Privacy Policy (UK GDPR)
Contact: info@thema-healthcare.co.uk
1. Who we are
Thema Ltd is a healthcare recruitment agency. We act as a data controller for the personal data we collect and use in our recruitment and business operations.
This Privacy Policy explains what personal data we collect, how we use it, the lawful bases we rely on, who we share it with, how long we keep it, and your rights under UK data protection law.
2. Personal data we collect
Depending on your relationship with us (candidate, worker, client contact, referee, website visitor), we may collect:
A) Candidates / Workers
Identity & contact details: name, address, email, phone, DOB
Right to work & compliance: nationality/immigration status, RTW documents, DBS details/status, professional registrations (e.g., NMC/GMC), training records, references
Recruitment information: CV, employment history, qualifications, interview notes, availability, preferences, placements and performance feedback
Payroll/finance (where applicable): NI number, bank details, tax information, rates, timesheets
Special category data (where relevant/required): health information (e.g., occupational health, reasonable adjustments), equality & diversity data (if provided), vaccination status where required by client/site policy
Safeguarding and conduct: allegations/concerns, investigations and outcomes (where relevant)
B) Clients and business contacts
Name, job title, organisation, contact details
Communications and contract/relationship information
Billing and service records
C) Website users
Contact form enquiries
Technical data (IP address, device/browser data) and cookie data (see Cookies Policy)
UK GDPR requires transparency about what data is collected and why.
3. How we use your data and our lawful bases
We use personal data for the purposes below, relying on the following UK GDPR lawful bases (and conditions for special category data where applicable).
Candidates / Workers
To assess suitability, manage recruitment processes, and arrange placements (contract steps / legitimate interests)
To meet legal/regulatory obligations (e.g., right to work checks, safeguarding) (legal obligation)
To administer pay, timesheets and invoicing (contract / legal obligation)
To manage quality, complaints, incidents, and safeguarding concerns (legal obligation / legitimate interests)
To provide reasonable adjustments or occupational health support (special category data – employment/social protection condition, or explicit consent where appropriate)
Clients
To provide recruitment services and manage contracts (contract / legitimate interests)
To communicate service updates and handle queries (legitimate interests)
To meet legal obligations (e.g., tax/accounting) (legal obligation)
Website and marketing
To respond to enquiries (legitimate interests / contract steps)
To run analytics (where enabled) (consent, via cookie settings)
To send direct marketing (where applicable and lawful) (commonly consent or soft opt-in, depending on context and channel)
PECR sets specific rules for electronic marketing and cookies, alongside UK GDPR.
4. Who we share your data with
We may share personal data with:
Clients (care providers/healthcare organisations) for recruitment, onboarding, compliance and placement management
Compliance partners (DBS/ID verification, right to work checks, referencing services)
Payroll/accounting providers and payment processors (where applicable)
IT and hosting providers (email, cloud storage, CRM/ATS, website analytics)
Professional advisers (legal, auditors, insurers)
Regulators and authorities where required (e.g., Home Office, police, safeguarding bodies)
We require appropriate contractual safeguards with processors and only share what is necessary.
5. International transfers
If any suppliers process data outside the UK, we will ensure appropriate safeguards are in place (e.g., UK adequacy regulations or contractual protections).
6. How long we keep your data
We keep personal data only as long as necessary for the purposes described, including legal and regulatory requirements. Typical retention periods may include:
Candidate records: [e.g., 12–24 months] after last meaningful contact (unless you ask us to delete sooner where applicable)
Placement/payroll records: [e.g., 6 years] to meet tax/accounting requirements
Safeguarding/incident records: for as long as necessary based on the nature of the issue and legal/regulatory expectations
(Replace brackets with your operational retention schedule.)
7. Your data protection rights
Subject to legal conditions, you may have rights to:
Access your personal data
Correct inaccurate data
Erase data (in some circumstances)
Restrict or object to processing (in some circumstances)
Request data portability (in some circumstances)
Withdraw consent (where processing is based on consent)
ICO guidance explains the right to be informed and how privacy information should be provided.
To exercise your rights, email info@thema-healthcare.co.uk.
8. Complaints
If you have concerns, please contact us first so we can resolve them. You also have the right to complain to the UK Information Commissioner’s Office (ICO).
9. Security
We use appropriate technical and organisational measures to protect personal data (e.g., access controls, encryption where suitable, staff training, supplier due diligence).