The QHotels Collection Candidate Privacy Policy  

MAY 2024

The QHotels Collection is committed to complying with the General Data Protection Regulation and the Data Protection Act 2018 and UK GDPR. We know that you care how information about you is used and shared. Looking after the personal information you share with us is very important, and we want you to be confident that your personal data is kept safely and securely. This Candidate Privacy Policy describes how we treat personal information that we may collect about you when you apply for a job within The QHotels Collection company. 

Where someone is hired by us and becomes a member of the staff then the Staff Privacy Policy should be read, and this will apply on appointment.

We do not hold information longer than we need to, we hold the information securely and where we dispose of it, we do so responsibly and safely.

The purpose of this Privacy Policy is to help explain what personal information we collect and use, what we do with it and what your rights are in relation to your personal information. This policy acts as a privacy notice and is applicable to all candidates. 
This Privacy Policy describes:
1. The type of personal information we may collect about you
2. How we may get this information
3. Why we have and use this information
4. The lawful basis we rely on to be able to process your information
5. Who we share your information with and why 
6. How we store your personal data and for how long 
7. Your rights in relation to your personal data and how to exercise them

“Personal data” or ‘personal information’ means any information collected and logged in a format that allows you to be identified personally, either directly (e.g. name) or indirectly (e.g. telephone number). Before providing us with this information, we recommend that you read this document describing our approach to protecting the personal data of all our candidates. 

This policy is not contractual, and the Company reserves the right to change it at any time

The QHotels Collection is a selection of 19 hotels and resorts which combine:
1. Individual hotels, resorts, head office(s) and related central services operated by The QHotels Collection
2.  As well as branded hotels and resorts from:
DoubleTree by Hilton
Delta by Marriott

We will start to collect this data from the profile that you will have created on Harri, from any information provided by a third party, and then through further questions and forms we may send you and answers and more information you may give to us.

Categories of Personal Data

Description of Category

Contact Details

This is the personal data required to enable us to contact you.  This includes your first name, last name, telephone number, address and email address

Employment History & Experience

This is the personal data that is provided by you to help us assess your suitability for a role.  This may also include your current remuneration and associated benefits

Educational History & Qualifications

This is the personal data that is provided by you to help us assess your suitability for a role.

Right to Work Information

This is personal data that can be used by us to verify your right to work in the UK.  This can include passports, visas and information about nationality.

Additional Personal Information

This is additional personal information that you may supply us with via a CV or we may ask you about during an interview that provides us with further background information on you (e.g. what languages you speak or your hobbies and interests)

Sensitive Personal Employment Information

As a potential employer we will ask for sensitive information relating to you which is Special Category Data. This is so that we can carry out our responsibilities as an employer, ensure that we can comply with HMRC and Right To Work requirements, and ensure that we are aware of any medical, health, access and special needs, or other information which enables us to comply with our legal responsibilities and protects your rights under the law, including making any reasonable adjustments. This includes processing information relating to your:

·        medical and health situation including accessibility and any accident

·        carer responsibilities and dependents

·        gender

·        ethnic origin, gender identity, marital status, sexual orientation, religion, and any trade union membership. The provision of this information is voluntary but some information, such as that relating to HMRC and Right to Work requirements may be necessary to enable payroll and appointment processes to take effect

Equality and Opportunity  Information

This is personal data we may collect from staff to help ensure we are employing a diverse workforce.  We may ask you to provide information about your ethnic origin, sexual orientation, health, and religion or belief, but your provision of this information is voluntary. Much of this information will be Sensitive Personal Employment Information


This is usually the names and contact details of previous employers or personal contacts who can provide a reference to help verify your employment history

Information for Background Checks

On occasion we may wish to carry out a background check and may require you to provide us with additional information so we can carry out background checks e.g. criminal records or credit checks e.g. bank account details etc.

Feedback or Complaint Information

On occasion we may ask you to provide feedback on your recruitment experience.  You may also wish to make a complaint about the recruitment process.


We may collect the data above at various times throughout the recruitment process.  Usually much of this information will have been provided by you to us but in some circumstances, someone else may have, such as in relation to References.

