Thomas Privacy Notice

[Last updated 09/04/2019]

The following privacy notice applies to the websites and services offered by Thomas International UK Limited and outlines how we collect and use your information and is effective from the 25th May 2018.

When we mention “Thomas”, “we”, “us” or “our” in this privacy notice, we are referring to Thomas International UK Limited.

Thomas International UK Limited (“Thomas”), the Data Controller, can be contacted at 1st Floor, 18 Oxford Road, Marlow, SL7 2NL.

At Thomas we are committed to respecting your privacy and treat our customers’ data like our own to ensure its safety and security.

We also make sure we act in accordance with Data Protection legislation, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”).

We may make changes to this privacy notice from time to time to ensure it remains up to date and in response to any feedback from users; any changes will be updated on this page.

We may also seek to let our customers know of any substantial changes via email.

This statement was last updated on 09/11/2018.

Are you registered with the Information Commissioner’s Office (ICO)?

Yes, Thomas International UK are registered with the ICO and our registration number is Z4982349; our entry on the ICO’s Register can be located here.

Do you have a Data Protection Officer?

Yes, Thomas take data protection very seriously and have a Data Protection Officer who monitors our compliance with the GDPR and other relevant legislation.

Should you have any queries or concerns please email them at [email protected] or call our Marlow office on (01628) 475366 and they will be happy to help.

Are Thomas always acting as data controller?

Whilst Thomas are registered with the ICO as a data controller, some of our activities mean we act solely as a data processor for our clients, for example when we provide them with our online assessment service.

A simple way to understand the difference is as follows.

The Data Controller decides what personal data is collected, the means of the collection and its purpose. Whereas the Data Processor acts specifically on explicit instructions by the relevant data controller to undertake a defined process, involving the personal data provided.

Where Thomas act as a data processor or sub-processor for clients, we have agreements in place to ensure data security and to ensure we act in accordance with our customers’ wishes and of course the relevant data protection legislation.

What personal data do you collect directly from you when you visit our website?

When requesting information about our services you may use a contact form where you are asked to enter your name, email address, postcode, phone number or other details to help your customer experience, or to provide you with documentation, such as whitepapers.

What personal data do we collect indirectly from you when you visit our website?

We may collect information about how you use our website to keep improving the way it works. We may collect statistics on how many people are visiting our website pages, where they come from, when they visit and how long they stay and what pages they look at.

This will include information about the originating IP addresses (which may infer your geographic location, but not your identity), internet service providers, the files viewed on our site and timestamps.

We may also look at the browser, operating systems and devices you use to make sure you get a good online experience, however you access our website.


We also use cookies on our website and full details of the cookies used on our website can be found on our cookies page which can be found here.

We’ve detailed below a quick diagram which explains the process of marketing communication to support with the process.

The prospect or customer can arrive to us from anywhere in the world and we may send the enquiry to the appropriate global partner based on the user’s locale.

If I take a Thomas assessment how is my personal data collected and used?

We’ve detailed below a quick diagram which explains the process of taking a Thomas assessment which we hope you find useful.

The company that has requested you take an online assessment is the data controller and Thomas are acting as the data processor. The data controller decides what data is collected, and what this data is used for. Should you have any concerns about the data you are being asked to provide or the process, you should contact them in the first instance.

We act as processor for two main methods of processing assessments – 1. providing customers with access to their own hub logins to manage the service themselves or 2. managing the service of sending the assessments out on the data controllers behalf – this will be described as the “Bureau” service in this document.

We also offer an assessment service directly to candidates, which is called “Personal Profile”, which can be taken directly and paid for online. The process is slightly different as there is no third party involved, so in the above diagram the process is a little simpler with the request coming directly from the applicant themselves and the “Personal Profile” report being provided directly to an applicant and assessment taken immediately after payment.

Are the assessments provided by Thomas considered “Automated Decision Making, including Profiling” as detailed in the GDPR?

No, all of the assessments Thomas provide should never be used in isolation in the recruitment or personnel development process. Thomas assessments are provided to the data Controller as part of their wider decision-making process alongside all of the other information that the Controller has collected.

Do Thomas use personal data in their research?

Thomas undertake research and analysis to further improve and enhance our services to our clients and candidates, which will require us to process personal data for this clearly defined purpose.

