VRS processes only the personal data that is reasonably necessary to provide its services, operate its business, comply with legal obligations, maintain commercial relationships, and fulfil the legitimate purposes for which the information was collected.

The categories of personal data processed by VRS will vary depending on the nature of the interaction with the individual and the services being provided. Personal data may include identification information, business contact information, professional details, employment history, qualifications, recruitment-related information, curriculum vitae, resumes, interview notes, assessment outcomes, communication records, customer account information, supplier information, marketing preferences, website usage information, technical identifiers, system access records, billing information, contractual information, and any other information voluntarily provided to VRS in connection with its business activities.

Where VRS delivers recruitment support services on behalf of customers, additional categories of personal data may be processed within customer-controlled systems in accordance with the customer's documented instructions. Such information may include candidate records, recruitment documentation, interview scheduling information, communication histories, applicant tracking information, customer relationship management records, recruitment workflow information, and other data necessary to support the agreed services.

VRS seeks to ensure that only personal data reasonably required for identified business purposes is processed and that unnecessary, excessive, or unrelated personal data is not intentionally collected, accessed, copied, retained, or disclosed.

The categories of personal data processed may evolve over time as VRS introduces new services, technologies, operational processes, or customer solutions. Where material changes occur, VRS will review this Policy and related privacy documentation to ensure ongoing transparency and compliance with applicable legislation.

VRS processes personal data only where an appropriate lawful basis exists under the GDPR or other applicable privacy legislation.

Depending on the circumstances, personal data may be processed because the individual has provided consent, because processing is necessary for the performance of a contract or to take steps prior to entering into a contract, because processing is required to comply with legal or regulatory obligations, because processing is necessary to protect the vital interests of an individual, because processing is carried out in the public interest where permitted by law, or because processing is necessary for the legitimate interests pursued by VRS or its customers, provided those interests are not overridden by the rights and freedoms of the individual.

Where VRS relies upon legitimate interests as the lawful basis for processing, reasonable consideration will be given to balancing the legitimate interests of VRS, its customers, and other stakeholders against the privacy rights and expectations of affected individuals. Where appropriate, VRS may undertake documented assessments to support this balancing exercise.

Where consent is relied upon, VRS will seek to ensure that consent is freely given, specific, informed, and unambiguous. Individuals will generally be able to withdraw consent at any time where consent constitutes the lawful basis for processing, although withdrawal of consent will not affect the lawfulness of processing undertaken prior to its withdrawal.

The lawful basis applicable to a particular processing activity will depend upon the nature of the relationship, the services being provided, the contractual arrangements in place, and the purposes for which the personal data is processed.

VRS recognises that certain categories of personal data require a higher standard of protection due to their sensitive nature.

VRS does not intentionally collect or process Special Category Data unless doing so is reasonably necessary for a legitimate business purpose, required by law, expressly authorised by the relevant individual, or otherwise permitted under applicable privacy legislation.

Where Special Category Data is processed, VRS aims to ensure that an appropriate lawful basis and, where required, an additional condition for processing exists under the GDPR or other applicable legislation. Such processing will generally be limited to the minimum amount of information reasonably necessary to achieve the relevant purpose.

Examples of circumstances in which Special Category Data may occasionally arise include information voluntarily disclosed by candidates during recruitment processes, accessibility or reasonable adjustment requests, information relating to legal compliance obligations, or other circumstances where the individual has chosen to provide such information.

Appropriate technical, organisational, and administrative safeguards will be applied to protect Special Category Data against unauthorised access, disclosure, misuse, or accidental loss. Access to such information will generally be limited to authorised individuals who require the information for legitimate business purposes and who are subject to appropriate confidentiality obligations.

VRS does not seek to process Special Category Data merely because it is available and encourages customers, candidates, independent contractors, and other stakeholders to avoid providing sensitive personal information unless it is reasonably necessary for the relevant purpose.

VRS is committed to collecting and processing personal data in accordance with recognised data protection principles and good governance practices.

Personal data will generally be collected lawfully, fairly, transparently, and only for specified, explicit, and legitimate purposes. VRS seeks to ensure that individuals understand why personal data is being collected, how it will be used, and the rights available to them in connection with that information.

VRS applies the principle of data minimisation by seeking to collect only the information reasonably necessary to fulfil identified business purposes and avoiding the collection of unnecessary or excessive personal data. Where practical, information requested from individuals will be limited to that which is relevant to the services being provided or the legitimate operation of the business.

