Data Protection Policy

The Petroplan group of companies (“Petroplan”) needs to keep certain information on its employees, contractors and prospective contractors/recruitment candidates and client contacts for its legitimate business interests of carrying out its day to day operations, meeting its business objectives of recruitment and candidate placement and complying with legal obligations.

Petroplan is committed to ensuring any personal data will be dealt with in line with the current Data Protection Legislation.

Data Protection Legislation means:

  1. unless and until the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) is no longer applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK;
  2. the Data Protection Act 2018 so far as it remains in force; and
  3. any successor legislation to the GDPR or the Data Protection Act 2018.

To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. 

This document also highlights key data protection procedures within the Petroplan group.  It is provided to all employees of Petroplan.  It is mandatory that all employees confirm their commitment to comply with its terms at all times.



In line with the current Data Protection Legislation, Petroplan will ensure that personal data will:

  • be collected from the data subject directly or from public job boards on which the data subject has uploaded their personal data;
  • be obtained in connection with employment/contracting opportunities and will not be processed in any manner incompatible with that purpose;
  • be held in accordance with Petroplan’s Data Retention Policy at set out below;
  • be processed in accordance with the rights of data subjects;
  • be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.

‘Processing’ includes, without limitation, obtaining, saving, using, holding, amending, sharing, disclosing, destroying and deleting personal data. Personal data includes paper-based data as well as soft copies.

In relation to the personal data it processes, Petroplan will seek to ensure:

  • those handling personal data shall be required to follow this policy to help safeguard personal data.
  • data subjects have access to the information held about them and the ability to have incorrect personal data corrected.
  • personal data will only be used for the purposes for which it was given, which includes the sharing of personal data with legitimate third parties.
  • If personal data is used for another purpose, the data subject’s consent shall be explicitly obtained.

It is possible that personal data we collect may be transferred, stored and/or processed outside the European Economic Area (“EEA”). Countries outside the EEA may not offer the same level of data protection as the United Kingdom however we will take steps to ensure that all data is treated securely and in accordance with this policy, only doing so where the recipient of the data is contractually obliged to comply with UK data protection laws.

We have various offices outside the UK which will handle local job opportunities. Our overseas offices have access to our candidate and client database so that we may provide a truly global service.  We may also transfer personal data to our overseas offices or overseas clients so that candidates can be considered for roles outside the UK and for payroll and other administrative purposes.  Petroplan is unable to provide services to any contractor who is not happy for their data to be accessible/transferred in this way since it is crucial that all active candidate details are on our database.


Information we collect

In order to provide the best tailored employment opportunities, we need to process certain information about candidates, contractors and Petroplan employees.  Specifically, we collect the following information:

  • Candidates/contractors
  • information supplied when they register with our website;
  • information contained in CVs sent to us or uploaded to our website or a public forum (eg LinkedIn, job boards etc);
  • details contained in any emails sent to us whether relating to roles, placement/on-boarding or otherwise;
  • HR data including, without limitation, pay, bonuses, national insurance/social security numbers, passport numbers, training data and work permit details etc;
  • Payroll data including, without limitation, details of bank account and taxes;
  • information provided when we are contacted for any other reason; and
  • data gathered using cookies.
  • Employees/prospective employees 
  • information contained in CVs sent to us or uploaded to our website or a public forum (eg LinkedIn, job boards etc);
  • details contained in any emails sent to us; and
  • HR data including, without limitation, pay, bonuses, national insurance/social security numbers, benefit entitlements, pensions, appraisals, absence record, disciplinary and performance details etc;
  • Payroll data including, without limitation, details of bank account and taxes, company credit card details, expenses and tax details;
  • information provided when we are contacted for any other reason.

We may also be provided with information which is classed as special categories of personal data or otherwise treated differently under GDPR. This could include information about previous convictions or medical well-being/physical condition for example.  No-one is obliged to provide this information, however if they do, we will interpret this as them agreeing to this policy and giving us explicit consent to us providing this information to the relevant client and using the information in the ways described in this policy.

We may also be provided with details of other individuals (including, without limitation, referees, family members (including children) or next of kin/persons to be contacted in an emergency).  By doing so the relevant candidate/contractor/employee is confirming that they have that person’s consent to provide us with their details, to process the information for the intended purpose and to contact them for the intended purpose if necessary and/or appropriate.

We also collect very limited data relating to Clients and Suppliers to enable us to ensure our relationship and services run smoothly.  We generally only need to have contact details for individual contacts at the Client (such as their names, work location, telephone numbers and email addresses).  We also undertake compliance checks including “know your client” information and collect payment details (bank account details/tax registration number).

It is important that the personal information we hold is accurate and current.Please keep us informed by emailing us at [email protected] if your personal information changes during the period which we hold your data.



