Thomas Privacy Notice

The following privacy applies to the websites and services offered by Thomas International UK and outlines how we collect and use your information and is effective from the 25th May 2018.

We may make changes to this privacy policy from time to time to ensure it remains up to date and in response to any feedback from users; any changes will be updated on this page.

Thomas International UK (“Thomas”), the Data Controller, can be contacted at 1st Floor, 18 Oxford Road, Marlow, SL7 2NL

Thomas are committed to respecting your privacy and complying with applicable data protection and privacy laws.

Thomas always treat our customers’ data like their own to ensure its safety, and act in accordance with Data Protection legislation, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”).

This statement was last updated on 24th May 2018.

Are you registered with the Information Commissioners office (ICO)?

Yes, Thomas International UK are registered with the ICO and our registration number is Z4982349

Do you have a Data Protection Officer?

Yes, Thomas take data protection very seriously and have a Data Protection Officer who is responsible for all matters relating to data protection and you can them contact should you have any queries.

Please email them at [email protected] or call our Marlow office on (01628) 475366 and they will be happy to help.

Are Thomas always acting as data controller?

Whilst Thomas are registered with the ICO as a data controller, some of our activities mean we act solely as a data processor for our clients, for example when we provide them with our online assessment service.

A simple way to understand the difference is as follows.

The Data Controller decides what personal data is collected, the means of the collection and its purpose. Whereas the Data Processor acts specifically on explicit instructions by the relevant data controller to undertake a defined process involving the personal data provided.

Where Thomas act as a data processor or sub processor for clients, we have agreements in place to ensure data security and to ensure we act in accordance with our customers’ wishes and of course the relevant data protection legislation.

What personal data do you collect directly from you when you visit our website?

When requesting information about our services you may use a contact form where you are asked to enter your name, email address, postcode, phone number or other details to help your customer experience or to provide you with documentation, such as whitepapers.

What personal data do we collect indirectly from you when you visit our website?

We may collect information about how you use our website to keep improving the way it works. We may collect statistics on how many people are visiting our website pages, where they come from, when they visit and how long they stay and what pages they look at.

This will include information about the originating IP addresses (which may infer your geographic location but not your identity), internet service providers, the files viewed on our site and timestamps.

We may also look at the browser, operating systems and devices you use to make sure you get a good online experience however you access our sites.

We also use cookies on our website and full details of the cookies used on our website can be found on our cookies page which can be found here.

We’ve detailed below a quick diagram which explains the process of marketing communication to support with the process.

The prospect or customer can arrive to us from anywhere in the world and we may send the enquiry to the appropriate global partner based on the users locale.

If I take a Thomas assessment how is my personal data collected and used?

We’ve detailed below a quick diagram which explains the process of taking a Thomas assessment which we hope you find useful.

The company that has requested you take an online assessment is the data controller and Thomas are acting as the data processor. The data controller decides what data is collected, and what this data is used for. Should you have any concerns about the data you are being asked to provide or the process you should contact them in the first instance.

We act as processor for two main methods of processing assessments – 1. providing customers with access to their own hub logins to manage the service themselves or 2. managing the service of sending the assessments out on the data controllers behalf – this will be described as the Bureau service in this document.

Are the assessments provided by Thomas considered “Automated Decision Making, including Profiling”?

No, all of the assessments Thomas provide should never be used in isolation in the recruitment or personnel development process. Thomas assessments are provided to the data Controller as part of their wider decision making process alongside all of the other information that the Controller has collected.

Do Thomas use personal data in their research?

Thomas undertake research and analysis to further improve and enhance our services to our clients and candidates, which will require us to process personal data for this clearly defined purpose.

When we process personal data for research we do so as a Controller.

When processing personal data for research, we ensure to adopt appropriate safeguards such as pseudonymisation (where the data is not fully identifiable) and ensure that only our dedicated team of researchers have access to the data to undertake this work. Our research and psychology teams are bound by the latest ethical guidelines and data protection laws. Once their research is completed all data used is fully anonymised so it is impossible to identify any one individual from the data.

In the event Thomas is the Controller: What lawful basis do Thomas have for using your data?

This can depend, although we can assure you that Thomas only ever process data when we have a lawful basis to do so.

Based on the variety of services we provide and how they are provided, we will rely on different lawful basis when processing your data.

We may also process your data as a controller to allow us to achieve our legitimate interests, always ensuring that these are carefully balanced and do not adversely impact your rights.

There may also be particular instances where we require your consent for the processing of your personal data. We will ensure consent obtained is aligned with current applicable legislation and is specific and informed when this is required and the basis for processing.