The information therefore may be collected in a variety of ways. This includes through the application and recruitment process, through the recruitment profile you create on Harri, CVs or resumes provided; obtained from your passport or other identity documents such as your driving licence; from forms completed by you; from correspondence with you; or through interviews or assessments.

We may collect personal information about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

The information is stored in a range of different places, principally on Harri, but may be stored in our HR management systems and in other IT systems (including the Company's email system).

The points at which that collection of information is likely to take place are:
• When you apply for an advertised role
• When we are passed your information via Harri and our recruitment platform 
• When you send us a letter and/or CV asking for employment
• When you attend for an interview or assessment centre (phone or face-to-face)

We may also collect data about you when you visit our websites.  We do this by using Cookies.  For more details on what information we may collect from you when you visit our websites, please see our separate Cookies Policy Cookie Policy - The QHotels Collection

You are under no statutory or contractual obligation to provide data to the Company during the recruitment process. However, if you do not provide the information, the Company may not be able to process your application properly or at all.

You are also under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

The table below describes the purpose for collecting your data and the categories of data collected:


Categories of Data Collected

To enable us to contact you in relation to a job opportunity at The QHotels Collection

·        Contact Details

To enable us to assess your suitability for roles at The QHotels Collection

·        Employment History & Experience

·        Educational History & Experience

·        Sensitive Personal Employment Information

·        Additional Personal Information

To enable us to verify that you are eligible to take up a particular role with The QHotels Collection

·        Contact Details

·        Sensitive Personal Employment Information

·        References

·        Right to Work Information

·        Information for Background Checks

To enable us to ensure The QHotels Collection complies with its duties in relation to individuals with disabilities or certain health conditions, meet its obligations under health and safety law and makes reasonable adjustments to support you in a role with The QHotels Collection

·        Sensitive Personal Employment Information


To enable us to improve the effectiveness of our recruitment process

·        Equality and Opportunity Information

·        Feedback or Complaint Information

The Data Protection regulations are very clear when they state, that in order to process your personal information, we need to do so on the basis of one of the 6 proscribed “lawful bases” (rationales).  The table below sets out which lawful basis we rely on to process your personal data for each purpose. In addition, we are required to extra lawful bases for processing Special Category Data. The details of these extra bases and the arrangements which relate are set out in our Appropriate Policy Document which is a document we are required to have by law.

Lawful Basis for Processing


Legitimate Interests

·        To enable us to contact you in relation to a job opportunity at The QHotels Collection

·        To enable us to make reasonable adjustments to support you in a role with The QHotels Collection

·        To enable us to improve the effectiveness of our recruitment process


·        To enable us to assess your suitability for roles at The QHotels Collection

·        To help ensure we can carry out our obligations as an employer in relation to pay, pensions, benefits and other staff management arrangements

·        To enable us to verify that you are eligible to take up a particular role with The QHotels Collection

Legal Obligation

·        To enable us to verify that you are eligible to take up a particular role with The QHotels Collection

·        To enable us to carry out required vetting and checking

·        To enable us to comply with employment, carer, health and safety, disability discrimination, diversity and other relevant law including in relation to access, disability, caring, maternity, paternity and adoption

·        To enable us to carry out our legal obligations including but not only in relation to data protection and the processing of data subject requests

·        To enable us to ensure The QHotels Collection complies with its duties in relation to individuals with disabilities and certain health conditions, meets its obligations under health and safety law and makes reasonable adjustments to support you in a role with The QHotels Collection

·        To enable us to manage the diversity of our workforce including reporting


Where The QHotels Collection relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of individuals and has concluded that they are not.

Where The QHotels Collection processes Sensitive Personal Employment Information which are Special Categories of personal data, this is done on the basis of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. This is further explained in The QHotels Collection Appropriate Policy Document which it is required to maintain to explain how it treats Special Category Data.

