Privacy Notice
1. Important information and who we are
1.1 BakerHicks is committed to protecting and respecting your privacy. Baker Hicks Limited (Kent House, 14-17 Market Place, London W1W 8AJ), BakerHicks AG, BakerHicks GmbH (Germany), BakerHicks GmbH (Austria), BakerHicks ApS, and BakerHicks SA (trading as BakerHicks), as the context requires, are part of the Morgan Sindall Group of companies.
1.2 Each BakerHicks entity is a data controller in respect of the use it makes of your personal data, and each complies with this Privacy Notice. Your personal data will be controlled by the BakerHicks entity that you engage with.
1.3 In this Privacy Notice, the terms “BakerHicks”, 'we', 'our' or 'us' are used to refer to the data controller primarily responsible for your personal data.
1.4 At BakerHicks, we respect your privacy and have compiled this Privacy Notice to explain how we process your personal data and to help you understand your rights and responsibilities regarding the handling of personal data.
1.5 This Privacy Notice applies to you when using our website which is operated by BakerHicks Limited (regardless of where you visit it from), if you apply for a job or work placement with us, if you temporarily visit our premises or where we otherwise process your personal data for the purposes set out below, unless an alternative separate privacy notice applies to such processing.
1.6 This Privacy Notice also explains how we ensure that your personal data is processed in a responsible manner, in accordance with applicable data protection laws in the UK, the European Economic Area (EEA), and Switzerland, including the General Data Protection Regulation 2016/679 ("EU GDPR"), the GDPR as it forms part of UK law ("UK GDPR"), the Data Protection Act 2018, and the Data Use and Access Act 2025, as well as applicable national data protection laws (e.g., the German Bundesdatenschutzgesetz (BDSG), the Austrian Datenschutzgesetz (DSG), the Belgian Data Protection Act, and the Swiss Datenschutzgesetz (DSG)), as each is amended from time to time (together the "Data Protection Laws"). "GDPR" shall mean the EU GDPR or the UK GDPR, as applicable.
1.7 If you have any questions about this Privacy Notice including any requests to exercise your legal rights (referred to in paragraph 11), please direct any complaint to dataprotection@morgansindall.com or to the Head of Information and Security, Morgan Sindall Group, Kent House, 14-17 Market Place, London W1W 8AJ.
2. The types of personal data we collect about you and how we collect it
2.1 Personal data means any information about an individual ("Data Subject") from which that person can be identified. Even if information alone cannot identify you as an individual, it may still constitute personal data if it can be linked to you when combined with other information. Examples of personal data are names, email addresses, postal addresses, IP addresses or a national insurance number.
2.2 We use different methods to collect data from and about you, including through:
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data (defined below). This may involve the use of cookies and other similar technologies, subject to your preferences, as detailed in our Cookie Policy BakerHicks.
- Your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you contact us for general enquiries.
2.3 The table below summarises the different categories of personal data we process about you and how BakerHicks collects this data.
