Yaspa

Job applicant privacy notice

Last updated on 31 January 2025.

1. Introduction

Yaspa Limited (‘Yaspa’, ‘us’, ‘we’, ‘our’) are committed to protecting your privacy and meeting our legal obligations when you apply for a job or you (or an agent acting on your behalf) share your employment details with us.

This privacy notice explains what personal data we collect and use relating to employment and associated candidates (‘you’, ‘your’) during the recruitment process.

As an information-led business, we place great importance on ensuring the quality, confidentiality, integrity, and availability of the data we hold, and in meeting our data protection obligations where we process personal data. We are committed to protecting the security of your personal data. We use a variety of technical and organisational measures to help protect your personal data from unauthorised access, use or disclosure. 

We update this privacy notice from time to time in response to changes in applicable laws and regulations, to our processing practices and to products and services we offer. When changes are made, we will update the effective date at the top of this document.

2. What personal data do we process?

Personal data means any information about an individual from which that person can be identified; it therefore does not include data where the identity of the person has been removed (anonymous data). There are ‘special categories’ of more sensitive personal data which require a higher level of protection. Yaspa is the controller of the personal data we hold about you, registered as such with the Information Commissioner’s Office (‘ICO’) under registration reference ZB799205.

When you apply for a position (whether as an employee or consultant) or submit your CV (or similar employment information) to us, whether directly or through an agency, complete psychometric tests and assessments either provided by us directly or via a partner, or attend an interview in person or by remote means, we will collect your personal data. This includes (but is not limited to):
– Name and contact details (address, mobile phone number and email address)
– Company details (where applicable)
– Date of birth and gender
– Work history and employment positions held
– Salary, other compensation, and benefits information
– Nationality / visa / work permit information (where applicable)
– Academic and professional qualifications, education, and skills
– Photographs you may submit with your application
– Demographic information
– Records we create during interviews or correspondence with you
– Results of pre-employment screening checks such as references or DBS checks (where applicable)
– Your performance on any psychometric tests or assessments
– Any other information you choose to give us

Please note, when we receive references, we do so on a confidential basis. As a result, we would never provide you with a copy of your reference from a referee.

We may also collect special category data in accordance with the Equality Act 2010. We will only do this, for example, to make reasonable adjustments to enable all candidates to apply for vacancies, attend interviews and to commence employment. This is also necessary to ensure we meet our legal obligations when recruiting. 

3. Purposes and bases for using your personal data

We will process your personal information for the following purposes and under the following lawful bases:

Purpose: To assess your suitability for the role. This may include assessing your performance on psychometric tests and assessments.
Lawful basis for processing: Processing is necessary for taking steps to enter into a contract with you or for the performance of our contract with you (Article 6(1)(b) of the UK GDPR).
For special category data, the additional basis that we rely on relates to our obligations in the field of employment and the safeguarding of your fundamental rights (Article 9(2)(b) of the UK GDPR and Schedule 1 Part 1(1) of the DPA 2018).

Purpose: To make reasonable adjustments for you during the interview process and comply with our legal obligations under the Equality Act 2010.
Lawful basis for processing: Processing is necessary for us to comply with our legal obligations (Article 6(1)(c) of the UK GDPR).
For special category data, the additional basis that we rely on relates to our obligations in the field of employment and the safeguarding of your fundamental rights (Article 9(2)(b) of the UK GDPR and Schedule 1 Part 1(1) of the DPA 2018).

Purpose: To conduct pre-employment screening checks including checking your identity and your right to work in the UK.
Lawful basis for processing: Processing is necessary for us to comply with our legal obligations (Article 6(1)(c) of the UK GDPR).
For special category data, the additional basis that we rely on relates to our obligations in the field of employment and the safeguarding of your fundamental rights (Article 9(2)(b) of the UK GDPR and Schedule 1 Part 1(1) of the DPA 2018).

Purpose: To contact unsuccessful applicants about future suitable vacancies.
Lawful basis for processing: Processing is necessary for our legitimate interest of searching for suitable candidates for future vacancies based on their skills set out in the records we hold on candidates (Article 6(1)(f) of the UK GDPR)
OR
We will carry out this processing where you have consented to us retaining your data and contacting you about future vacancies based on the skills set out in the records we hold about you (Article 6(1)(a) of the UK GDPR).

4. Sensitive personal data

We will only process sensitive ‘special category’ personal data where we meet one of the conditions required by law for doing so. This includes complying with legal obligations or exercising specific rights in the field of employment law. We may also ask for your explicit consent to process some special categories of personal data. 

We process special categories of personal data when we collect or process information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work and to provide appropriate workplace adjustments. 

5. Sharing of your information

We may share your data with service providers and suppliers to our business who process data on our behalf. In such cases, our service providers and suppliers are processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the contract between Yaspa and the service providers and suppliers.

Your Personal Data may be processed outside of the UK. Where this is the case, we have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:
– Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
– We enter into an International Data Transfer Agreement (‘IDTA’) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here: international-data-transfer-agreement.pdf (ico.org.uk).)

Within Yaspa, your personal data will only be shared with those who need to have access to it, which will primarily be our HR personnel and hiring managers.