When we process personal data for research we do so as a data controller.

When processing personal data for research, we ensure to adopt appropriate safeguards such as pseudonymisation (where the data is not fully identifiable) and ensure that only our dedicated team of researchers have access to the data to undertake this work.

Our research and psychology teams are bound by the latest ethical guidelines and data protection laws. Once their research is completed all data used is fully anonymised, so it is impossible to identify any one individual from the data.

In the event Thomas is the Controller: What lawful basis do Thomas have for using your data?

This can depend, although we can assure you that Thomas only ever process data when we have a lawful basis to do so.

Based on the variety of services we provide and how they are provided, we may rely on different lawful basis when processing your data.

We may also process your data as a controller to allow us to achieve our legitimate interests, always ensuring that these are carefully balanced, recorded and do not adversely impact your rights.

There may also be particular instances where we require your consent for the processing of your personal data. We will always ensure any consent obtained is aligned with current applicable legislation and is specific and informed when this is required and our lawful basis for processing

How do Thomas ensure the security of their systems and protect my data?

Everyone at Thomas takes the security of personal data entrusted to us extremely seriously. All our servers that are used for our assessments are housed in highly secure environments and within the EEA (European Economic Area).

Thomas also manage our IT environment ourselves, ensuring we retain full control of the systems that underpin the assessments we provide and the data they hold.

Thomas regularly test the security of our networks and involve external experts to help us with this. Access to personal data is restricted and only accessed by those who have a legitimate reason to access it.

All our UK offices have access control systems in place and all colleagues at Thomas receive regular training on data protection and IT security.

If you would like to know more about how we secure our systems then please read our IT Security Document available on the website, which gives more detail about how we embed both Security and Privacy by Design in our systems and processes.

Does Thomas engage with any sub processors?

Thomas is made up of different legal entities, with Thomas International UK Limited having two permitted sub processors within the Thomas group of companies who work to provide our assessments and services.

  • Thomas International Ltd (Company registration number 01568983)
  • Thomas Technologies Ltd (Company registration number 07726868)

In addition to providing the Thomas assessments, we also work with third-parties who provide additional solutions used by some of our customers and who act as sub processors.

Currently we use the following third parties (sub processors):

We will ensure that the above list is regularly updated to reflect the sub processors used by Thomas.

Thomas always ensure that any sub-processing is only undertaken when required and, in such instances, only undertaken by suitable companies and measures are in place to protect personal data being processed.

Thomas ensure sufficient checks are made to ensure the security of processing and this is governed by a suitable contract.

How and where is your data stored?

Thomas ensure the security of customers’, clients’ and their candidate’s data at all times and this forms a part of everything we do.

We ensure that all personal data that people provide as part of the assessment process stays in the EEA and is given the protection it deserves.

In certain circumstances, Thomas may process personal data, other than assessment data, outside of the EEA. An example of such processing would be the use of systems such as Salesforce, which Thomas use (as a data controller) to manage our customer interactions, customer orders and holds details of potential customers and leads.

Whenever Thomas process or transfer personal data outside of the EEA, we ensure that this receives the same levels of protection as it would within the EEA and complies with all relevant legislation.

How long do we keep personal data?

As prescribed in the GDPR Thomas only keep personal data as long as necessary. When deciding how long we keep personal data we take into account any minimum retention requirements set out in law. These retention periods relate in the main to our activities as a data controller and not a processor.

If you have been asked to take a Thomas assessment, Thomas usually act as a data processor and the employer, or potential employer, is acting as the data controller and so they will decide how long data should be retained and manage the retention and deletion process accordingly.

For our clients using the Thomas Bureau service (where we provide a managed service for sending out assessment links) the relationship of controller and processor remains, with Thomas taking instruction from the client to delete data on their explicit instructions; however, within our retention policy and agreements we have made provision for deletion of any remaining personal data relating to assessments at the end of the service, for both Thomas Hub and Thomas Bureau clients.

If you are taking an assessment directly with Thomas, via our “Personal Profile” assessment service, then we will only keep your assessment data in an identifiable format for three months.

How does Thomas ensure the security of any payments made online?

Thomas take secure online payments for assessments, including the “Personal Profile” PPA assessment using Stripe as our payment partner (please see ).