Category of Data | Examples may include | How do we collect this data |
|---|---|---|
Contact Data | Personal contact details: Including your name, personal address, personal number, e-mail address and any personal details you include in correspondence to us. Business contact details (including from our suppliers): Your name, work email address, company name and address, work number, job title and any personal details you include in correspondence to us. | BakerHicks collects this information if you complete our online form, if you email us directly or if you attend any of our engagement events. When visiting our premises or sites we collect your contact details and the reason for your visit. |
Site Records | Where controlled by BakerHicks, your details contained in: | From you when creating your temporary pass or if we are required to complete a site incident report. From our CCTV systems and on-site security (pursuant to which images may be taken and stored) in operation within our premises. |
Survey and Outreach Data | Any responses submitted by you in response to a survey sent to you by us and obtained during the course of our engagement activities. | From you when you respond to a survey or questionnaire. |
Event Data | Images (including photographs and video) taken of you when attending any of our events, including any sign-up forms and child declaration forms. | From you when signing up to attend one of our events or during our events in the case of your image being taken. |
Technical Data | When you access this website, the browser used on your device automatically sends data to the server of our website, which is temporarily stored in a log file. This log file data includes IP address of the requesting browser, date and time of access, website from which the access occurs, browser type and version, operating system of the accessing device, access provider, country and language settings. | As you interact with our website, we will automatically collect Technical Data using third parties such as hosting providers and website service providers. |
Recruitment Information: We collect the following categories of personal data in connection with our recruitment activities. | ||
Application Data | Your Contact Data, CV, performance test results, your letter of application, your education and employment background, your relevant skills, information about your application process (e.g. interview feedback or notes) etc. Any special category data such as your health information necessary for us to make arrangements for any interview, or specific to the role you apply for. In case your application is successful we may also collect Vetting Data and Diversity and Equality Data, as detailed below. | BakerHicks collect this data directly from you when you interact with and submit details to us via our recruitment portal available on our website. BakerHicks may also use a third-party recruitment processing outsourcing agent, including WilsonHCG-EMEA Limited, to provide end-to-end recruitment services. BakerHicks may also use a third-party applicant tracking system, including the system provided by Greenhouse, to process applicants through the recruitment process. |
Vetting Data | ID verification checks, driving licence, passport, right to work documentation, information from global sanctions lists and screening checks including security clearance applications (undertaken as part of recruitment activities or as a standalone security vetting activity), background checks, criminal record information (insofar as legally authorised) and references. | BakerHicks uses third party vetting and sanctions providers to process job applications and undertake vetting. From you or your referees (if applicable). |
Diversity Data (in jurisdictions where legally permitted) | Your gender, racial or ethnic origin, nationality, sex and sexual orientation, religious or similar beliefs. | BakerHicks collect this data (where provided) directly from you when you interact with and submit details to us via our recruitment portal available on our website. |
3. Legal basis
3.1 Data Protection Law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:
- The processing can be performed if the Data Subject has given his or her consent;
- The processing is required for the performance of a contract to which the Data Subject is party;
- The processing is required for a legal obligation to which BakerHicks is subject;
- The processing is necessary to protect the vital interests of the Data Subject;
- The processing is necessary to perform a task carried out in the public interest or in the exercise of official authority; and
- The processing can be performed based on the legitimate interests pursued by BakerHicks or a third party.
3.2 Purposes for which we will use your personal data
- We have set out below a description of all the ways we use your personal data and the legal bases we rely on to do so.
- Where we are relying on a legitimate interest, we have undertaken an assessment to ensure that your rights and freedoms, including your right to data privacy, are properly balanced against ours or any relevant third parties' commercial interests.
Purpose/Use | Type of data | Legal basis |
|---|---|---|
To manage our relationship with you which will include: Notifying you about changes to our Privacy Notice. Dealing with your requests, complaints and queries. To receive goods and services from you as a supplier where applicable. | Contact Data | Necessary to comply with a legal obligation cf. section 6 (1) (c) of the GDPR. Necessary for our legitimate interests in managing our relationship with you and responding to online enquiries or based on the contract legal basis cf. section 6 (1) (f) of the GDPR. |
To ensure a stable and secure connection to our website as well as for technical administration reasons including for security, troubleshooting and maintenance purposes. | Technical Data | Necessary for our legitimate interests in providing you with a functioning website service cf. section 6 (1) (f) of the GDPR. |
To monitor and administer visitors to our premises or sites and to help ensure that our offices and sites have security measures, including to investigate and report on any incidents on our premises or sites. | Contact Data Site Records | Necessary for our legitimate interests to manage visits to our sites and premises cf. section 6 (1) (f) of the GDPR. Necessary for our legitimate interests to ensure the safety of our premises and for crime prevention and public safety cf. section 6 (1) (f) of the GDPR. To comply with our legal and regulatory obligations, including health and safety laws cf. section 6 (1) (c) of the GDPR. |