How do Thomas ensure the security of their systems and protect my data?

Everyone at Thomas takes the security of personal data entrusted to us extremely seriously. All our servers that are used for our assessments are housed in highly secure environments and within the EEA.

Thomas regularly test the security of our networks and involve external experts to help us with this. Access to personal data is restricted and only accessed by those who have a legitimate reason to access it.

All our offices have access control systems in place and all colleagues at Thomas receive regular training on data protection and IT security.

If you would like to know more about how we secure our systems then please read our IT Security Document available on the website which gives more detail about how we embed both Security and Privacy by Design.

Does Thomas engage with any sub processors?

Thomas is made up of different legal entities, details of which can be found below:

Thomas International Ltd
Thomas International (UK) Ltd
Thomas Technologies Ltd

This privacy notice is issued on behalf of the Thomas Group so when we mention ”Thomas”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the Group responsible for processing your data.

We will let you know which entity will be the controller for your data when you purchase a product or service with us.

Thomas International (UK) Ltd is the controller and responsible for this website.

If you have any questions or want to request further information about us please don’t hesitate to contact us at [email protected].

How and where is your data stored?

Thomas ensure the security of clients’ and their candidate’s data at all times and this forms a part of everything we do.

Our main servers our housed in the highest rated datacentres in the UK (Tier 1), which tightly controls access to the physical environment and provides exceptional system availability. Thomas also manage our IT environment ourselves, ensuring we retain full control of the systems that underpin the assessments we provide and the data they hold.

We ensure that all personal data that people provide as part of the assessment process resides in the EEA and is given the protection it deserves.

How long do we keep personal data?

As prescribed in the GDPR Thomas only keep personal data as long as necessary. When deciding how long we keep personal data we take into account any minimum retention requirements set out in law. These retention periods relate in the main to our activities as a data controller and not a processor.

If you are undertaking a Thomas assessment, Thomas act solely as a data processor and the employer, or potential employer, is acting as the data controller and so they will decide how long data should be retained and manage the retention and deletion process accordingly.

For our clients using the Thomas Bureau service (where we provide a managed service for sending out assessment links) the relationship of controller and processor remains, with Thomas taking instruction from the client to delete data on their explicit instructions; however, within our retention policy we have made provision for deletion of personal data relating to assessments at the end of the service with a Thomas Hub client.

What rights do I have?

The GDPR brings in many changes including enhanced new rights, enabling data subjects to have more control of their data and how it is used.

The GDPR gives you the right:

  • To request access to the personal data we hold about you, without charge (certain exceptions apply and can be explained by contacting the subject access email below in more detail as needed).
  • To request correction of your personal data if it is incorrect or out of date. If the data we hold about you is out of date, incomplete or incorrect you can inform us and your data will be updated.
  • To request to withdraw consent for processing your data if that process relies on consent.
  • To request that we delete your data. If you feel we should no longer be using your data, you can request that we erase the data that we hold. Upon receiving a request for erasure we will confirm whether it has been deleted or the reason why it cannot be deleted.
  • The right to object to processing of your data. You may request that we stop processing information about you. Upon receiving your request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or bring or defend legal claims.
  • To request that we transfer your data to another controller if the data is processed by automated means (i.e. excluding paper files).
  • The right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Please be aware that if you are taking a Thomas assessment, the controller (this would normally be your employer, potential employer or educational establishment) is ultimately responsible for assisting you in exercising your rights, so we would recommend that you contact them in the first instance.

If you want to exercise one of the above rights you need to contact the Controller

To exercise any of your rights please contact at [email protected], or alternatively you can write to us at:

Data Protection Officer
Thomas International
1st Floor, 18 Oxford Road

We will aim to respond to your request within 30 days, unless in the case of a request that is seen to be complex or excessive.

Thomas reserve the right to charge an admin fee or refuse a request where requests for data are clearly unreasonable or excessive, particularly if they are repetitive.

Changes to this privacy policy

We will act on feedback from our customers and any changes in the regulations to amend this privacy policy and will post any changes here on our website with details of the date this was amended.

We may also seek to let our customers know of any substantial changes via email.

Reporting a Data Breach

Should you believe that there has been a loss of personal data that we use or manage, or an unlawful use or disclosure of this data, please contact our Data Protection Officer at [email protected] or call them on 01628 475366.

Resolving Privacy Issues

At Thomas we will always try our best to resolve any data privacy issue you may have so please remember you can contact our Data Protection Officer at [email protected].

However, you have the right to refer any data privacy issue or concern to the ICO at any time. You can find full details of how to contact the ICO at