A successful candidate has some obligations under their employment contract to provide The QHotels Collection with their personal data.  An individual may also have to provide The QHotels Collection with data to exercise their statutory rights.  Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable The QHotels Collection to enter a contract of employment with you. If you do not provide other information, this will hinder The QHotels Collection’s ability effectively to administer the rights and obligations arising because of the employment relationship.

Protecting the personal data of our Candidates is very important to us and we do not sell this information to others.   Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and relevant IT staff if access to the data is necessary for the performance of their roles.

Within The QHotels Collection, we may, when appropriate or necessary, share your personal data with third parties.  

Some examples of the categories of third parties with whom we share your data are:

Third Party Processor


Recruitment and resource management platforms

We work with a number of platforms and providers including Harri and Fourth

Recruitment Agencies and Recruitment Websites

We work with a number of agencies supporting recruitment or the provision of agency or temporary staff enabling you to work with us

IT Services Providers

The QHotels Collection work with a number of businesses who support our website and other business systems.  This includes those Partners who provide data storage facilities to us.  Your details will be stored on these systems.  These include Harri our applicant tracking and onboarding system

Your Referees

The QHotels Collection may (with your permission) contact the referees you have provided details for

Regulators, Government Agencies, Credit Reference Agencies, and Law Enforcement Agencies

The QHotels Collection may, if required by law, in support of your application for a role, release your personal information to government agencies, law enforcement agencies and regulators

The QHotels Collection will not otherwise share your data with other third parties.  However, The QHotels Collection may share your data with third parties in the context of a sale of some or all of its business, dependent on the stage in the process the recruitment has reached.  In those circumstances the data will be subject to confidentiality arrangements.


Your personal data is stored in the Company’s HR management systems and in other IT systems (including the Company’s email system and our HR service providers such as Harri and Fourth).
Your information is primarily stored in the UK or the European Economic Area (EEA).  However, your data may be transferred outside of the EEA, and processed by staff and organisations outside of the EEA in order to support the application process. Countries outside of the EEA may not provide the same level of legal protection when it comes to your personal information. 

Therefore, where we make any transfers outside of the UK & EEA these will be conducted in accordance with UK GDPR, including the use of processors based in the United States.  By submitting your data to us, you agree to this handling. We will base any sharing of data outside of the UK & EEA on the following: 
• The transfer is necessary for the delivery of our services to you
• The transfer will be based on the standard data protection clauses for transfer of personal data to countries outside of the UK & EU/EEA adopted by the UK government and the European Commission.

Note: some non-EEA countries are recognised by the UK & European Commission as providing an adequate level of data protection to EEA standards. The full list of these countries is available at

The QHotels Collection take data security seriously, and we have appropriate technical and organisational procedures, in accordance with applicable legal provisions, to protect your personal data against illicit or accidental destruction, accidental alteration or loss, and unauthorised access or disclosure.

We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. Our security procedures mean that we may occasionally request proof of identity before we disclose your personal information back to you or someone acting on your behalf.

Our information security policies and procedures are aligned with widely accepted international standards. These standards are applied and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements.
To this end, we have taken the following technical and organisational measures;

• We have in place firewalls and encryption of computer and mobile device systems
• When personal data is transferred encryption technology is used
• We have in place User ID / Password systems and procedures and Two Factor authentication on our internal systems as well as only permitting access from ‘Trusted Locations’
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data when you transmit it via email; therefore, any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

• We have measures in place to protect against accidental loss and unauthorised access, use, destruction, or disclosure of data
• We place appropriate restrictions on the levels and type of access to personal information and have organisational measures such as user IDs / passwords to control staff access to personal data in line with their job requirements.
• We implement appropriate measures and controls, including monitoring and physical measures, to store and transfer data securely
• We conduct Privacy Impact Assessments in accordance with legal requirements and our business policies
• We require privacy, information security, and other applicable training on a regular basis for our employees who have access to personal information and other sensitive data
• We take steps to ensure that our employees and contractors operate in accordance with our information security policies and procedures and any applicable contractual conditions
•  We require, through the use of contracts and security reviews, our third-party data processors to protect any personal information with which they are entrusted in accordance with our security policies and procedures

Where The QHotels Collection engages third parties to process personal data on its behalf as its data processors, those third parties are required to do so in accordance with UK GDPR based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and company measures to ensure the security of data.

