occy Privacy Policies

Important information whether you’re a customer, candidate or prospect. 

Introduction – occy users 

Prospects using occy.com website 

Any personal information used by the occy website will be processed, stored, and protected by the data controller (occy) in line with the policies set out on this page. 

Customers using the occy portal 

Customers (the data controller) logging in and using the occy portal will be doing so knowing that occy (the data processor) operates according to the policies set out on this page and in line with the signed Subscription Agreement and Data Processing Agreement (DPA). If you wish to refer to the Subscription Agreement or the DPA then please contact your system administrator. 

Candidates using the occy portal 

Any personal information used by the occy portal (the data processor) or the hiring organisation (the data controller) will be processed, stored, and protected by the data processor (occy) in line with the policies set out on this page. 

occy.com privacy policy 

This privacy policy explains: 

  • What information we collect from the occy website and why we collect it 
  • How we use that information 
  • How to access and update that information 


Types of information we collect

The privacy policy covers the information you share with us via our website or when you become a client: 

  • Your name 
  • Organisation Address 
  • Your email address 
  • Telephone number and other contact information 


How we use the information we collect

Your information will be used by occy to provide you with information, including: 

  • Access to webinars you have signed up for 
  • Send you your chosen downloads 
  • Contact you to arrange a requested demonstration 
  • Send you industry-relevant information on a regular basis 


Who may have access to your information

Employees and contractors of occy may have access to your information. We may also share your information with certain third-party services to allow for end-to-end processing of job applications. The current services we use are:

  • RefNow, for reference checks (click here for information on their privacy policies)
  • uCheck for background verification (click here for information on their privacy policies)
  • Signable for e-signature services for job offers and employment agreements (click here for information on their privacy policies)
  • Google, for Google Calendar integration. occy’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Updating your information

Should you wish to update your information, instigate your right to erasure or see what information is held about yourself, you can contact us directly by either calling 01908 268 362 or emailing [email protected] and we will be pleased to assist you. 


Customers using occy portal – privacy policy 

Customers (the data controller) logging in and using the occy portal will be doing so in line with the signed Subscription Agreement and Data Processing Agreement (DPA). If you wish to refer to the Subscription Agreement or the DPA then please contact your system administrator. 


Candidates using occy portal – privacy policy 

This policy explains: 

  • What information is collected during the application process and why it’s collected  
  • How that information is used  
  • How to access and update that information  

Types of information collected

This policy covers the information you share in the occy platform during the application process including:  

  • Your name, address, email address, telephone number and other contact information  
  • Your resume or CV, cover letter, previous and/or relevant work experience or other experience, education or other information you provide in support of an application  
  • Information from interviews and phone-screenings you may have if any  
  • Details of the type of employment you are or may be looking for, current and/or desired salary and other terms relating to compensation and benefits packages, willingness to relocate, or other job preferences  
  • Details of how you applied for the position you are applying for  
  • Any sensitive and/or demographic information obtained during the application process such as gender, information about your citizenship and/or nationality, medical or health information and/or your racial or ethnic origin. This information will be anonymised and used for statistical analysis and will not be personally identifiable. 
  • Reference information and/or information received from background checks (where applicable), including information provided by third parties  
  • Information relating to any previous applications you may have made to the hiring organisation via occy (a brand of Smart Recruit Online Ltd)  


How your information is used

Your information will be used by the hiring organisation in the occy platform for the purposes of carrying out the application and recruitment process which includes:  

  • Assessing your skills, qualifications, and interests against all relevant career opportunities  
  • Communications with you about the recruitment process and/or your application(s) 
  • Complying with applicable laws, regulations, legal processes or enforceable governmental requests  
  • Your information will also be used to protect the rights and property of our users, applicants, candidates, employees or the public as required or permitted by law.  
  • If you are offered and accept employment with the hiring organisation, the information collected during the application and recruitment process may become part of your future employment record and be migrated across to the new employer’s own internal HR Systems.  
  • Employers may seek your permission to conduct reference and/or background checks via the occy system and this information will subsequently be processed and stored securely within your application records.  