Reasonable steps are taken to ensure that personal data remains accurate, complete, and, where appropriate, up to date. Where inaccuracies are identified, VRS will endeavour to correct, update, or remove inaccurate information within a reasonable timeframe.

Personal data will not ordinarily be used for purposes materially different from those for which it was originally collected unless permitted by applicable legislation, authorised by the relevant individual, required to comply with legal obligations, or otherwise supported by an appropriate lawful basis.

These principles underpin VRS's broader approach to responsible information governance and are reflected throughout its operational procedures, technology controls, staff training, and internal governance framework.

VRS recognises and respects the rights afforded to individuals under the GDPR and other applicable privacy legislation.

Subject to applicable legal requirements and any permitted limitations or exemptions, individuals may have the right to request access to their personal data, request correction of inaccurate information, request deletion of personal data, request restriction of processing, object to certain processing activities, request portability of their personal data, withdraw consent where consent forms the lawful basis for processing, and lodge complaints with an appropriate supervisory authority.

Where VRS receives a request relating to personal data for which it acts as a Data Controller, VRS will endeavour to assess and respond to the request within the timeframes required under applicable legislation, subject to verification of the requester's identity and any applicable legal exceptions.

Where VRS receives a request relating to personal data processed solely on behalf of a customer in circumstances where VRS acts as a Data Processor, VRS will generally refer the request to the relevant customer or otherwise assist the customer in responding to the request in accordance with applicable contractual arrangements and legal obligations.

To protect the privacy and security of personal data, VRS may request information reasonably necessary to verify the identity and authority of the individual making the request before providing access to personal data or taking action in response to the request.

VRS is committed to handling data subject requests professionally, transparently, and in accordance with applicable legal obligations while balancing the privacy rights of individuals with any competing legal, contractual, regulatory, or legitimate business obligations that may apply.

VRS relies upon carefully selected third-party service providers to support the secure and efficient operation of its business. These providers may assist with cloud hosting, customer relationship management, applicant tracking systems, communication platforms, accounting systems, marketing platforms, document management, cybersecurity, productivity software, analytics services, payment processing, website functionality, and other operational activities.

Where third-party providers process personal data on behalf of VRS, reasonable steps are taken to ensure that those providers demonstrate appropriate standards of information security, confidentiality, privacy protection, and regulatory compliance consistent with the nature of the services being provided.

Depending upon the circumstances, VRS may assess providers through contractual due diligence, supplier evaluations, privacy reviews, security assessments, contractual confidentiality obligations, data processing agreements, technical security reviews, or other reasonable governance measures designed to protect personal data.

Third-party providers are generally authorised to process personal data only to the extent reasonably necessary to perform the services for which they have been engaged and are expected to maintain appropriate safeguards to protect that information throughout the duration of the processing activities.

Where appropriate, VRS seeks to ensure that contractual arrangements with third-party providers address matters such as confidentiality, information security, subcontracting, international data transfers, incident notification, deletion or return of personal data, audit rights where applicable, and compliance with relevant privacy legislation.

VRS periodically reviews its relationships with key service providers as part of its broader governance framework and may replace, suspend, or discontinue providers where it reasonably believes that they no longer meet the standards expected for the secure processing of personal data.

VRS recognises that effective compliance with the GDPR is a shared responsibility between VRS and its customers where personal data is processed as part of the services provided.

Where VRS processes personal data solely on behalf of a customer, the customer generally acts as the Data Controller and remains responsible for determining the purposes and lawful basis for processing personal data, ensuring that appropriate privacy notices are provided to relevant individuals, responding to data subject rights requests where required, determining appropriate retention periods, managing access permissions within customer-controlled systems, and complying with applicable legal obligations under the GDPR and other relevant privacy legislation.

Customers are also responsible for ensuring that personal data made available to VRS has been collected lawfully and that appropriate legal authority exists for VRS to process that information in accordance with the agreed services. Where customer personnel grant VRS access to applicant tracking systems, customer relationship management systems, email platforms, recruitment software, cloud storage platforms, or other business systems, customers remain responsible for configuring appropriate user permissions, access controls, authentication requirements, and security settings within those environments.

Where customers provide documented instructions relating to the processing of personal data, VRS will endeavour to process that information only in accordance with those instructions unless otherwise required by applicable law. If VRS believes that an instruction may conflict with applicable privacy legislation, contractual obligations, or recognised information security practices, VRS may notify the customer and seek clarification before proceeding.