6. How long will we retain your information?

We will retain your personal data for only as long as is necessary for the recruitment process. If your candidacy is successful and you are employed or hired by us, your data will be processed and retained as set out in our employee privacy notice, provided to you with your employment paperwork.

If your candidacy is not successful, we will retain your CV, application details and interview notes for 12 months (from the date we notified you we would not move forward with your application). Where you are unsuccessful in your application, we may ask if you would like your details to be retained in our talent pool. If you consent to this, we will proactively contact you should any suitable vacancies arise that may be of interest to you. Please let us know if you would like us to delete your records before our retention period lapses and we will do so.

We will also retain personal data where it is necessary to comply with our legal obligations or as necessary in relation to legal claims. This is rare but may mean we need to retain your data for longer than 12 months. 

7. Your rights

Individuals whose personal data we process have the following rights:
– You have the right of access to your personal data and can request copies of it and information about our processing of it 
– If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it
– Where we are using your personal data with your consent, you can withdraw your consent at any time 
– Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way
– In some circumstances, you can restrict our processing of your data, request a machine-readable copy of your personal data to transfer to another service provider and compel us to erase your personal data

If you wish to exercise any of your rights, please contact us at dpo@yaspa.com or write to us at the following address: Yaspa Limited, 1 St Katharine’s Way, London E1W 1UN

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

In addition to the above, please note that you have the right to make a complaint at any time to the ICO if you are concerned about the way in which we are handling your personal data. 

8. Contact

You can contact us in relation to data protection and this privacy notice by emailing us at dpo@yaspa.com.

Categories of individuals: Users making a payment or withdrawal/refund with Yaspa
Categories of personal data: Identifying Information, Order Identifying Information, Financial Information, Device Information
Purpose of processing: To initiate and process a quick and secure payment to, or payout from, a merchant.
Lawful basis: Contractual obligation
Retention period: 6 years (as per the GDPR), unless requested to be removed

Categories of individuals: Users undertaking an account verification check through Yaspa
Categories of personal data: Identifying Information, Financial Information
Purpose of processing: To verify your identity and/or update your contact information when the Service is used for Identity Verification.
Lawful basis: Contractual obligation
Retention period: Consent held for a period of 90 days; 6 years (as per the GDPR), unless requested to be removed

Categories of individuals: Users consenting to Yaspa’s financial health checks
Categories of personal data: Identifying Information, Financial Information
Purpose of processing: To deliver the User and/or the merchant with the advertised services derived from the data shared.
Lawful basis: Contractual obligation
Retention period: Consent held for a period of 90 days; 6 years (as per the GDPR), unless requested to be removed

Categories of individuals: Users signed up to ongoing account access
Categories of personal data: Identifying Information
Purpose of processing: To refresh your Identifying and Financial Information.
Lawful basis: Legitimate interest in providing the service
Retention period: Consent held for a period of 90 days; 6 years (as per the GDPR), unless requested to be removed

Categories of individuals: All
Categories of personal data: Device Information
Purpose of processing: To provide and improve our services.
Retention period: 6 years (as per the GDPR)

Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

8. Storage 
Your open banking data is stored securely using industry-standard encryption and security measures. Specifically:

– Data is encrypted both in transit and at rest.
– Access to your data is restricted to authorised personnel only.
– We regularly monitor and update our systems to protect against unauthorised access, loss, or misuse of data.

9. Sharing your Personal Data
We may share your Personal Data with our trusted and carefully selected third parties, including:

– With service providers assisting us in delivering our services (e.g., cloud storage providers)
– When required to do so by law or regulatory authorities
– With your explicit consent for any other purpose not covered above.

10. International Transfers
Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our service to you are based outside the UK. 

We have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:

– Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
– We enter into an International Data Transfer Agreement (‘IDTA’) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here: international-data-transfer-agreement.pdf (ico.org.uk).)

11. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including the:

Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.

Right of access (commonly known as a ‘Subject Access Request’)
You have the right to receive a copy of the Personal Data we hold about you.

Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected.

Right to erasure (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data.

Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material. 

Right to restrict processing
You have the right to restrict our use of your Personal Data. 

Right to portability
You have the right to ask us to transfer your Personal Data to another party.

Automated decision-making
You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.  

Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:

Contact us | ICO
0303 123 1113

For supervisory authorities in other countries within the EU see the link: https://edpb.europa.eu/about-edpb/about-edpb/members_en

How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. 

If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.    

12. Children’s privacy
We do not offer our products and services to children and we do not knowingly collect Personal Data of children without parental consent, unless permitted by law. If you are a child, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law. 

13. How to contact us and our Data Protection Officer 
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:

Yaspa Limited
1 St Katharine’s Way
London 
E1W 1UN

dpo@yaspa.com 

We have also appointed a Data Protection Officer (‘DPO’). Our DPO Evalian Limited can be contacted as follows:

Evalian Limited
Unit 5 West Lodge 
Nobs Crook
Colden Common
Winchester
England
SO21 1TH

dpo@evalian.co.uk
03330 500111

Please mark your communications FAO the ‘Data Protection Officer’.

14. Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify you of the changes where required by applicable law to do so.

Last modified: 25 January 2025.