Who may have access to your information

  • The data controller (the hiring organisation) – the employees and contractors of the hiring organisation that is posting the job advert   
  • The data processor – the employees and contractors of occy (a brand of Smart Recruit Online Ltd)  
  • occy and the hiring organisation both take appropriate steps to protect information about you that is collected, processed, and stored as part of the application and recruitment process  
  • It is your own responsibility to obtain consent from external referees before providing their personal information  


Updating your information

Should you wish to update your information, change your watchdogs, instigate your right to erasure, or see what information is held about yourself, you should contact the hiring organisation by email.  


Changes to this Policy 

We may change this policy from time to time. We will post any changes to this policy on this policy section of our website. 



You can read the GDPR policy for the data processor, occy, on this page. 

Should you wish to read the policy of the data controller, the hiring organisation, then contact them directly. 

Why does occy use cookies? 

Occy uses cookies and similar technologies like pixels and tags to ensure that we give you the best possible experience on our site and platform.  

A cookie is a small file placed onto your device. Cookies enable us to identify your device and enable the functioning of many occy features, including your ability to log into your account.  

If you don’t want to receive cookies, you can change your browser settings. If you use occy without changing your browser settings, we’ll assume that you’re happy to receive all cookies. Please note that the occy platform will not work properly without cookies. 


What types of cookies do we use?  

Occy uses two types of cookies, persistent and session. A persistent cookie is set once you have logged in to your account. The next time you visit the platform using the same device, the persistent cookie will enable us to recognize you as an existing user, so you may not need to log in before using our services.  

A session cookie identifies a particular visit to the platform. Session cookies expire after a short time, or when you close your web browser. 


When does occy put cookies on my device?  

Cookies may be set by us when you visit the platform or website. Or they may be set by other websites or services who run content on the page you’re viewing (known as third-party cookies). 


What are cookies used for?  

Cookies are used for many different purposes: they recognise when you navigate to our platform, store your preferences and improve your experience. Cookies also make your interactions with us more secure and faster, and help us ensure that your experience is personalised to you and in line with your settings.   


Occy uses cookies for a number of purposes, including: 

  • Authentication: occy uses cookies to recognise if you are logged into the platform, so that we can show you the right information and personalise your experience.  
  • Security: occy uses cookies to support or enable security features we have deployed, and to help us detect malicious activity and violations of our Subscription Agreement.  
  • Preferences, features and services: occy uses cookies to know what your communications preferences are, and they help you fill out forms on the site. They also provide you with features, insights, and customised content through our plugins.  
  • Advertising: occy may use cookies to show you relevant advertising both on and off the site.  
  • Trusted partners help us serve advertising on and off the website, and analytics companies may also place cookies on your machine. 
  • Performance, Analytics and Research: occy uses cookies to help us learn how well our site and plugins perform across the globe. We also use cookies to understand, improve, and research products, features, and services, including when you access our site from other websites, applications, or devices such as your work computer or your mobile device. 

Most browsers allow you to control cookies through their settings preferences. Limiting the ability of websites to set cookies, however, may worsen your overall user experience. 

Key details 

  • ICO registration number: ZA455697 
  • Policy prepared by: Simon Billsberry 
  • Approved by board/management: Greg Dorban 
  • Policy became operational on: 01/04/2016 
  • Updated on: 17/04/2020 
  • Next review date: 17/04/2024



occy, a brand of Smart Recruit Online Limited, is required to keep and process certain information about its staff members, customers and applicants in accordance with its legal obligations under the General Data Protection Regulation (GDPR). 


This policy is in place to ensure all staff and system users are aware of their responsibilities and outlines how occy complies with the following core principles of the GDPR. 


Organisational methods for keeping data secure are imperative, and occy believes that it is good practice to keep clear practical policies, backed up by written procedures. 


This policy complies with the requirements set out in the GDPR, which came into effect on 25 May 2018. 


