GDPR Data Policy

This document sets out our General Data Protection Regulation (GDPR) policy:

EU Health Staff Ltd is a recruitment agency, finding doctors for its clients to employ and operates the websites and

  1. The clients are:
    1. GP practices and hospitals both in the UK and overseas
    2. Other agencies with whom EU Health Staff Ltd has an agreement to look for candidates on their behalf
  2. The nominated Data Protection Officer is Paul Brooks, the MD of the company
  3. EU Health Staff currently holds the following data on candidates:
    1. Name and contact details
    2. CV of work experience, when provided by the candidate
    3. Email and telephone call summaries of what vacancies candidates are interested in.
    4. Referees for candidates. Sometimes, these were included in the candidate’s CV. At other times, we may have asked for referees contact details from candidates who have a job offer, so that we may take up references
    5. Registration and licensing information, which may be cross-checked with the medical licensing authorities (like the GMC)
    6. Google search of the candidate, based on name and work locations.
    7. Brief summary of progress, types of vacancy of interest, geographical areas of interest
  4. We store this data in order to be able to put forward appropriately qualified and interested candidates to our clients
  5. EU Health Staff stores this information :
    1. Within the main company computer and its associated back-up disk.
    2. On Excel spreadsheets to maintain a record of active / inactive candidates.
    3. Paper notebooks
  6. If we sent information to our clients, such as a CV and / or candidate contact details and / or a summary of what the candidate is looking for in a job, we transfer the information to the client via email.
  7. Before we send candidate information to a client, we will confirm with you that it is OK to do this
  8. We do not audit our clients’ data systems but we believe that they operate safe and secure systems. This is based on the knowledge that our clients are medical centres and they themselves operate secure data systems for their patient records
  9. Some of our clients are outside of the EU. These include all clients in Australia and Canada
  10. Inbound and outbound email data, including any attachments, are stored online on the computers of the company’s email service provider. These are accessible only via a password system. The email service provider is Fastmail, which has a good record on data security
  11. In addition, if a candidate has sent their CV as a PDF file, then we may have converted that into a Word document. In the processing of this conversion, Adobe, who operate the PDF system, take a copy of the document and store it within their online servers
  12. We keep candidate information for a period of 5 years.
  13. Candidates can ask to view all the data we hold at any time. We will generally respond within 24 hours unless we are away. In which case, it will be within 24 hours of our return to the office
  14. Candidates can ask for their data to be corrected / amended at any time. We will generally respond within 24 hours unless we are away. In which case, it will be within 24 hours of our return to the office
  15. Candidates can ask for their data to be deleted at any time. We will generally respond within 24 hours unless we are away. In which case, it will be within 24 hours of our return to the office
  16. When you send us your contact details and a CV, we will assess whether we have a suitable vacancy for you with our clients. If we do, we may call or email you to discuss your application. We will then add your details to our file of prospective candidates and prepare a brief summary about you. To complete the latter we may ask for additional information. For example: your expectations for a new job, whether you want full time or part time work, when you’d like to start work, how long you’d like to work there for, whether you are going with a partner and / or dependents. We may also check publicly available information on you such as looking at the GMC or IMC (in the case of Ireland) registers or doing a “google search” of your name & practice. We will store this information so that we can refer to it later when discussing jobs with you or for giving client(s) background information about you. You can ask us to not store or send to a client any or all of this information
  17. Please note that we never contact employers or referees etc at any point without your express permission
  18. We will let you know about the vacancies we have (either by telephone or by email) and give you brief details of those which might suit. At the same time we will ask you if we can send your CV to the client(s).
  19. If you agree (either by telephone or by email) to us sending your CV to our client(s), then we will send it to our contact(s) at the client(s) along with the brief summary of yourself (as noted in 1. above)
  20. Once we have lodged your CV with our client, we can give you more details on the client, including their website etc.
  21. If client(s) would like to discuss a job opportunity with you, we will let you know and confirm with you whether you are interested in the job and whether the client can contact you. If you agree, then we will arrange a mutually convenient time for the client to call you for an interview.
  22. If, after an interview, the client wishes to make you an offer, they may ask us to arrange references for you. If they want us to do this, we will contact you to let you know and to confirm the contact details for any referees and get your permission to make contact with them. We will not contact any referees without your express permission.
  23. Our data processing protocol is:
    1. We work on the understanding that you control what data we hold on you and the contact arrangements between us. For example, when you first contact us, if we have suitable vacancies, we will reply with general information, a summary of vacancies and ask if you would like us to keep in touch with you. We will then act on your instructions. If we are unable to contact you by email or telephone over an 8 week period from the last point of contact with us, we will delete your data, subject to the clause below (“What happens when you ask us to delete your data”).
  24. What happens when you ask us to delete your data:
    1. If you withdraw your application or your permission for us to use your data for whatever reason or at any time, then:
      1. If you have applied for a vacancy and your data has been passed to a client, then we will delete your CV and any summary notes from our system and we will ask our client(s) to do the same. We will not make further marketing contact with you.
      2. However, we and our client may keep some information about you and we may need to contact you again. This is solely for the establishment, exercise or defence of legal claimsas identified in the GDPR regulations(see:
        An example of why we might need to this is: if, after your data has been sent to the client, you withdraw your permission for us to use your data, our client will still be legally contracted to pay us if you subsequently apply to that client either directly or via another agency and take a job with them. We and our client will keep sufficient information to identify if this happens. (N.B. If you have applied for the same job via another agency, then it is the first agency to put you forward to the client who acts as the lead.)
  25.  Notes:
    1. If we do not have a suitable vacancy for you at the moment, we will do our best to let you know via email. We may at that point ask if we can keep a record of your details and CV in the event that a suitable vacancy becomes available. As the recruitment process for the type of vacancies we recruit for is typically 12 months, we will ask to keep your data for 12 months. After which it will be deleted.
    2. Sometimes we may miss candidate applications or we are unable to reply due to an email / telephone number not working. Our apologies in advance if this happens to you. Please feel free to contact us again to check.
    3. We occasionally receive applications from people who clearly don’t meet the qualifications needed for our vacancies. Sometimes, we reply to these emails if we think we can help the person with their enquiry. Otherwise, we delete them
    4. For our EU vacancies, we work with other agencies, based in the EU. These agencies are subject to the GPDR regulations.
    5. Our direct clients are medical facilities and so we believe that they operate safe and secure systems for personal data. However, we are not able to audit their data protection systems
    6. In the case of Australian and Canadian clients, they are outside of the EU and not part of the EU’s jurisdiction for the GDPR.
    7. In the case of EU clients (including those in the UK), they operate under the GDPR.


First of all, let me thank you for the very kind and warm way of welcoming me at the interview. You have put a lot of energy in helping me with all aspects of my trip there and made me be at ease with the “solemnity” of this interview.
The hotel stay and the journey back were ok and rather uneventful.
Thank you for updating me on the process of getting a work permit since I am completely unfamiliar with it, but, I’m sure, for you it is a piece of cake so I rest assured that everything will work fine.