Careers at
ARIA - Home
ARIA - Home

Privacy Policy

ARIA (“we”, “us”) are committed to protecting and respecting your privacy. This Privacy Notice sets out the basis on which the personal data collected from you, or that you provide to us, will be processed by us in connection with our recruitment processes. This Privacy Policy is provided in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

The Data Controller and the entity responsible for the processing of your personal data collected during the recruitment process is ARIA.

We use Pinpoint, an online software product provided by The Infuse Group Ltd (t/a Pinpoint Software), to assist with our recruitment process. Pinpoint (and where applicable, their sub- processors) may process personal information as a data processor in accordance with our instructions.

Where you apply for an opportunity posted by us, this Applicant Tracking System  Privacy Policy will apply to our processing of your personal information, in addition to our other Privacy Notice which is available on our website.

Your Personal Information

How is your personal data collected?

We collect personal data about you in the following ways: 
  • Direct Interactions: you provide us with your personal information throughout the job application process.
  • Third Parties: we will receive personal data about you from various third parties, such as from recruitment agencies, third parties that carry-out background checks or other pre-employment background screening, referrers, referees and former employers (e.g: We may use Pinpoint to link the data you provide to us with other publicly available information about you published on the Internet – this may include sources such as LinkedIn and other social media profiles).
  • Pinpoint: Pinpoint's technology enables us to search various databases, which may include your personal data, to find possible candidates to fill our job openings. When we obtain personal data about you in this way, we rely on our legitimate interests in recruiting suitable staff (UK GDPR Art 6(1)(f)). In these circumstances, we shall provide you with this Applicant Tracking System Privacy Policy no later than one month after we obtained the data, or at the first contact with you, whichever is earlier, as required by the UK GDPR. You can object to this processing at any time.

Information we collect from you

We collect and process some or all of the following types of information from you:
  • Identity Data: including first name, maiden name, last name, marital status, title, date of birth and gender.
  • Contact Data: including address, email address and other contact details. 
  • Identity Documents: including copies of Passports, Visa and other Identity documents relating to your entitlement to work. 
  • CV Data: including information about your career history, skills, experience and qualifications.
  • Health Data: including information about your health, medical conditions, for which we may have to make reasonable adjustments both during recruitment process and potential employment. 
  • Background Check Data: including biometric data and information obtained through criminal background checks and/or other pre-employment screening. 
  • References: including information obtained from references from previous employers or other referees.
  • Other Sensitive Data: including salary information, psychometric test data, ethnicity, religious beliefs, sexual orientation, and other diversity data.
  • Details of your visits to our careers website including, but not limited to, traffic data, location data and other communication data, the site that referred you to our careers website and the resources that you access.

Purposes for which we will use your personal data 

Lawful basis for processing

We process your personal data only where allowed under UK data protection law. The primary basis is our legitimate interests (UK GDPR Article 6(1)(f)) in recruiting qualified staff for our business and managing our recruitment process effectively. 

Depending on the stage and nature of processing, we also rely on other bases: for example, processing some data is necessary to take steps at your request prior to entering into a contract (Article 6(1)(b)) – this applies to evaluating you for employment and (if successful) preparing an employment contract for you. In addition, certain processing may be necessary for us to comply with our legal obligations (UK GDPR Article 6(1)(c)), such as verifying your right to work in the UK or making reasonable adjustments for disabled candidates under equality laws. If we ask for any information that is not strictly required and you choose to provide it, we may process that based on your consent (UK GDPR Article 6(1)(a)), which you can withdraw at any time. We explain these bases further in the context of specific purposes below. We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are (where appropriate).

Purpose/Activity: Manage, administer and communicate about your application.
Type of data: (a) Identity Data, (b) Contact Data, (c), Identity Documents, (d) CV Data. 
Lawful basis for processing including basis of legitimate interest: (a) To take steps prior to entering into an employment contract with you, (b) Necessary for our legitimate interests (to ensure recruitment of the most appropriate applicants).

Purpose/Activity: Assess your suitability for employment (including eligibility to work).
Type of data: (a) Identity Data, (b) Identity Documents, (c) CV Data, (d) References.
Lawful basis for processing including basis of legitimate interest: (a) To take steps prior to entering into an employment contract with you, (b) Necessary for our legitimate interests (to ensure recruitment of the most appropriate applicants), (c) Necessary to comply with a legal obligation.

Purpose/Activity: Equal-opportunity monitoring and providing reasonable adjustments.
Type of data: (a) Identity Data, (b) Health Data, (c) Other Sensitive Data.
Lawful basis for processing including basis of legitimate interest: (a) Necessary to comply with a legal obligation, (b) Necessary for our legitimate interests / substantial public interest (to ensure equal treatment of candidates), (c) Where required by applicable law, with your consent.

Purpose/Activity: Carrying out background/ security checks (role-dependent).
Type of data: (a) Identity Data, (b) Identity Documents, (c) Criminal Data.
Lawful basis for processing including basis of legitimate interest: (a) Necessary to comply with a legal obligation, (b) Necessary for our legitimate interest / substantial public interest (to prevent and detect unlawful acts), (c) Where required by applicable law, with your consent.

Purpose/Activity: Improve Pinpoint’s recruitment-platform services (analytics, trouble-shooting).
Type of data: (a) Technical/ usage data and candidate data in anonymised or aggregated form only.
Lawful basis for processing including basis of legitimate interest: Art 6 (1)(f) – legitimate interest in enhancing the reliability and user experience of the recruitment system.