Customers are encouraged to maintain their own internal privacy policies, information security procedures, incident response plans, and governance frameworks to complement the services provided by VRS and to support ongoing compliance with applicable privacy legislation.

Nothing contained within this Policy transfers the legal responsibilities of a Data Controller to VRS unless expressly agreed in writing through an executed Data Processing Agreement or other contractual document.

For the avoidance of doubt, nothing contained within this Policy, any customer agreement, Statement of Work, Proposal, or operational arrangement shall be interpreted as creating an employment relationship, labour hire arrangement, agency worker relationship, partnership, joint venture, or similar relationship between the customer and any individual engaged by VRS in connection with the delivery of recruitment support services. VRS remains independently responsible for the governance, administration, management, and oversight of its own service delivery model.

VRS recognises that effective GDPR compliance depends not only upon written policies, but also upon organisational awareness, responsible governance, ongoing education, and consistent operational practices.

Accordingly, VRS seeks to promote a culture in which privacy, confidentiality, and responsible information handling form part of everyday business operations. Directors, authorised representatives, independent contractors, recruitment support professionals, consultants, and other individuals acting on behalf of VRS are expected to understand the importance of protecting personal data and to conduct themselves in accordance with applicable privacy legislation, contractual obligations, internal policies, and recognised information security practices.

Where appropriate, VRS may provide guidance, training materials, operational procedures, policy updates, security awareness initiatives, and practical resources designed to assist individuals in understanding their responsibilities when handling personal data. Training may cover topics including GDPR principles, confidentiality obligations, secure information handling, phishing awareness, password security, incident reporting, international data transfers, customer confidentiality requirements, and responsible use of technology.

Senior leadership is responsible for promoting accountability across the organisation by encouraging compliance with this Policy, supporting continual improvement initiatives, reviewing privacy-related risks, monitoring operational practices, and ensuring that appropriate governance arrangements remain in place as the business evolves.

VRS also encourages individuals to report suspected privacy concerns, security incidents, policy breaches, or other issues affecting personal data so that appropriate corrective action can be taken promptly.

Privacy governance is regarded as an ongoing organisational responsibility rather than a one-time compliance exercise, and VRS is committed to continuously strengthening its privacy culture through education, leadership, operational discipline, and continuous improvement.

This General Data Protection Regulation (GDPR) Policy will be reviewed periodically to ensure that it continues to reflect applicable legislation, regulatory guidance, operational practices, technological developments, customer requirements, and recognised industry standards.

VRS reserves the right to amend, update, replace, supplement, or withdraw this Policy at any time where necessary to reflect changes in legal obligations, business operations, service offerings, organisational structure, technology platforms, international processing arrangements, or other relevant circumstances.

Material changes may be communicated through the VRS website, customer communications, contractual documentation, or other appropriate channels where considered necessary.

The most current version of this Policy will be published within the VRS Legal Centre and will become effective from the date specified in the published version unless otherwise stated.

Continued engagement with VRS services following publication of an updated Policy may constitute acknowledgement of the revised Policy to the extent permitted by applicable law and any contractual arrangements between the parties.

Nothing contained within this Policy limits any additional privacy obligations contained within applicable customer agreements, Data Processing Agreements, Statements of Work, or other legally binding contractual documents.

Failure to comply with this Policy may result in corrective action, additional training requirements, removal from particular activities, access restrictions, contractual consequences, suspension of participation in activities, termination of arrangements, reporting to customers, reporting to authorities where appropriate, legal action, or other measures considered necessary in the circumstances.

The response to any breach will depend upon the seriousness, impact, frequency, intent, and surrounding circumstances of the conduct involved.

VRS reserves the right to determine appropriate actions on a case-by-case basis.

VRS welcomes enquiries relating to privacy, data protection, GDPR compliance, international data transfers, data subject rights, information security, or any other matters addressed within this Policy.

Individuals wishing to exercise their privacy rights, request further information, report a suspected Personal Data Breach, raise a concern regarding the processing of personal data, or seek clarification regarding this Policy are encouraged to contact VRS using the details below.

Privacy & Data Protection Enquiries

• Email: privacy@virtualrecruitment.solutions 

Legal & Compliance Enquiries

• Email: legal@virtualrecruitment.solutions

• Website: virtualrecruitment.solutions

VRS is committed to working cooperatively with customers, individuals, regulators, and other stakeholders to promote responsible data protection practices, maintain transparency, support lawful processing of personal data, and continually strengthen the privacy and information governance standards that underpin our international recruitment support services.