Stripe offer a highly secure payment platform and full details of their security and privacy policy, detailing how information provided for payment processing is collected and used, can be found here.

What rights do I have?

The GDPR brings in many changes including enhanced new rights, enabling data subjects to have more control of their data and how it is used.

The GDPR gives you the right to contact the data controller:

  • To request access to the personal data they hold about you, without charge (certain exceptions apply).
  • To request correction of your personal data if it is incorrect or out of date. If the data they hold about you is out of date, incomplete or incorrect you can inform them, and your data will be updated.
  • To request to withdraw consent for processing your data if that process relies on consent.
  • To request that they delete your data. If you feel they should no longer be using your data, you can request that they erase the data that they hold. Upon receiving a request for erasure, they will confirm whether it has been deleted or the reason why it cannot be deleted.
  • To object to processing of your data. You may request that they stop processing information about you. Upon receiving your request, they will contact you and let you know if they are able to comply or if they have legitimate grounds to continue to process your data. Even after you exercise your right to object, they may continue to hold your data to comply with your other rights or bring or defend legal claims.
  • To request that they transfer your data to another controller if the data is processed by automated means (i.e. excluding paper files).
  • The right to request restriction of processing of your personal data. This enables you to ask them to suspend the processing of your personal data: (a) if you want them to establish the data’s accuracy; (b) where their use of the data is unlawful but you do not want them to erase it; (c) where you need them to hold the data even if they no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to their use of your data but they need to verify whether they have overriding legitimate grounds to use it.

Please be aware that if you have been asked to complete a Thomas assessment by a company or organisation, the Data Controller (this would normally be your employer, potential employer or educational establishment) is ultimately responsible for assisting you in exercising your rights, so we would recommend that you contact them in the first instance.

If Thomas are acting as Data Processor we are unable to fulfil your request and will simply pass this to the company or organisation who are acting as the Data Controller.

To exercise any of your rights where Thomas are acting as Data Controller please contact us at [email protected], or alternatively you can write to us at:

Data Protection Officer
Thomas International
1st Floor, 18 Oxford Road

You can also contact us via our Social Media channels (Twitter, Facebook and LinkedIn), or phone us on (01628) 475366.

Examples of where Thomas are acting as Data Controller would include, but are not limited to:

  • Processing of customer and prospective customer (prospect) personal data.
  • Processing of personal data of employees and ex-employees.
  • Processing of personal data in the course of recruiting new Thomas employees.
  • Processing of candidate data for research purposes.
  • Providing the “Personal Profile” assessment service.

Thomas, when acting as Data Controller, will aim to respond to your request within 30 days and at no charge.

However, in the case of a request that is seen to be complex or excessive we may require more time to respond to you. In such instances we would always contact you to try and discuss the request and see how we can assist, and always within the initial 30-day period.

Thomas also reserve the right to charge an admin fee or refuse a request where requests for data are clearly unreasonable or excessive, particularly if they are repetitive.

Links to other websites

This website may contain external links to other “non-Thomas” websites. This privacy notice does not cover how that organisation processes personal data and we would strongly encourage you to read the privacy notices on any such websites you visit.

Disclosure of your personal data

Under certain circumstances, Thomas may be required to disclose your personal data if required to do so by law, or in response to valid requests by law enforcement or other government agencies.

Thomas may disclose your personal data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation.
  • Protect and defend the rights or property of Thomas.
  • Prevent or investigate possible wrongdoing in connection with services we provide.
  • Protect the personal safety of users of our services or the public.
  • Protect against legal liability.

Thomas will only ever fulfil requests for personal data in circumstances where we are permitted to so in accordance with applicable law and regulation.

Changes to this Privacy Notice

We will act on feedback from our customers and any changes in the regulations to amend this privacy notice and will post any changes here on our website with details of the date this was amended. We may also seek to let our customers know of any substantial changes via email.

Reporting a Data Breach

Should you believe that there has been a loss of personal data that we use or manage, or an unlawful use or disclosure of this data, please contact our Data Protection Officer at [email protected] or call them on (01628) 475366.

Resolving Privacy Issues

At Thomas we will try our best to resolve any data privacy issue you may have, so please remember you can always contact our Data Protection Officer at [email protected].

However, you have the right to refer any data privacy issue or concern to the ICO at any time. You can find full details of how to contact the ICO at