Why this policy exists 

This data protection policy ensures occy: 

  • Complies with data protection law and follows good practice 
  • Protects the rights of staff, customers and partners 
  • Is open about how it stores and processes individuals’ data 
  • Protects itself from the risks of a data breach 


Data Protection Law 


This policy has due regard to legislation, including, but not limited to the following: 

  • The General Data Protection Regulation (GDPR) 
  • The Freedom of Information Act 2000 


This policy will also have regard to the following guidance: 

  • Information Commissioner’s Office (2017) ‘Overview of the General Data Protection Regulation (GDPR)’ 
  • Information Commissioner’s Office (2017) ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’ 


This policy will be implemented in conjunction with the following other policies: 

  • Data Breach Policy – available on request 
  • Candidate Privacy Policy – available on request 
  • General Privacy Policy 


People, Risks and Responsibilities 

This policy applies to: 

  • The head office of occy 
  • All branches of occy 
  • All staff and volunteers of occy 
  • All contractors, suppliers and other people working on behalf of occy 


It applies to all data that the company holds relating to identifiable individuals.  This can include: 

  • Names of individuals 
  • Postal addresses 
  • Email addresses 
  • Telephone numbers 
  • …plus any other information relating to individuals 


Data Protection Risks 

This policy helps to protect occy from some very real data security risks, including: 

  • Breaches of confidentiality. For instance, information being given out inappropriately 
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them 
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data 



Everyone who works for or with occy has some responsibility for ensuring data is collected, stored and handled appropriately. 


Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. 


A DPO will be appointed to: 

  • Inform and advise occy and its employees about their obligations to comply with the GDPR and other data protection laws. 
  • Monitor occy’s compliance with the GDPR and other laws, including managing internal data protection activities, advising on data protection impact assessments, conducting internal audits, and providing the required training to staff members. 


An existing employee will be appointed to the role of DPO provided that their duties are compatible with the duties of the DPO and do not lead to a conflict of interests. The individual appointed as DPO will have professional experience and knowledge of data protection law, particularly that in relation to recruitment. 


The DPO will report to the highest level of management at occy, which is the Chief Executive Officer. 


The DPO will operate independently and will not be dismissed or penalised for performing their tasks. 


Sufficient resources will be provided to the DPO to enable them to meet their GDPR obligations. 


However, these people have key areas of responsibility: 

The Board of Directors is ultimately responsible for ensuring that occy meets its legal obligations. 


The Data Protection Officer, Chris Earnshaw, is responsible for: 

  • Keeping the board updated about data protection responsibilities, risks and issues. 
  • Reviewing all data protection procedures and related policies, in line with an agreed Schedule. 
  • Arranging data protection training and advice for the people covered by this policy. 
  • Handling data protection questions from staff and anyone else covered by this policy. 
  • Dealing with requests from individuals to see the data occy holds about them (also called ‘subject access requests’). 
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data. 
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards. 
  • Performing regular checks and scans to ensure security hardware and software are functioning properly. 
  • Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services. 
  • Approving any data protection statements attached to communications such as emails and letters. 
  • Addressing any data protection queries from journalists or media outlets like newspapers. 
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles. 


General Staff Guidelines 

  • The only people able to access data covered by this policy should be those who need it for their work. 
  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers. 
  • Occy will provide training to all employees to help them understand their responsibilities when handling data. 
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below. 
  • In particular, strong passwords must be used and they should never be shared. 
  • Personal data should not be disclosed to unauthorised people, either within the company or externally. 
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of. 
  • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection. 


Applicable Data 

For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including an online identifier such as an IP address. 


GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded. 


Sensitive personal data is referred to in the GDPR as ‘special categories of personal data’, which are broadly the same as those in the Data Protection Act (DPA) 1998. These specifically include the processing of genetic data, biometric data and data concerning health matters. 



In accordance with the requirements outlined in the GDPR, personal data will be: 

  • Processed lawfully, fairly and in a transparent manner in relation to individuals. 
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. 
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 
  • Accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. 
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals. 
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”. 



occy will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR. 


occy will provide comprehensive, clear and transparent privacy policies. 


Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences. 