Petroplan’s purpose for processing personal data are recorded on the public register maintained by the Information Commissioner’s Office (ICO).  We notify and renew our notification on an annual basis as the law requires. 

If there are any interim changes, these will be notified to the Information Commissioner’s Office (ICO) within 28 days.



Overall responsibility for the security of personal data rests with Petroplan’s Board of Directors.

The Board of Directors are responsible for:

  • producing and communicating this policy; and
  • identifying potential problem areas or risks.

All staff of Petroplan who process personal information must undertake GDPR training and ensure they not only understand, but also act in line with this policy.  Any questions or concerns about the interpretation or operation of this policy should be taken up, in the first instance, with Jos Thomerson, Director of Operations, and Anna Bryant, General Counsel.

Any breach of this policy will be taken seriously and will result in formal disciplinary proceedings. 

Any employee who considers that the policy has not been followed in respect of their own personal data should raise the matter with Jos Thomerson, Director of Operations, and Anna Bryant, General Counsel.


Policy Implementation

Petroplan shall:

  • ensure personal data is collected in a fair and lawful way;
  • meet its obligations to specify the purposes for which personal data is used;
  • ensure that only the minimum amount of personal data needed is collected and used;
  • use reasonable endeavours to ensure the personal data used is up to date and accurate;
  • hold data in accordance with Petroplan’s Data Retention Policy as set out below;
  • take the appropriate technical and organisational security measures to safeguard personal data;
  • ensure the rights individuals have in relation to their personal data can be fully exercised.

Petroplan will ensure that:

  • everyone managing and handling personal information is trained to do so;
  • any disclosure of personal data will be in line with these procedures;
  • queries about handling personal information will be dealt with swiftly and politely.


Data Retention Policy

We will keep the personal data held by us for the periods defined below, after which we will delete the relevant information we hold relating to such individual:

  • senior executives of Petroplan permanently;
  • employees for a period of 6 years from the expiration/termination of their contract with us;
  • candidates who were not successful in their application for employment by Petroplan, for a period of 1 year from our last meaningful contact with them;
  • contractors for a period of 10 years from the expiration/termination of their contract with us;
  • permanent placements for a period of 10 years from the date of their placement;
  • contractor candidates for whom we do not make a placement for a period of 5 years from our last meaningful contact with them;
  • client/supplier or prospective client contacts where Petroplan has made placements (contract or permanent) for a period of 10 years after last contractor has finished.  For Companies/Clients where Petroplan has made no placements (contract or permanent 5 years after last meaningful contact save that we shall delete their details if we are informed that they no longer work for the relevant client;
  • financial personal data for a period of 7 years.


Employee Knowledge

Each employee will receive a copy of this data protection policy as part of their induction and will be required to sign to confirm receipt and understanding.  Any questions should be raised with Jos Thomerson, Director of Operations, and Anna Bryant, General Counsel.

Each employee will receive an annual reminder of this data protection policy in a team meeting or via e-mail.


Data Security

Petroplan will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

  • using lockable cupboards (with restricted access to keys);
  • password protection on personal information files (with limited knowledge of passwords as appropriate);
  • backing-up data on computers (to be kept off-site).

Any unauthorised disclosure of personal data to an unauthorised third party by an employee will result in disciplinary proceedings.


Subject Access Requests

Anyone whose personal information Petroplan process has the right to know:

  • what information Petroplan holds about them and why;
  • how to gain access to this information;
  • how to keep it up to date;
  • what Petroplan are doing to comply with Data Protection Legislation.

All data subjects have the right to request a copy of the personal data which we hold about them by contacting us at [email protected] They may request modification, updating or deletion of any such information.  We will respond to any such request within 30 days (although we may be allowed to extend this period in certain cases). 

Data subjects have the right to transfer their data from us to another data controller.  We will assist – either by directly transferring the data, or by providing a copy for to the data subject to transfer to the alternative data controller themselves.

Data subjects also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).  Details are as follows:

Phone:  0303 123 1113

Email:   [email protected]

Post:     Information Commissioner's Office

Wycliffe House
Water Lane

The following information will be required before access is granted:

  • full name and contact details of person making the request;
  • their relationship with the organisation (former/current employee, former/current contractor, former/current recruitment candidate on Petroplan’s employee or contractor database etc).

We may also require proof of identity (e.g. passport, driving licence or birth certificate) before access is granted.

We aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within 30 days of receiving the written request as required by law, unless there is a good reason for delay.  In such cases, the reason for delay will be explained in writing to the individual making the request. 

We do however reserve the right to withhold the following:

  • Information in the case of unreasonably regular requests from individual employees;
  • Specific information if we cannot comply with an employee’s request without disclosing information relating to another individual, unless this can be readily excluded from the data to be supplied on request; and
  • Any data which is excluded through legislation.



This policy will be reviewed at intervals of 3 years to ensure it remains up to date and compliant with the law.