Granite Recruitment & Consulting Ltd 9532582, also known as Granite Consulting, understand the importance of privacy to our candidates and clients. Granite Consulting has adopted this Privacy Policy as we recognise the right of our candidates and clients to keep their personal information private and secure.

This Privacy Policy covers Granite Consulting’s treatment of personally identifiable information that we collect or hold. Like many other organisations, Granite Consulting must comply with the National Privacy Principles contained in the Data Protection Act in dealing with personal information. The policy extends to all persons covered by the Data Protection Act in line with GDPR updates effective from May 2018

1. Personal Data held – the information we collect & store

Granite Consulting may collect information about you, such as your name, contact details, skills, qualifications, nationality, languages spoken, professional association memberships or accreditations, interests and your employment history and past responsibilities. We may also collect this and other types of personal information, such as references and employment objectives during the course of dealing with you, for example if you are considered for a particular position.

Where practicable, the purpose for which we collect personal information and the consequences of not providing it will be made clear at the time of collection.

Users who are not registered with Granite Consulting can generally visit the Granite Consulting website without revealing who they are or other personal information. If you provide us with personal information through the Granite Consulting website we may log your usage of Granite Consulting site for the purposes below.

2. Processing – How we use your personal information

Granite Consulting will use the personal information we collect for the purpose disclosed at the time of collection, or otherwise as set out in this Privacy Policy. We will not use your personal information for any other purpose without first seeking your consent, unless authorised or required by law. Granite Consulting will use the lawful basis of legitimate interest to process, store and manage your personal data. Granite Consulting strive to maintain full transparency of personal data processed.

Generally we will only use and disclose your personal information:

  • To establish and maintain your relationship as a website user, client or candidate of Granite Consulting, including providing you with interviews, newsletters, reports and other information;
  • To provide the services you have requested from GraniteConsulting;
  • To answer your enquiry;
  • To register you for events, promotions or competitions;
  • To assist us to make Granite Consulting’s services more valuable to our clients and candidates;
  • For direct marketing of products or services and to keep you informed of new developments we believe may be of interest to you. If we contact you in this way without obtaining prior consent,we will provide you with the opportunity to “opt out” of any further marketing communications;
  • To third parties who provide services to us such as IT consultants, mailing houses andfunction co-ordinators;and
  • To different parts of Granite Consulting to enable the development and marketing of other products and services, to improve our customer service in general and where there maybe opportunities overseas.

3. Transparency – Access to your information

You can access the personal information that Granite Consulting holds about you by contacting the Granite Consulting Privacy Officer as set out below. We will provide you with access to your personal information unless we are legally authorised to refuse your request. We may charge a reasonable amount of providing access.

If you wish to change personal information that is out-of-date or inaccurate please contact us. After notice from you, we will take reasonable steps to correct any of your information which is inaccurate incomplete or out of date.

We may refuse your request to access, amend or delete your personal information in certain circumstances. If we do refuse your request, we will provide you with a reason for our decision and, in the case of amendment, we will note with your personal information that you have disputed its accuracy.

4. Right to be forgotten

Upon request your personal data will be removed as appropriate and to be in line with UK GDPR guidelies. Transactional data where present will remain in place for as long as deemed necessary ie; HMRC or accounting records.

5. Right to complain

You have the right to make a complaint if you think that any of your rights have been infringed by us. All requests will be dealt with in your own merit, and in accordance with the Data Protection Legislation guidance set out by the Information Commissioner at

You can exercise your rights by contacting us using the details set out in the “Contact Address” section below.

6. Security

Granite Consulting will take reasonable steps to secure any personal information which we hold and to keep this information accurate and up to date. Personal information is stored in a secure server or secure files.

The Internet is not always a secure method of transmitting information. Accordingly, while we commit to making every effort and have sought to protect your personal information by implementing digital security systems in various sections of our website, Granite Consulting cannot accept responsibility for the security of information you send to or receive from us over the Internet or for any unauthorised access or use of that information. Should a data breach occur, we have compliant procedures in place to investigate and report the matter to the Individual. In the event of a breach, it will be reported to you within 72 hours of discovery. A record of any breaches will be kept by the company.

7. Changes to this Privacy Policy

Granite Consulting may amend this Privacy Policy from time to time and to keep in line with data protection regulations. We suggest that you visit our website regularly to keep up to date with any changes.

8. Contact us

If you would like any further information, have any queries, problems or complaints relating to Granite Consulting’s Privacy Policy or our information handling practices in general, please contact our Data Manager by emailing by writing to City Point, Temple Gate, Bristol, BS1 6PL. Alternatively you can email, +61 404 637 593

Level 10, 50 Queen Street, Melbourne, VIC 3000


Granite Consulting UK is committed to a policy of protecting the rights and privacy of individuals, including clients and suppliers, in accordance with the General Data Protection Regulation (GDPR) and domestic UK data protection legislation (“the Data Protection Legislation”).

Granite Consulting UK processes personal data in order to administer the client and supplier data and generally perform the duties of a recruitment organisation. This involves personal data of individuals as well as suppliers, clients and customers but also of a variety of individuals in third party organisations.

In compliance with our stated policy, Granite Consulting UK will ensure that all this information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

All members, office-bearers and any entity who deals with Granite Consulting UK must comply with the terms of this policy.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to Data Protection or other legislation.


Granite Consulting UK is a ’Data Controller’ in terms of the Data Protection Legislation. The definition of ’Data Controller’ together with other key Data Protection Legislation definitions can be found at Annex A.