To get your feedback through your voluntary participation in customer satisfaction surveys (except where the survey is anonymous only). | Survey and Outreach Data | Necessary for our legitimate interests (to carry out research, inform strategy and to help us make improvements) cf. section 6 (1) (f) of the GDPR. |
To carry out community engagement activities, including attending school careers events and showcasing educational videos of our projects. | Contact Data Survey and Outreach Data Event Data | Necessary for our legitimate interests (to educate and engage with the community on the benefits of our projects and raise awareness of opportunities within our business) cf. section 6 (1) (f) of the GDPR. |
Recruitment Information | ||
To carry out recruitment and selection tasks to process job applications. | Application Data | Necessary for our legitimate interests in managing our relationship with you cf. section 6 (1) (f) of the GDPR. Legitimate interest: To support future recruitment processes more efficiently (i.e. where you are an unsuccessful candidate, but we retain your information for potential future opportunities) cf. section 6 (1) (f) of the GDPR. Necessary for the performance or entering a contract with you cf. section 6 (1) (b) of the GDPR. |
Where you are successful with an application, to carry out recruitment screening where appropriate and permitted by law and to carry out right to work checks. | Vetting Data | Necessary for our legitimate interests to ensure that recruits are suitable to work in certain high-risk environments, to prevent criminal or unlawful acts, to protect the public against dishonesty and to comply with regulatory requirements (e.g. for government contracts) cf. section 6 (1) (f) of the GDPR. Necessary for the performance or entering a contract with you cf. section 6 (1) (b) of the GDPR. Legal obligation where our vetting checks are required by law cf. section 6 (1) (c) of the GDPR. |
Where you are successful with an application, to promote equal opportunities and diversity and for reporting/monitoring statistics (in jurisdictions where legally permitted) | Diversity and Equality Data | Necessary for our legitimate interests to ensure we maintain a diverse workforce and address any inequality of opportunity in our working practices cf. section 6 (1) (f) of the GDPR. Legal obligations where it is necessary to comply with employment, regulatory and equality and diversity requirements cf. section 6 (1) (c) and 9 (b) of the GDPR. |
4. Special Categories of Personal Data
4.1 Certain personal data fall into 'special categories of personal data', such as data regarding your race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a person, data concerning your health (including mental and physical health), data concerning your sex life or sexual orientation, or criminal convictions, records (including DBS checks) and offences (together "Sensitive Data").
4.2 Where and to the extent we process Sensitive Data, we will only do so as permitted under applicable Data Protection Laws and in jurisdictions where legally permitted, including where:
- we have your explicit consent;
- the processing is necessary to carry out and exercise obligations and rights in employment and social security law;
- the processing is necessary to protect your (or someone else's) vital interests where you are physically or legally incapable of giving consent;
- the processing is necessary to establish, exercise or defend legal claims;
- the processing is necessary for the prevention or detection of crimes and unlawful acts;
- the processing is necessary for regulatory requirements applicable to us or our business customers;
- the processing is necessary for reasons of substantial public interest.
5. Cookies
Cookies and similar technologies: We use "cookies" and other web technologies to collect information and support certain features of our websites. For more information about the cookies we use and how to change your cookie preferences, please see our Cookie Policy BakerHicks.
5.1 Who do we share your information with?
5.2 We may share your personal data where necessary with third parties who will process it on behalf of BakerHicks as data processors for the purposes identified above. In particular, your personal data may be shared with:
- third party providers of website and IT administration services such as website development, hosting and maintenance;
- the Morgan Sindall Group of companies;
- for Vetting Data, with third party sponsors to confirm security clearance status; and
- survey providers.
5.3 In the event that the business is sold or integrated with another business your details will be disclosed to our advisers and any prospective purchaser's adviser and will be passed to the new owners of the business. These parties act as independent data controllers.
5.4 We may also disclose personal data when we consider disclosure is appropriate to comply with the law or a court order, or to otherwise defend legal claims. This may include to law enforcement agencies, courts, tribunals and regulatory bodies, professional advisors (such as lawyers, auditors and other advisors) acting as independent data controllers. We may also disclose personal data to prevent or investigate a possible crime.
5.5 We will always require third-party service providers to respect the security of your personal data and to treat it in accordance with the law.
6. Other Websites and Services
The site may contain links to third party websites operated by other companies, including websites operated by our third-party service providers, and other third parties. This notice does not apply to personal data collected on any of these third-party websites, unless specifically mentioned in this notice. When you access third-party web sites through a link on this site, please take a few minutes to review the privacy policy posted on that site.
7. International transfers
7.1 We may transfer your personal data to third-party service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK, EEA and Switzerland to countries which have laws that do not provide the same level of data protection as the Data Protection Laws.
