GDPR Privacy Notice for Job Applicants
Reviewed: 13th January 2026
Who we are and how to contact us
Controller: UK Postbox Limited, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom.
Data Protection Officer (DPO): dpo@ukpostbox.com
Recruitment enquiries: careers@ukpostbox.com
Roe: We act as controller for all recruitment data.
What data we process (categories)
Application data: Name, contact details (email, phone, address), CV/resume, cover letter, application form responses, references, LinkedIn profile or portfolio links.
Right to work: Passport, visa, work permit or other documentation to verify eligibility to work in the UK.
Interview & assessment: Interview notes, test results, skills assessments, feedback forms.
Pre-employment checks: References from previous employers, background checks (DBS where role-appropriate), qualification verification, professional registrations.
Equality monitoring (optional): Ethnicity, gender, disability status, age range. This data is anonymised, kept separate from your application, and used only for diversity monitoring. Providing this information is entirely voluntary and will not affect your application.
Reasonable adjustments: Health information you disclose to request interview or workplace adjustments.
Special category data: We do not intentionally request special category data (such as health, ethnicity, religion) except for equality monitoring (optional and anonymised) and reasonable adjustments (where you choose to disclose). Background checks may reveal criminal convictions data where legally permitted for the role.
How we collect your data
• Directly from you (application form, CV, interview, correspondence).
• From recruitment agencies or job boards (if you apply via these channels).
• From referees (with your consent).
• From background check providers (DBS, qualification verification services) where role-appropriate.
• From publicly available sources (LinkedIn, professional portfolios) where you have made this information public.
Purposes and lawful bases
| Purpose | Examples | Lawful basis |
| Recruitment & selection | Reviewing applications, shortlisting, interviews, assessments, offer decisions | Legitimate interests (steps at request of applicant entering into contract, Art. 6(1)(f)) |
| Right to work verification | Checking passport, visa, work permit | Legal obligation (Immigration, Asylum and Nationality Act 2006) |
| Background checks | DBS checks, references, qualification verification | Legitimate interests (ensuring suitability for role) and legal obligation (where required for regulated roles) |
| Equality monitoring | Anonymised diversity statistics | Substantial public interest (Equality Act 2010) and explicit consent |
| Reasonable adjustments | Interview or workplace accommodations | Legal obligation (Equality Act 2010) and explicit consent |
| Legal compliance & defence | Employment tribunal claims, regulatory requests | Legal obligation and legitimate interests (establishing, exercising or defending legal claims) |
Where we rely on legitimate interests, we balance our interests against your rights. You may object to processing based on legitimate interests (see Your Rights below).
Who we share your data with (recipients)
• Internal staff: Hiring managers, interview panel members, HR, senior management (on a need-to-know basis).
• Recruitment agencies: Where you apply via an agency, we share application status updates.
• Background check providers: DBS, qualification verification services, professional registration bodies (where role-appropriate).
• IT service providers: Email, cloud storage, applicant tracking systems (acting as processors under our instructions).
• Professional advisers: Legal, audit, insurance (under confidentiality).
• Regulators and authorities: HMRC, Employment Tribunal, ICO, law enforcement (where required by law).
We require all processors to act only on our instructions, keep data secure, and not use it for their own purposes.
International transfers
We primarily store and process recruitment data in the UK/EEA. Where personal data is transferred outside the UK (for example, if we use a cloud-based applicant tracking system with servers outside the UK), we implement appropriate safeguards (International Data Transfer Agreement (IDTA), UK addendum to EU SCCs, or other recognised mechanisms) and carry out transfer risk assessments where required by law.
Security of your data
We apply layered security, including encryption in transit and at rest, role-based access controls and MFA for privileged access, logging/monitoring, network segmentation, vulnerability management, supplier due diligence, and employee vetting.
Certification: Cyber Essentials Plus.
How long we keep data (retention)
We keep recruitment data only as long as needed for the stated purposes and legal requirements, then securely delete or anonymise it.
• Unsuccessful applicants: 6 months from the end of the recruitment process. This allows us to consider you for similar future roles and defend against potential tribunal claims.
• Successful applicants: Your recruitment data becomes part of your employee record and is retained in accordance with our Employee Privacy Notice and Data Retention Policy.
• Equality monitoring data: Anonymised and retained for reporting purposes; identifiable data deleted after 6 months.
• Withdrawn applications: Deleted within 1 month of withdrawal unless you consent to retention for future opportunities.
Your rights under UK GDPR
You have the following rights:
• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your data (subject to legal and legitimate business reasons for retention).
• Restriction: Limit how we use your data in certain circumstances.
• Objection: Object to processing based on legitimate interests.
• Data portability: Receive your data in a structured, commonly used format.
• Withdraw consent: Where we rely on consent (equality monitoring, reasonable adjustments), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Withdraw application: You can withdraw your application at any time by contacting careers@ukpostbox.com. We will delete your data within 1 month unless you consent to us retaining it for future opportunities.
How to exercise your rights: Email dpo@ukpostbox.com. We respond within one month (30 days), extendable by two months for complex requests. We may ask for ID verification to protect your information.
Automated decision-making and profiling
We do not carry out automated decision-making that produces legal or similarly significant effects about you. All recruitment decisions involve meaningful human review and assessment.
Changes to this notice
We may update this notice to reflect legal or operational changes. We will post the revised version with a new Reviewed date on our website and in recruitment communications.
Complaints
If you are unhappy about how we handle your data, contact us first via dpo@ukpostbox.com or careers@ukpostbox.com so we can try to resolve it. You can also complain to the Information Commissioner’s Office (ICO):
• Website: ico.org.uk
• Tel: 0303 123 1113
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com Website: www.ukpostbox.com
Registered in England and Wales Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907