GDPR Privacy Policy


At Urban Nerds Agency Limited, we are committed to being transparent about how we collect and use the personal data of our workforce, and to meeting our data protection obligations. This policy sets out our commitment to data protection, and individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, workers, contractors, volunteers, interns, apprentices and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.

We have appointed James Benenson, Director as Urban Nerds Agency Limited’s Data Controller (person with responsibility for data protection compliance within the business). They can be contacted at Questions about this policy, or requests for further information, should be directed to them.


“Personal data” is any information that relates to an individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data protection principles

We process HR-related personal data in accordance with the following data protection principles:

We process personal data lawfully, fairly and in a transparent manner.

We collect personal data only for specified, explicit and legitimate purposes.

We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.

We keep accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.

We keep personal data only for the period necessary for processing.

We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

We will update HR-related personal data promptly if an individual advises that their information has changed or is inaccurate.

We keep a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

What information do we collect?

We collect and process a range of information about you. This includes:

Your name, address and contact details, including email address and telephone number, date of birth and gender.

The terms and conditions of your employment.

Details of your qualifications, skills, experience and employment history, including

start and end dates, with previous employers and with us.

Information about your remuneration, including entitlement to benefits such as pensions or insurance cover.

Details of your bank account and national insurance number.

Information about your marital status, next of kin, dependants and emergency


Information about your nationality and entitlement to work in the UK.

Information about your criminal record.

Details of your work pattern (days of work and working hours) and attendance at work.

Details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave.

Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence.

Assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence.

Information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments.

We may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or covering letters; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, we may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

Data will be stored in a range of different places, including in your employee file, our HR management systems and in other IT systems (including our email system).

Why do we process personal data?

We need to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required to check an employee’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.

In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:

Run recruitment and promotion processes.

Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights

Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace

Operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;

Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;

Obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;

Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;

Ensure effective general HR and business administration;

Provide references on request for current or former employees;

Respond to and defend against legal claims; and

Maintain and promote equality in the workplace.

Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities).

Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

Where do we get your data from?

We may receive some of your personal data from a third party recruiter/HR Consultancy who run/aid the recruitment process. Occasionally we or the third party recruiter/HR Consultancy may obtain your personal data from publicly accessible sources e.g. LinkedIn.

Who has access to data?

Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.

We may share your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. We may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.

We also shares your data with third parties that process data on our behalf, in connection with HR, payroll, the provision of benefits and the provision of occupational health services.

International data transfers

We will not transfer your data to countries outside the European Economic Area.

How do we protect data?

We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. We use a cloud- based system/online HR system to store your data, that requires 2 factor authentication. Physical documents containing your data are kept under lock and key in filing cabinets/rooms.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate measures to ensure the security of data.

Data breaches

If we discover that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery. We will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

For how long do we keep data?

The organisation will hold your personal data for the duration of your employment. The period for which your data is held after the end of employment is 6 years.

Your rights

As a data subject, you have a number of rights. You can:

Access and obtain a copy of your data on request (see below).

Require us to change incorrect or incomplete data.

Require us to delete or stop processing your data, for example where the data is no

longer necessary for the purposes of processing.

Object to the processing of your data where we are relying on its legitimate interests as the legal ground for processing.

If you would like to exercise any of these rights, please contact James Benenson,

If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner.

Subject access requests

If you make a subject access request, we tell you:

Whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you.

To whom your data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers.

For how long your personal data is stored (or how that period is decided).

Your rights to rectification or erasure of data, or to restrict or object to processing.

Your right to complain to the Information Commissioner if you think Urban Nerds Agency Limited has failed to comply with your data protection rights.

Whether or not we carry out automated decision-making and the logic involved in any such decision-making.

We will also provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.

If you want additional copies, we will charge a fee, which will be based on the administrative cost to us of providing the additional copies.

To make a subject access request, you should send the request to In some cases, we may need to ask for proof of identification before the request can be processed. We will inform you if we need to verify your identity and the documents we require.

We will normally respond to a request within a period of one month from the date it is received. In some cases, such as where we process large amounts of your data, we may respond within three months of the date the request is received. We will write to you within one month of receiving the original request to tell you if this is the case.

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If you submit a request that is unfounded or excessive, we will notify you that this is the case and whether or not we will respond to it.

What if you do not provide personal data?

You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

Automated decision-making

Employment decisions are not based solely on automated decision-making.

Individual responsibilities

Individuals are responsible for helping us keep their personal data up to date. You should let us know if data provided to us changes, for example if you move house or change your bank details.

You may have access to the personal data of other individuals, our customers and clients in the course of your employment, contract, volunteer period, internship or apprenticeship. Where this is the case, we rely on individuals to help meet our data protection obligations to staff, customers and clients.

If you are an individual who has access to personal data, you are required:

• To access only data that you have authority to access and only for authorised purposes.

  • Not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation.
  • To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction)
  • Not to remove personal data, or devices containing or that can be used to access personal data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.
  • Not to store personal data on local drives or on personal devices that are used for work purposes.Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under our disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.


    We will provide training to all individuals about their data protection responsibilities as part of the induction process and at appropriate times thereafter.

    If you are an individual whose role requires regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, you will receive additional training to help you understand your duties and how to comply with them.