7.2 Where your personal data is transferred, stored and/or otherwise processed outside the UK, the EEA or Switzerland, we will take all reasonable steps to ensure that your personal data is treated securely and in accordance with this notice. When personal data is transferred internationally to a country that is not deemed adequate by the European Commission, or the relevant competent authority, we will rely on acceptable and defined legal mechanisms such as using standard contractual clauses which have been approved by the European Commission or the relevant competent authority, such as the ICO's IDTA and SCCs. In certain cases, we may transfer data without such safeguards, for example if you have provided consent to the disclosure, or if it is necessary in relation to a contract or to defend, exercise or enforce legal claims. If you would like a copy of the safeguards provided, please contact us using the information provided below.
8. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
9. How long will you use my personal data for?
9.1 We will retain your personal data only for as long as we need it for the purposes set out in this notice, except in circumstances where we need to retain it for longer to comply with legal obligations or for legal claims.
9.2 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it, whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.
9.3 Where you have applied to work for us and have been unsuccessful, we will usually retain your personal data for a period of six months after we have communicated our decision. We retain your personal data for this period to defend any legal claims or disputes. We may also wish to retain your personal data for a longer period of no longer than two years subject to your consent, on the basis that a future opportunity may arise and we may wish to consider you for that. If you do not wish for us to retain your personal data for this purpose, you may object to such processing by emailing gdpr@morgansindall.com.
9.4 In some circumstances you can ask us to delete your data: see paragraph 11 below for further information.
10. Your legal rights
10.1 You have a number of rights under Data Protection Laws in relation to your personal data.
10.2 In certain circumstances, you have the following rights, subject to any exemptions which we may be able to rely on to refuse your rights request:
Right | Description |
|---|---|
To be informed | A right to be informed about the personal data we hold about you. |
Of access | A right to access the personal data we hold about you and to check that we are lawfully processing it (commonly known as a "subject access request") |
To rectification | A right to require the rectification of any inaccurate personal data we hold about you. We may need to verify the accuracy of any new data you provide to us. |
To object | A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights, or which are for the establishment, exercise or defence of legal claims. |
To erasure | A right to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. |
To restrict processing | In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example): |
To data portability | In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request. Note that this right only applies to automated information which you initially provided consent for us to use. |
In relation to automated decision making and profiling | A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not carry out any automated processing or profiling. |
To withdraw | A right to withdraw your consent, where we are relying on it to use your personal data. |
10.3 If you wish to exercise any of the rights set out above, please see the contact details at section 1.7.
What we may need from you
10.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
11. Complaints
11.1 If you have a complaint or concern around the use of your personal data in the context of your engagement with us, you have the right to complain to us. Please contact gdpr@morgansindall.com. We will try our very best to assist you and rectify any concerns or complaints.
11.2 If you are dissatisfied with our response, you have the right to make a complaint at any time to the competent data protection authority:
- In the UK, the Information Commissioner's Office (ICO), the UK regulator for data protection issues (https://ico.org.uk/global/contact-us/); Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Telephone Number: 0303 123 1113;
- In Switzerland, the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch); Address: Feldeggweg 1, 3003 Bern, Switzerland; Phone: +41 58 462 43 95;
- In Germany, the German data protection authorities, a list of which can be found here: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html;
- In Austria, the Austrian Data Protection Authority (www.dsb.gv.at); Address: Österreichische Datenschutzbehörde Barichgasse 40–42 1030 Vienna Austria; Phone: +43 1 52 152-0;
- In Belgium, the Gegevensbeschermingsautoriteit (https://www.gegevensbeschermingsautoriteit.be); Address: Rue de la Presse 35 / Drukpersstraat 35 1000 Brussels Belgium; Phone: +32 2 274 48 00; and
- In Denmark, Datatilsynet (https://www.datatilsynet.dk); Address: Carl Jacobsens Vej 35 2500 Valby; Phone: + 45 33 19 32 00.
12. Changes to the Privacy Notice and informing us of changes
12.1 We keep our Privacy Notice under regular review.
12.2 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
Please contact us should you require this Privacy Notice in an alternative format or language.