Marketing & Communications processes the following categories of personal data:
- Identification data (full name)
- Contact data (email, phone number, location)
- Professional data (years of experience, availability, CV/Resume)
- Consent records (GDPR compliance checkboxes)
4. Purposes of Processing
We process your data exclusively for the following purposes:
- Evaluation of your job application
- Communication regarding recruitment process updates
- Conducting interviews and assessments
- Background verification checks (if required)
- Making employment decisions
- Compliance with legal and regulatory obligations
- Marketing communications (only with your explicit consent)
5. Legal Basis for Processing
Under Article 6 UK GDPR, HC Marketing & Communications processes your data based on:
- Article 6(1)(a) – Consent: Your explicit consent provided through the application form checkboxes.
- Article 6(1)(b) – Contract Performance: Processing necessary to handle the recruitment and employment relationship.
- Article 6(1)(f) – Legitimate Interests: Our interest in conducting fair and effective recruitment.
- Article 9 – Special Categories: No special category data is intentionally collected unless voluntarily disclosed (e.g., disability information for accommodations).
6. Data Retention Schedule
| Applicant Status | Retention Period | Legal Basis |
| --- | --- | --- |
| Unsuccessful Candidate | 12 months post-application | Operational necessity and legal compliance |
| Successful Candidate (Employment) | Duration of employment + 6 years post-termination | Employment law, tax, and accounting regulations |
| Marketing Consent Records | Until consent withdrawn or 24 months | Consent evidence and compliance |
7. Data Subjects' Rights
Under UK GDPR, you have the following rights regarding your personal data:
7.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
7.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. We will update your records immediately.
7.3 Right to Erasure (Article 17)
You can request deletion of your data. We will comply unless there is a legal obligation to retain it (e.g., ongoing legal proceedings, employment records).
7.4 Right to Restrict Processing (Article 18)
You can ask us to limit how we use your data while we verify its accuracy or legitimacy.
7.5 Right to Data Portability (Article 20)
You can request your data in a portable format (CSV, JSON) to transfer to another organization.
7.6 Right to Object (Article 21)
You can object to processing for marketing purposes. We will stop processing within 30 days.
7.7 Right to Withdraw Consent (Article 7)
You can withdraw consent to GDPR processing at any time by contacting info@hcmarketingsolutions.co.uk.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or 0303 123 1113.
8. Exercise of Rights
To exercise any of the above rights, please submit a written request to:
- Email: info@hcmarketingsolutions.co.uk
- Reference: "Data Subject Rights Request"
- Include: Your full name, email, and the specific right you're exercising
We will respond within 30 calendar days (or up to 90 days for complex requests).
9. Data Security Measures
HC Marketing & Communications implements the following technical and organisational safeguards:
- Encryption: SSL/TLS encryption for data in transit; AES-256 for data at rest
- Access Control: Role-based access; only authorized personnel can view applications
- Secure Storage: Data stored on secure, password-protected servers with redundancy
- Audit Logging: All data access is logged and monitored
- Incident Response: Procedures in place for data breaches
- Staff Training: All employees receive data protection training
- Vendor Assessment: Third-party processors are vetted for data protection compliance
10. Sub-Processors and Third Parties
Your data may be shared with the following categories of processors:
- Cloud Hosting Providers: For secure data storage and backups
- Email Service Providers: For sending recruitment communications
- Background Check Services: For employment verification (with your consent)
- Payment Processors: If applicable (e.g., for contract work setup)
- Legal Advisors: If required for compliance matters
All sub-processors are bound by Data Processing Agreements (DPAs) complying with UK GDPR Article 28.
11. International Data Transfers
Your data will primarily be processed within the UK. If transferred internationally:
- EU/EEA: No additional safeguards needed (adequacy decision)
- Outside EU/EEA: We use Standard Contractual Clauses (SCCs) or secure appropriate safeguards
- USA: We verify compliance with Data Privacy Framework or Standard Contractual Clauses
12. Data Breach Notification
In the event of a data breach involving your personal data, we will:
- Notify you without undue delay (within 72 hours)
- Provide details of the breach and affected data
- Explain the likely consequences
- Describe measures being taken to mitigate harm
- Provide a single point of contact for further information
13. Data Protection Impact Assessment (DPIA)
HC Marketing & Communications has conducted a Data Protection Impact Assessment for this process. The assessment confirms that:
- Data processing is necessary and proportionate
- Risks to data subjects have been identified and mitigated
- Appropriate safeguards are in place
14. Privacy by Design
Our application form implements privacy by design principles:
- Data minimization – only essential data collected
- Purpose limitation – data used only for recruitment
- Storage limitation – data retained only as long as necessary
- Transparency – clear privacy notices provided
- Accountability – consent records maintained
15. Contact Information
For questions or concerns about data processing, contact:
- Company: HC Marketing & Communications
- Data Protection Email: info@hcmarketingsolutions.co.uk
- Postal Address: [Your Company Address]
- Response Time: 10 business days
16. Governing Law
This Data Processing Agreement is governed by the laws of the United Kingdom and shall be interpreted in accordance with UK GDPR and the Data Protection Act 2018.
17. Changes to This Agreement
HC Marketing & Communications may update this DPA to reflect changes in law or our processing practices. You will be notified of material changes via email, and your continued participation in our process constitutes acceptance.
By submitting your application and checking the GDPR consent box, you acknowledge that you have read and understood this Data Processing Agreement and consent to the processing of your personal data as described herein.
This DPA complies with UK GDPR, Data Protection Act 2018, PECR (Privacy and Electronic Communications Regulations), and ICO guidelines as of December 2025.