If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws.

If your application for employment is unsuccessful, the company will hold your data on file for a maximum of one year. 

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. Please see the Staff Privacy Policy for more information.

Personal information may be destroyed or deleted at the earliest of:
•  At the end of the period for which it is retained
• When it is no longer required or
• If the Data is erased following a suitable request from the individual to have it deleted, exercising their right as we explain below
Where we delete or destroy Personal Data, it will be disposed of securely and carefully:
• Personal Data stored electronically would be deleted using the standard data deletion method for each system; and
•  Personal Data stored in hardcopy form would be securely disposed of


Under UK GDPR and the Data Protection Act 2018 you have certain rights over the personal information that we hold about you. The rights available to you depend on our lawful basis for processing your information. Accordingly, some rights may not be exercisable in every instance. For example, where we are required by law or regulation to retain some data or records, it may not be possible for us to execute a request to delete that data.

We will respond as promptly as we can. In general, we have one month in which to respond to your request from the day after the date on which we received your request, unless there are special circumstances, such as where you make a complex request or more than one request, where we may need extra time of up to two additional months.

Normally we would ask someone making a request for identifying information to verify their identity We do this to protect their personal information and their interests. There is more detail on this below. In most cases involving staff we do not expect to need to verify identity, but in the case of some requests, or if a request is made via a third party, then some verification may be necessary.

Your rights include the right to access information we hold about you, the right to correct your information (if it is inaccurate or incomplete) and in some circumstances you have the right to restrict or stop the processing of your personal information. 

Where we are processing personal information with your consent, you can withdraw this consent at any time by contacting our Privacy Team at [email protected].  You also have the right to ask us not to process your personal information where we are relying on a legitimate interest to do so. 

There are some circumstances in which you can request the deletion of your information and these include:
• When the personal data is no longer necessary for the purpose for which it was originally collected or processed 
• If we rely on your consent as a lawful basis for holding the data, and you have withdrawn your consent 
• Where we rely on legitimate interests as our basis for processing and you object to the processing of your data, and there is no overriding legitimate interest to continue this processing 
• Where we have processed the personal data unlawfully i.e. without lawful basis 

You have the right to have the data we hold about you transferred to another organisation and to reuse your personal data for your own purposes across different services. We will transfer this information in a commonly used format. This right only applies to the following circumstances: 
• To personal data you have provided to us 
• Where the processing is based on your consent or for the performance of a contract 
• When processing is carried out by automated means 
You can find further information on your data protection rights from the Information Commissioner's Office (ICO) at 

If you would like to request to exercise any of your rights or if you have any queries related to accessing your personal information, correction, or your rights under UK GDPR including requiring a copy of the information we hold on you, we will provide this free of charge and within one month. Please contact our Privacy Team if you wish to exercise any of your rights by emailing the Privacy Team at [email protected].  

Or if you’d like, you can write to us at:
Data Privacy,
Chesford Hub
CV8 2LD, United Kingdom (UK)
Reg. No 11745703

For the purposes of confidentiality and personal data protection, we may need to identify you to respond to your request. You may be asked to include a copy of two official pieces of identification, such as a driver’s license or passport, along with your request.

If your personal data is inaccurate, incomplete or not up to date, please send the appropriate amendments to the Privacy Team as indicated above.

All requests will receive a response as swiftly as possible and in accordance with applicable law.

If you have any concerns about our use of your personal information, you can make a complaint to us at [email protected].

You can also complain to the ICO if you are unhappy with how we have used your data.

Details of their contact information can be found at or you can contact them at:

Information Commissioner’s Office

Wycliffe House
Water Lane
Helpline number: 0303 123 1113
ICO website:

We may change or update this Privacy Policy from time to time, to reflect how we are processing your data. If we make significant changes, we will advise staff so that you are able to review the changes.

If you want further information about this Privacy Policy, then please send your request to our Privacy Team at [email protected]