Internal records of processing activities will include the following: 

  • Name and details of the organisation 
  • Purpose(s) of the processing 
  • Description of the categories of individuals and personal data 
  • Retention schedules 
  • Categories of recipients of personal data 
  • Description of technical and organisational security measures 
  • Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place 


occy will implement measures that meet the principles of data protection by design and data protection by default, such as: 

  • Data minimisation 
  • Pseudonymisation 
  • Transparency 
  • Allowing individuals to monitor processing 
  • Continuously creating and improving security features 
  • Data protection impact assessments will be used, where appropriate 


Lawful Processing 

The legal basis for processing data will be identified and documented prior to data being processed. 


Under the GDPR, data will be lawfully processed under the following conditions: 

  • The consent of the data subject has been obtained. 
  • Processing is necessary for: 
    • Compliance with a legal obligation. 
    • The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
    • For the performance of a contract with the data subject or to take steps to enter into a contract. 
    • Protecting the vital interests of a data subject or another person. 
    • For the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. 


Sensitive data will only be processed under the following conditions: 

  • Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law. 
  • Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent. 
  • Processing relates to personal data manifestly made public by the data subject. 
  • Processing is necessary for: 
    • Carrying out obligations under employment, social security or social protection law, or a collective agreement. 
    • Protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent. 
    • The establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity. 
    • Reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards. 
    • The purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional. 
    • Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices. 
    • Archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1). 



  • Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes. 
  • Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes. 
  • Where consent is given, a record will be kept documenting how and when consent was given. 
  • occy ensures that consent mechanisms meet the standards of the GDPR. 
  • Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease. 
  • Consent accepted under the DPA will be reviewed to ensure it meets the standards of the GDPR; however, acceptable consent obtained under the DPA will not be reobtained. 
  • Consent can be withdrawn by the individual at any time. 


Legitimate Interests 

Where appropriate (for example, webinars that have multiple hosts) we will apply the rules of contact by ‘legitimate interest’. This will cover communications with a candidate where it is in the individual’s interest to receive a communication from occy or a prospective client contact, where we have reasonable cause to believe they are involved in recruitment-related activities for a given organisation. In each instance where legitimate interest is applied we will follow the ICO guidelines and ensure that the individual is offered the opportunity to opt out of further communications with us. 


The Right to be Informed 

The privacy notice supplied to individuals with regard to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge. 


In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice: 

  • The identity and contact details of the controller, and where applicable, the controller’s representative and the DPO. 
  • The purpose of, and the legal basis for, processing the data. 
  • The legitimate interests of the controller or third party. 
  • Any recipient or categories of recipients of the personal data. 
  • Details of transfers to third countries and the safeguards in place. 
  • The retention period or criteria used to determine the retention period. 
  • The existence of the data subject’s rights, including the right to: 
    • Withdraw consent at any time. 
    • Lodge a complaint with a supervisory authority. 
  • The existence of automated decision making, including profiling, how decisions are made, the significance of the process and the consequences. 


Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided. 


Where data is not obtained directly from the data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided. 


For data obtained directly from the data subject, this information will be supplied at the time the data is obtained. 


In relation to data that is not obtained directly from the data subject, this information will be supplied: 

  • Within one month of having obtained the data. 
  • If disclosure to another recipient is envisaged, at the latest, before the data are disclosed. 
  • If the data are used to communicate with the individual, at the latest, when the first communication takes place. 


The Right of Access 

  • Individuals have the right to obtain confirmation that their data is being processed. 
  • Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing. 
  • occy will verify the identity of the person making the request before any information is supplied. 
  • A copy of the information will be supplied to the individual free of charge. 
  • Where a SAR has been made electronically, the information will be provided in a commonly used electronic format. 
  • Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged. 
  • All fees will be based on the administrative cost of providing the information. 
  • All requests will be responded to without delay and at the latest, within one month of receipt. 
  • In the event of numerous or complex requests, the period of compliance will be extended by a further two months. 
  • The individual will be informed of this extension, and will receive an explanation of why the extension is necessary, within one month of the receipt of the request. 
  • Where a request is manifestly unfounded or excessive, occy holds the right to refuse to respond to the request. 
  • The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal. 
  • In the event that a large quantity of information is being processed about an individual, occy will ask the individual to specify the information the request is in relation to. 