ARIA may also process your personal data where required by law and/or in its legitimate interests (in protecting its business and reputation) for the purposes of: 
  • Exercising or fulfilling ARIA's legal rights and responsibilities, including compliance with statutory and regulatory obligations; 
  • Managing legal disputes involving applicants, employees and/or third parties; and 
  • The prevention or detection of fraud, crime or other unlawful or inappropriate conduct.

Disclosure of applicant personal data 

Where necessary and lawful, your personal data will be disclosed to certain third parties, for example, to: -
  • ARIA management and employees;
  • Our professional advisers, such as solicitors or accountants, and consultants;
  • Government departments and agencies;
  • Police and law enforcement agencies;
  • Courts and tribunals;
  • Insurers;
  • Partners, suppliers, agents, and service providers (e.g. Pinpoint); and
  • Third parties to gain references.

Automated decision making / profiling

Our recruitment process involves some automated processing to assist us in identifying suitable candidates, but we do not make any final hiring decisions based solely on automated decision-making. For example, we may leverage Pinpoint’s technology to automatically screen applications or search through candidate profiles based on criteria we have identified (such as specific skills, experience, or qualifications required for the role). This automated screening helps us efficiently shortlist candidates whose profiles match the role requirements. However, any important decision regarding your application – such as selecting candidates for interview, making an offer, or rejecting an application – is made by our team members, not by an algorithm. There is always human involvement in these decisions, and no algorithm can automatically eliminate you from consideration without human review. Given this, the use of automation will not have legal or similarly significant effects on you without a human check.

How we store your personal data

Security

We take appropriate measures to ensure that all personal data is kept secure including security measures to prevent personal data from being accidentally lost, or used or accessed in any unauthorised way. We limit access to your personal data to those who have a genuine business need to view it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means, therefore any transmission remains at your own risk.

Where we store your personal data

The data that we collect from you and process using Pinpoint’s services will be transferred to and stored at one of several datacentre locations in Amsterdam (Netherlands) and may be synchronised to one of several datacentre locations in London (United Kingdom) for backup and redundancy purposes. 

Our service provider Pinpoint is incorporated in Jersey, which is itself recognised as adequate by both the EU and the UK.

International transfers of your personal data

We do not routinely transfer applicant data outside the UK / EEA.

If a specific service provider (for example, a background-check or cloud-support vendor) needs limited access from a country outside the UK/ EEA, we ensure a similar degree of protection is afforded to it in the recipient country by ensuring at least one of the following safeguards is implemented: 
  • We transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; and/or
  • We use specific contracts approved for use in your country of residence which give personal data the same protection it has in your country of residence (such as the EU Standard Contractual Clauses and/or UK International Data Transfer Addendum).
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data internationally.

How long we keep your personal data

We will not retain unsuccessful applicant data for longer than necessary and will delete it once it is no longer required for the purposes set out in the Policy. If your application is unsuccessful (or you decline an offer from us), we will normally keep your personal data for up to 24 months (2 years) from the end of the recruitment process. 

After 24 months, or if you request sooner as described below, we will delete or anonymise your personal data from our recruitment system. Your personal information will be deleted on one of the following occurrences:
  • You choose to delete your data via the Manage Your Data tool; or
  • You send us a written request to delete your data (see “Your Rights” below on how to request erasure); or
  • The 24-month retention period expires, in which case we will proactively purge your data from our systems.

Your rights

Under the UK GDPR you have a number of important rights regarding your personal data. In summary, you have the right to:
  • Access your personal data and to certain other supplementary information;
  • Require us to correct any mistakes in your information which we hold;
  • Request the erasure of personal data concerning you in certain situations;
  • Request access to the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit this data to a third party in certain situations;
  • Request that we suspend or restrict the processing of your personal data;
  • Request that we provide you or a third party with a copy of your data in a structured, commonly used, machine-readable format.
  • Object to processing of personal data concerning you for direct marketing.
  • Not to be subject to automated decisions – as noted above, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects.
  • Withdraw consent – Where we are processing your personal data based on your consent (for example, if you consented to provide special category data or consented to us keeping your data in our talent pool beyond the normal retention period), you have the right to withdraw that consent at any time.
  • You have the right to claim compensation for damages. While we strive to protect your data and comply fully with the law, we include this right for completeness.
These rights may be subject to conditions and exemptions – for example, we might not erase data we are required to keep by law, or we might refuse a request for data portability if it adversely affects the rights of others – but we will inform you if such circumstances apply.

If you would like to exercise any of those rights, please either:
  • Utilise the Manage Your Data tool provided; or
  • Contact us using our contact details below, ensuring we have enough information to identify you, proving your identity and address and confirming which information to which your request relates

How to complain

We hope that we can resolve any query or concern you raise about our use of your information. You can always contact us at peopleops@aria.org.uk with questions or complaints, and we will do our best to address them.

The UK GDPR also gives you right to lodge a complaint with a data protection supervisory authority. In the UK, our primary supervisory authority is the Information Commissioner’s Office (ICO). You can contact the ICO about a concern at https://ico.org.uk/make-a-complaint or by calling their helpline at 0303 123 1113. The ICO’s address is Water Lane, Wycliffe House, Wilmslow, Cheshire SK9 5AF.

Effective Date: This Privacy Notice is effective as of 15th July 2025 and may be updated from time to time. We will notify candidates of any significant changes.