1. Our Commitment to Data Protection

We operate under a strict data protection framework designed to:

• Protect all personal data we process
• Ensure lawful and transparent processing
• Maintain the highest standards of confidentiality
• Respect individual rights
• Protect employers from compliance risk
• Support ethical verification practices

Data protection is embedded into the architecture of Namely.

2. Legal Basis for Processing

We process personal data under the following lawful bases:

2.1 Consent (Primary Basis for Candidate Verification)

Candidates must provide explicit, informed consent for:

• Employment verification
• Education verification
• Certificate validation
• Reference checks
• Identity verification
• Right-to-work checks
• Skills or behavioural assessments

Consent is recorded and stored securely.

2.2 Contractual Necessity

Applicable to:

• Employer accounts
• Subscription billing
• Access to the platform
• Delivery of verification services requested

2.3 Legitimate Interests

Used only where it does not override the rights of individuals, such as:

• Improving platform security
• Fraud prevention
• Internal analytics
• Service improvement

2.4 Legal Obligations

Required for compliance with:

• Employment screening laws
• Immigration and right-to-work requirements
• Regulatory investigations
• Data retention obligations

3. Data We Process

Namely processes only the data necessary for verification and operational purposes.

3.1 Candidate Data

• Identity information
• Contact details
• Address history
• Employment history
• Education and qualification records
• Certificates and licences
• Reference details
• Skills and behavioural assessment data
• Right-to-work documents
• Verification outcomes

3.2 Employer Data

• Account information
• Billing details
• Verification logs
• Organisation details
• User activity records

3.3 Technical Data

• IP addresses
• Device and browser metadata
• Usage analytics
• Cookie identifiers
• System logs

4. Data Minimisation & Purpose Limitation

We strictly follow data minimisation principles:

• Only collect what is required
• Only store what is necessary
• Only use data for the stated verification purpose
• Never use data for marketing without consent
• Never sell personal data to third parties

5. Security Measures

Namely uses industry-leading security protocols, including:

• Full data encryption (in transit and at rest)
• TLS/SSL secure communication
• Role-based access controls
• Multi-factor authentication
• Encrypted backups
• Intrusion detection monitoring
• Regular penetration testing
• Audit logging
• Secure third-party data processors

We prioritise robust protection of sensitive information.

6. Data Sharing & Third Parties

We only share data when necessary to complete verification or fulfil legal obligations.

6.1 Trusted Verification Partners

Including:

• Educational institutions
• Previous employers
• Training & qualification bodies
• Government and regulatory databases
• Identity verification services

6.2 Compliance & Legal Authorities

Only when legally required, such as:

• Immigration enforcement
• Regulatory investigations
• Law enforcement requests

6.3 Technology & Infrastructure Providers

Including:

• Cloud hosting providers
• Analytics tools
• Security software

All third parties undergo strict due diligence and must meet GDPR standards.

7. International Data Transfers

If data is transferred outside the UK or EU, Namely ensures:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions (where applicable)
• Encrypted transmission
• GDPR-level protection by the receiving party

No data is transferred internationally without proper safeguards.

8. Data Retention

We retain verification data only for as long as necessary.

Typical timelines:

• Verification data: 6–12 months
• Employer account & billing: While active
• Access logs: 6–24 months
• Legal compliance records: As required by law

All data is deleted or anonymised after retention periods expire. For full details see our Data Retention Policy.

9. Data Subject Rights

Individuals have full rights under GDPR, including:

• Right to access – request copies of your data
• Right to rectification – correct inaccurate information
• Right to erasure – request deletion ("right to be forgotten")
• Right to restrict processing
• Right to object to certain processing activities
• Right to withdraw consent at any time
• Right to data portability

Requests can be made via:

Email: info@namely.ai

We respond within 30 days.

10. Candidate Consent Requirements

Namely requires employers to:

• Confirm consent has been obtained
• Provide candidates with a clear breakdown of checks
• Not proceed with verification without documented consent

If consent is withdrawn, all processing stops immediately.

11. Data Breach Protocol

In the unlikely event of a data breach:

• Affected individuals will be notified without undue delay
• The ICO will be informed when legally required
• Containment and mitigation procedures will be activated
• A full investigation will be conducted
• Preventative actions will be implemented

We maintain a formal incident response plan.

12. Accountability & Governance

Namely maintains:

• A Data Protection Officer (or compliance lead)
• Internal data processing records
• Staff GDPR training
• Access control policies
• Regular security audits
• Vendor compliance checks

Data protection is continuously monitored and updated.

13. Contact Details

For GDPR or data protection enquiries:

• Email: info@namely.ai