The Right to Rectification 

  • Individuals are entitled to have any inaccurate or incomplete personal data rectified. 
  • Where the personal data in question has been disclosed to third parties, occy will inform them of the rectification where possible. 
  • Where appropriate, occy will inform the individual about the third parties that the data has been disclosed to. 
  • Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex. 
  • Where no action is being taken in response to a request for rectification, occy will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy. 


The Right to Erasure 

Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. 


Individuals have the right to erasure in the following circumstances: 

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed 
  • When the individual withdraws their consent 
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing 
  • The personal data was unlawfully processed 
  • The personal data is required to be erased in order to comply with a legal obligation 
  • The personal data is processed in relation to the offer of information society services to a child 


occy has the right to refuse a request for erasure where the personal data is being processed for the following reasons: 

  • To exercise the right of freedom of expression and information 
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority 
  • For public health purposes in the public interest 
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes 
  • The exercise or defence of legal claims 


Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. 


Where personal data has been made public within an online environment, occy will inform other organisations who process the personal data to erase links to and copies of the personal data in question. 


The Right to Restrict Processing 

Individuals have the right to block or suppress processing of their personal data. In the event that processing is restricted, occy will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future. 


occy will restrict the processing of personal data in the following circumstances: 

  • Where an individual contests the accuracy of the personal data, processing will be restricted until occy has verified the accuracy of the data 
  • Where an individual has objected to the processing and occy is considering whether their legitimate grounds override those of the individual 
  • Where processing is unlawful and the individual opposes erasure and requests restriction instead 
  • Where occy no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim 


If the personal data in question has been disclosed to third parties, occy will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. 


occy will inform individuals when a restriction on processing has been lifted. 


The Right to Data Portability 

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. 


Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability. 


The right to data portability only applies in the following cases: 

  • To personal data that an individual has provided to a controller 
  • Where the processing is based on the individual’s consent or for the performance of a contract 


When processing is carried out by automated means, personal data will be provided in a structured, commonly used and machine-readable form. 


occy will provide the information free of charge. 


Where feasible, data will be transmitted directly to another organisation at the request of the individual. 


occy is not required to adopt or maintain processing systems that are technically compatible with other organisations. 


In the event that the personal data concerns more than one individual, occy will consider whether providing the information would prejudice the rights of any other individual. 


occy will respond to any requests for portability within one month. 


Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request. 


Where no action is being taken in response to a request, occy will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy. 


The Right to Object 

Should an individual wish to object to their data being processed they will need to contact occy directly via [email protected] 


Individuals have the right to object to the following: 

  • Processing based on legitimate interests or the performance of a task in the public interest 
  • Direct marketing 
  • Processing for purposes of scientific or historical research and statistics. 


Where personal data is processed for the performance of a legal task or legitimate interests: 

  • An individual’s grounds for objecting must relate to his or her particular situation. 
  • occy will stop processing the individual’s personal data unless the processing is for the establishment, exercise or defence of legal claims, or, where occy can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual. 


Where personal data is processed for direct marketing purposes: 

  • occy will stop processing personal data for direct marketing purposes as soon as an objection is received. 
  • occy cannot refuse an individual’s objection regarding data that is being processed for direct marketing purposes. 


Where personal data is processed for research purposes: 

  • The individual must have grounds relating to their particular situation in order to exercise their right to object. 


Where the processing of personal data is necessary for the performance of a public interest task, occy is not required to comply with an objection to the processing of the data. 


Where the processing activity is outlined above, but is carried out online, occy will offer a method for individuals to object online. 


Privacy by Design and Privacy Impact Assessments 

occy will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how occy has considered and integrated data protection into processing activities. 


Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with occy’s data protection obligations and meeting individuals’ expectations of privacy. DPIAs will allow occy to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage from being caused to occy’s reputation which might otherwise occur. 


A DPIA will be used when using new technologies or when the processing is likely to result in a high risk to the rights and freedoms of individuals. 


A DPIA will be used for more than one project, where necessary. High risk processing includes, but is not limited to, the following: 

  • Systematic and extensive processing activities, such as profiling 
  • Large scale processing of special categories of data or personal data which is in relation to criminal convictions or offences 


occy will ensure that all DPIAs include the following information: 

  • A description of the processing operations and the purposes 
  • An assessment of the necessity and proportionality of the processing in relation to the purpose 
  • An outline of the risks to individuals 
  • The measures implemented in order to address risk 


Where a DPIA indicates high risk data processing, occy will consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR. 


Data Breaches 

The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. 


The DPO will ensure that all staff members are made aware of, and understand, what constitutes a data breach as part of their continuous development training. 


A full Data Breach Policy is available from the DPO. 


Data Security 

Confidential paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access. 


Confidential paper records will not be left unattended or in clear view anywhere with general access. 


Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site. 


Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use. 


Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted. 


All electronic devices are password-protected to protect the information on the device in case of theft. 


All necessary members of staff are provided with their own secure login and password. 


Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security. 


The person taking the information from occy premises accepts full responsibility for the security of the data. 


Before sharing data, all staff members will ensure: 

  • They are allowed to share it. 
  • That adequate security is in place to protect it. 
  • Who will receive the data has been outlined in a privacy notice. 


Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of occy containing sensitive information are supervised at all times. 


The physical security of occy’s buildings and storage systems, and access to them, is reviewed on an annual basis. If an increased risk of vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place. 


occy takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action. 


The Data Protection Officer is responsible for ensuring that continuity and recovery measures are in place to ensure the security of protected data. 


Data Retention 

Data will not be kept for longer than is necessary. Where appropriate, personal data that has not been used, or that has no further significance or purpose, will be retained for a maximum period of 2 years. 


How long we retain your Personal Data depends on the type of data and the purpose for which we process the data. We will retain your Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law. 


Unrequired data will be deleted as soon as practicable. Some records relating to former employees of occy may be kept for an extended period for legal reasons, but also to enable the provision of references. 


Paper documents will be shredded or pulped, and electronic memories scrubbed clean or destroyed, once the data should no longer be retained. 

Terms of Use of occy 

occy provides this Website and Services (located at www.occy.com) to you subject to the notices, terms, and conditions set forth in these terms (the “Terms of Use”). In addition, when you use any of our Services, you will be subject to the rules, guidelines, policies, terms, and conditions applicable to such service, and they are incorporated into this Terms of Use by this reference. This Terms of Service was created by occy, a brand of Smart Recruit Online. 


These Terms of Use are effective as of 12/02/2023. 


Your eligibility for use of the Website is contingent upon meeting the following conditions: 

  • You are at least 18 years of age 
  • You use the Website and Services according to these Terms of Use and all applicable laws and regulations determined by the state and country of residence 
  • You provide complete and accurate registration information and maintain accurate registration information on the Website 
  • You agree and understand that occy may, at any time, and without prior notice, revoke and/or cancel your access if you fail to meet these criteria or violate any portion of these Terms of Use 


Use of this Website 

In connection with your use of our Website, you must act responsibly and exercise good judgment. Without limiting the foregoing, you will not: 

  • Violate any local, state, provincial, national, or other law or regulation, or any order of a court 
  • Infringe the rights of any person or entity, including without limitation, their intellectual property, privacy, publicity or contractual rights 
  • Interfere with or damage our Services, including, without limitation, through the use of viruses, cancelbots, Trojan horses, harmful code, flood pings, denial-of-service attacks, packet or IP spoofing, forged routing or electronic mail address information or similar methods or technology 
  • Use automated scripts to collect information or otherwise interact with the Services or the Website 
  • Enter into this agreement on behalf of another person or entity without consent or the legal capacity to make such agreements as a representative of an organization or entity 


Subscription Agreement 

The Subscription Agreement confirms that you agree to operate responsibly within the laws and regulations of the country within which you operate and within the reasonable guidelines set out by ourselves. It aims to provide clear guidelines on what is permitted within the confines of the agreement by each user and what would be considered to be a breach of our conditions. 


For example, occy maintains high ethical standards that are outlined within the agreement and will not tolerate offensive or discriminatory behaviour. Each user must be authorised and only access the site using their official login details, which must not be shared under any circumstances. 


The Subscription Agreement also outlines SLAs, Supplier and Customer obligations, proprietary rights, confidentiality, indemnity, limitations of liability, termination clauses and third-party rights. 


The SaaS agreement is written in accordance with the laws of England and Wales. 


You can access the full Subscription Agreement by contacting your system administrator. 


A copy of the SaaS agreement is also available within the settings area once you are logged into your account. 


Data Protection Agreement 

The DPA confirms that you agree to operate responsibly within the laws and regulations of the country within which you operate and within the reasonable guidelines set out by ourselves. 


It provides guidelines on how we manage and process data and how we apply suitable security measures. You will also find information about 3rd party processors of data. 


You can access the full Data Protection Agreement by contacting your system administrator. 


Intellectual Property 

All code, text, software, scripts, graphics, files, photos, images, logos, and materials contained on this Website, or within the Services, are the sole property of occy. 


Unauthorized use of any materials contained on this Website or within the Service may violate copyright laws, trademark laws, the laws of privacy and publicity, and/or other regulations and statutes. If you believe that any of the materials infringe on any third party’s rights, please contact occy immediately at the address provided below. 


Third-Party Websites 

Our Website may link you to other sites on the Internet or otherwise include references to information, documents, software, materials and/or services provided by other parties. These websites may contain information or material that some people may find inappropriate or offensive. 


These other websites and parties are not under our control, and you acknowledge that we are not responsible for the accuracy, copyright compliance, legality, decency, or any other aspect of the content of such sites, nor are we responsible for errors or omissions in any references to other parties or their products and services. The inclusion of such a link or reference is provided merely as a convenience and does not imply endorsement of, or association with, the Website or party by us, or any warranty of any kind, either express or implied. 


Disclaimer of Warranty and Limitation of Liability 

The Website is provided “AS IS.” appfigures, its suppliers, officers, directors, employees, and agents exclude and disclaim all representations and warranties, express or implied, related to this Website or in connection with the Services. You exclude occy from all liability for damages related to or arising out of the use of this Website. 


Changes to these Terms of Use 

occy retains the right to, at any time, modify or discontinue, any or all parts of the Website without notice. 


Additionally, occy reserves the right, in its sole discretion, to modify these Terms of Use at any time, effective by posting new terms on the Website with the date of modification. You are responsible for reading and understanding the terms of this agreement prior to registering with, or using the Service. Your use of the Website and/or Services after any such modification has been published constitutes your acceptance of the new terms as modified in these Terms of Use. 


Governing Law 

These Terms of Use and any dispute or claim arising out of, or related to them, shall be governed by and construed in accordance with the internal laws of the GB without giving effect to any choice or conflict of law provision or rule. 


Any legal suit, action or proceeding arising out of, or related to, these Terms of Use or the Website shall be instituted exclusively in the federal courts of GB. 


Services Level Agreements 

The Supplier shall, during the Subscription Term, provide the Services to the Customer on and subject to the terms of this Agreement. 


The Supplier shall use reasonable endeavours to make the Services available 24 (twenty-four) hours a day, 7 (seven) days a week, except for planned maintenance. 


The supplier aims to maintain a system uptime in excess of 99% and to rectify priority bugs and fixes within 24 hours wherever possible. 


The supplier aims to fix all non-essential features and services that are impaired or not working properly within 48 hours, but non-disabling or cosmetic issues with little or no impact on normal operations will be updated at the next available software release wherever possible. 


Unscheduled maintenance performed outside Normal Business Hours, provided that the Supplier has used all reasonable endeavours to give the Customer notice in advance of such unscheduled maintenance. 


4.3 The Supplier will, as part of the Services and at no additional cost to the Customer, provide the License paying Customer’s Administration team, with customer support services (which includes online, telephone and video training, coaching and mentoring) during Normal Business Hours.