Data Protection Principles

The Data Protection Legislation requires that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.

The Principles require that personal information:

  • Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions aremet;
  • Shall be obtained only for one or more specified and lawful purposes and shall notbe further processed in any manner incompatible with that purpose or thosepurposes;
  • Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  • Shall be accurate and where necessary, kept up todate;
  • Shall not be kept for longer than is necessary for that purpose or thosepurposes;
  • Shall be processed in accordance with the rights of data subjects under theAct;
  • Shall be kept secure i.e. protected by an appropriate degree ofsecurity;
  • Shall not be transferred to a country or territory outside the European EconomicArea, unless that country or territory ensures an adequate level of data protection or an accredited security arrangement is inplace.

Rights of Data Subjects

The data subject has rights under the act. These consist of:

  • The right to be informed that processing is beingundertaken;
  • The right of access to one’s personal information;
  • The right to prevent processing in certaincircumstances;
  • The right to correct, rectify, block or erase information regarded asincorrect.
  • Data Subjects also have the right to take any complaints about how Granite Consulting UK process their personal data to the Information Commissioner: 0303 123 1113.

Information Commissioner’s Office Wycliffe House

Water Lane Wilmslow Cheshire SK95AF


Personal data held by Granite Consulting UK is as provided by individuals at the point of engagement. These will include Names, Work Address, Mailing Address, chosen email for the contact purposes, current company details, current job level, employment Status, and roles. Where applicable additional details will be held for the purpose of payment processing orinvoicing.


Granite Consulting UK uses personal data in line with the lawful basis of legitimate interest, in order to maintain and manage each individual’s associated business interest. This means Granite Consulting UK will use personal data as part of the normal business administration process required to run the organisation including engagement with third parties which include but are not limited to:-

  • Bullhorn
  • SAGE Accounts and associatedprocesses
  • Banking details for financial transactions
  • Reports back to Granite Consulting UK Directors andmanagement
    HMRC; and
  • Granite Consulting UK outsourcedAccountants

In the event that any processing of personal data is contemplated by Granite Consulting UK which requires the consent of the data subject(s), such consent will be obtained prior to any processing.


There are situations where personal data held by Granite Consulting UK is shared with or is accessible by third party organisations such as our professional advisers, website and IT support providers, payment card processors and the like. In such cases Granite Consulting UK will have arrangements in place with such third parties setting out parties’ roles and responsibilities for data protection and with legally binding obligations for the protection of personal data.


Granite Consulting UK are committed to protecting the privacy of personal data and will use appropriate standards of technology and operational security to protect personal data including a secure server and network firewall connection. Operationally, access to personal data is restricted to authorised personnel who are under a duty to maintain the confidentiality and security of such information.


Individual’s data will be held for the term of the active engagement as appropriate for the individual and then for any period required in order to comply with HMRC rules or any other regulations or legislation.

If an individual actively requests that their engagement be cancelled – this will be actioned on receipt of such request, however some information will need to continue on file for a period of time in accordance with tax and accounting practices.


Granite Consulting UK is responsible for ensuring compliance with this policy. The Directors and management will meet regularly and address any data protection related issues that arise and generate initiatives or communications as necessary to ensure compliance with this policy.

At an operational level, Granite Consulting UK will ensure that:-

  • there is always someone with specific responsibility for and knowledge of data protection who will act as the internal and external point of contact, handle complaints from data subjectsand report to the organisation on data protection operations;
  • anybody wanting to make enquiries about handling personal information knows what to do and who to refer enquiriesto;
  • queries about handling personal information are promptly and courteously dealtwith;
  • methods of handling personal information are clearlydescribed;
  • a regular review and audit is made of the way personal information is held, managed and used, including where new categories of personal data are processed or where processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
  • appropriate records of processing records are maintained;
  • methods of handling personal information are regularly assessed and evaluated, particularlyif new processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
  • performance with handling personal information is regularly assessed and evaluated;
  • breaches of personal data are promptly assessed, contained and mitigated;and
  • breaches of personal data are reported to the ICO and data subjects where necessary.


This policy will be updated as necessary to reflect best practice or future amendments made to the Data Protection Legislation.

The ICO’s website ( provides further detailed guidance.

For help or advice on any data protection issues, please do not hesitate to contact the Data Management Team on

Annex A

Key Definitions

  • ‘Personal Data’means data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual. Under the GDPR, the definition of personal data will explicitly extend to IP addresses.
  • Sensitive Personal Data’ means information about an individual’s ethnicity, political opinions, their religious beliefs or other beliefs of a similar nature, membership of a trade union, disability, sexual orientation, the commission or alleged commission by them of any criminal offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings of the sentence of any court in suchproceedings.
  • Under the GDPR, the term ‘sensitive personal data’ will be replaced by the definition special category data which means any personal data information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual or orientation and their genetic or biometricdata.
  • ‘Processing’ means any operations or set of operations which is performed on personal data whether or not by automated means such as collection, use, disclosure or storage ofpersonal data etc.
  • ‘Data Controller’ means the organisation which, either alone or jointly with another organisation, determines the manner and purpose of the processing of personal data. The Data Controller is primarily responsible for compliance with the Data Protection Legislation.
  • ‘Data Processor’means an organisation (such as a contractor)which processes personal data on behalf of a Data Controller. Under the GDPR a Data Processor also has responsibilities for compliance with the Data ProtectionLegislation
  • ‘Personal Data Breach’ means a breach of security leading to the accidental orunlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed