FAQs for clients

The EU General Data Protection Regulation (GDPR) is perhaps the most significant piece of European privacy legislation in the last twenty years. It seeks to strengthen the rights that EU individuals have over their data, creating a uniform data protection law across Europe, including the UK.

Thomas International UK (Thomas) currently complies with all applicable data protection regulations and is committed to GDPR compliance when the GDPR takes effect on 25 May 2018. Thomas has a dedicated internal team made up of cross-functional stakeholders to drive our organisation to meet requirements.

Is Thomas registered with the Information Commissioner's Office (ICO)?

Yes, Thomas is registered with the ICO and our full details can be found here.

In our agreements with Thomas you are defined as the “Data Processor” and ourselves as “Data Controller”. Can you provide more detail of the roles and responsibilities between ourselves and Thomas?

Thomas as the Data Processor will “act solely on the Specific Instructions of Company in relation to the Processing of Company Personal Data”.

This means that we will only process the data as per our clients’ instructions. Our Data Processing Agreement (DPA) details this and the other responsibilities of both data controller and processor.

Do you share the information we provide with other organisations?

No, Thomas does not share any client personal data with any other organisations without our client’s specific permission and instruction. As the Data Processor, Thomas is only permitted to act on the strict instructions of our clients who are the Data Controllers and ultimately “own” the data.

We’ve been contacted by a candidate who is looking to be forgotten. How do we ensure the candidate’s data is removed completely?

Clients have access to their Thomas Hub which enables them to manage and delete the data of any data subject who wishes to exercise their right to be deleted.

How long does Thomas hold the data in their database?

As Data Processor, we do not “own” the data and our clients have access to delete the data from their Thomas Hub. Therefore, we will retain the data on our systems until the clients delete the records and data.

For research purposes data is held separately on a secure permissioned database. You can request that this data is removed at any time by contacting [email protected].

Where does Thomas store and process the data that is provided?

Thomas process all assessment data within the European Economic Area (EEA) and have the main processing of data on our own dedicated servers in Tier 1 datacentres in London. We also utilise the Cloud with controls to ensure that all candidate data that is provided is processed solely in the EEA.

What is Thomas' policy on transferring customer data outside of the EEA?

Thomas do not currently transfer any candidate data that is covered by GDPR outside of the EEA and have organisational and technical controls in place to ensure this continues to be the case.

Our Data Processing Agreement (DPA) does detail the process for agreeing any such transfers.

What recognised accreditations does Thomas hold?

Thomas hold ISO 9001 accreditation.

What technical security measures does Thomas take to protect our data?

Thomas takes data security extremely seriously, with both organisational and technical measures in place to protect client and candidate data.

Our security document, which can be downloaded here, details the technical security measures we take including details of the accreditations of the datacentres we use for the processing of client data.

What organisational measures does Thomas take to protect data?

In addition to the technical measures taken, Thomas ensures that organisational measures are taken equally seriously to ensure data is suitably protected.

At Thomas we:

  • Ensure all employees are aware of data protection matters, updated on emerging security risks (e.g. spear phishing, malware) and undertake data protection training which is reviewed annually
  • Carry out pre-employment checks on all employees
  • Have a Data Protection Officer who is our champion for data protection and can be contacted directly with any queries our clients or candidates may have about their data and how we protect it
  • Have access control systems in place at all offices to ensure only authorised individuals can access our premises
  • Ensure that access to our systems is designed, controlled and monitored to restrict access by users to the data, ensuring further protection of the data we hold
  • Have appropriate policies and procedures in place to support our technical measures.

What data protection training do Thomas employees undertake?

Thomas ensures that all employees (including temporary and interim staff) undertake extensive training to help support them in their work. The mandatory training includes online training for data protection and the changes under GDPR. This training is reviewed on an annual basis so that any changes in the legislation and updated training are incorporated, helping to ensure that staff are up to date in their knowledge and skills.

Who should I contact if I have a data protection query?

Should you have any queries around data protection please contact our Data Protection Officer in the first instance at [email protected].

If you wish to escalate an issue or make a complaint, then you should contact the Information Commissioner's Office (ICO). Full details of how to register a concern or make a complaint can be found at https://ico.org.uk/concerns/.