Candidate Privacy

This summary explains how we handle your personal data during Integrity Due Diligence or related vetting checks. It is designed to be clear and understandable while meeting the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and applicable UK data protection developments, including the Data (Use and Access) framework (DUAA), and where relevant, the EU GDPR.

M.INT takes a proportionate, transparent, and secure approach to personal data. This summary explains:

• Who controls and processes your data
• What data we collect and why
• How your data is used and shared
• How long your data is kept
• Your rights, including how to make a complaint

1. Who Handles Your Data

Data Controller: The organisation instructing M.INT. This may be a prospective employer, recruitment agency, production company, or other client. The Data Controller determines the purposes and lawful basis for processing your personal data.

Data Processor: M.INT acts strictly on the instructions of the Data Controller and does not make hiring, casting, or scouting decisions.

2. What Data We Collect

We collect only information that is relevant and proportionate to the vetting process.

We may obtain personal data:

• Directly from the Data Controller; and
• From publicly available sources, including media publications, social media platforms, blogsites, digital archives, public records, company registries, sanctions lists, and professional databases.

The categories of personal data we may process include:

• Identity and contact details
• Professional, academic, and residential history
• Supporting documentation (e.g. CVs, references, identification documents)
• Public online activity, including posts, engagements, and publications

Special category data (racial or ethnic origin, religion, health data, sexual orientation, political opinions, trade union membership, etc.) is not actively collected. Where such data is encountered incidentally in publicly available sources, it is handled only where necessary under Article 9(2)(e) UK GDPR (data manifestly made public) and in accordance with applicable safeguards. Any data that is not relevant to the purpose of the assessment is disregarded without further processing.

3. How Your Data Is Used

Your personal data is used solely for the purposes of:

• Verifying identity and background information
• Conducting integrity, reputational, and security-related assessments
• Producing structured due diligence reports for the Data Controller

We do not use personal data for marketing or any unrelated purpose.

Lawful basis for processing:
Processing is carried out on behalf of the Data Controller, who determines the lawful basis for the assessment. In most cases, this will be legitimate interests (Article 6(1)(f) UK GDPR), in connection with proportionate due diligence relating to employment, engagement, or reputational risk decisions.

Where special category data is processed, this is handled in accordance with Article 9(2)(e) UK GDPR and applicable safeguards.

Automated decision-making:
M.INT does not carry out automated decision-making or profiling.

4. Who Sees Your Data

Your personal data may be shared only with:

• The Data Controller (employer, recruitment agency, production company, or other instructing organisation)
• Authorised sub-processors or service providers involved in the screening process, all bound by equivalent data protection obligations
• Legal or law enforcement authorities where required by law

5. International Data Transfers

Our research may involve accessing publicly available international sources.

Research is primarily conducted within the United Kingdom. Where personal data is transferred outside the UK, this will only occur where appropriate safeguards are in place, such as adequacy regulations, Standard Contractual Clauses (SCCs), or approved international data transfer frameworks.

6. How Long We Keep Your Data

Unless otherwise instructed by the Data Controller, M.INT will retain personal data for no longer than three (3) years following completion of the relevant vetting or due diligence engagement. This retention period reflects the legitimate interests pursued in connection with the provision of due diligence services, including maintaining an appropriate audit trail, supporting informed decision-making in respect of senior or high-profile appointments, and enabling proportionate re-screening or review where required by the Data Controller.

Retention periods are determined in accordance with the UK GDPR storage limitation principle and are subject to periodic review to ensure they remain necessary, proportionate, and limited to the purposes for which the data was collected.

Where relevant to the nature of the engagement, M.INT applies differentiated retention periods, with shorter retention for underlying or supporting data and longer retention for final due diligence reports and associated audit records, in line with the principle of data minimisation, applied throughout the retention period.

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised, unless continued retention is required or permitted by applicable law.

7. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Restrict or object to processing
• Request data portability
• Withdraw consent where applicable

How to exercise your rights:
Please contact the Data Controller who instructed the vetting process. M.INT will assist where possible and in coordination with the Data Controller.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your personal data has been processed unlawfully: https://ico.org.uk/make-a-complaint/

8. Complaints

If you are dissatisfied with the way M.INT has handled your personal data, you may raise a formal complaint using our online complaint form or by emailing data.security@mintanalysis.co.uk.

How we handle complaints:

• M.INT will acknowledge receipt of your complaint within 2 working days
• Your complaint will be securely logged, reviewed, and where applicable, referred to the relevant Data Controller
• We will provide a substantive response without undue delay

If your complaint remains unresolved, you have the right to escalate to the UK Information Commissioner's Office (ICO):
ico.org.uk/make-a-complaint  |  0303 123 1113

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption
• Access controls and role-based permissions
• Secure IT infrastructure and monitoring

10. Data Breaches

In the event of a personal data breach:

• M.INT will notify the Data Controller without undue delay
• The Data Controller is responsible for determining whether affected individuals must be informed

11. Questions or Support

For any queries relating to this summary or your personal data:
Email: data.security@mintanalysis.co.uk

M.INT is not required to appoint a Data Protection Officer under applicable law. Data protection queries should be directed to the email above.

12. Related Policies

• Cookie Policy – for information on website cookies and tracking technologies