
Last updated: 1st July 2026
This is the privacy notice of Spinner Medical Recruitment, the trading name of Spinner Industries Ltd, a company registered in Scotland (company number: SC706563), registered office at 3 Abbeyfields, High Street, Dunbar, East Lothian, Scotland, EH42 1HN. In this document, "we", "our", or "us" refers to Spinner Industries Ltd, trading as Spinner Medical Recruitment.
Our data protection contact is: Alasdair Spinner, Director. Email: hello@spinnermedical.com
Introduction
The goal of this policy is to explain what personal data Spinner Medical Recruitment collects, why we collect it, how we use it, and what rights you have over it. This applies whether you are a candidate, a client (hospital, health service, or other engaging organisation), or a visitor to our website.
"Process" means collect, store, transfer, use, or otherwise act on information.
This policy is written to comply with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations (PECR), in relation to cookies and electronic marketing
Because we place candidates into roles in Australia, and may process data relating to individuals in the EU/EEA from time to time, we also have regard to the EU GDPR and Australia's Privacy Act 1988 and Australian Privacy Principles (APPs) where relevant to a particular transfer or client relationship.
We are registered with the Information Commissioner's Office (ICO), registration number ZB446365.
The information we collect
To carry out our recruitment activities, we may collect:
- Name, address, and contact details (email, phone)
- Curriculum vitae, employment history, and references
- Professional qualifications, medical registration details, logbooks, and specialty credentials
- Immigration status and right-to-work documentation for the UK, Australia, and other relevant jurisdictions
- Employment preferences, salary expectations, and availability
- Photographs, where provided
- Links to publicly available professional profiles (e.g. LinkedIn, hospital or health service staff pages)
- Correspondence between you and us
Special category data: In the course of verifying medical registration and right-to-work status, we may occasionally process data that touches on medical registration status, health information (for example, fitness-to-practise records) or other special category data. Where we do, our legal basis under Article 9 UK GDPR is that processing is necessary for the assessment of your working capacity, for reasons of substantial public interest, and/or is carried out with your explicit consent.
How we collect this information
We collect information:
- Directly from you, via our website, phone, email, or other correspondence
- From publicly available sources such as LinkedIn, hospital and health service staff directories, job boards, and online CV libraries
- From referees and named contacts you provide
- From our recruitment CRM system (currently Firefish) and associated tools
Where we obtain data from a source other than you, we will — within one month — inform you that we hold it, where it came from, whether it came from a publicly accessible source, and why we are processing it, unless an exemption applies (for example, where this proves impossible or would involve disproportionate effort).
Our legal basis for processing
Depending on the context, we rely on one or more of the following legal bases under Article 6 UK GDPR:
- Contract — processing necessary to take steps towards, or perform, a contract with you (e.g. progressing a job application or placement)
- Legitimate interests — for example, matching your profile to suitable roles, maintaining our candidate database, and normal business administration, balanced against your rights and interests
- Legal obligation — for example, right-to-work checks or responding to lawful requests from authorities
- Consent — for marketing communications and certain non-essential cookies, which you may withdraw at any time
International transfers — placements in Australia
Because our core service is placing candidates into roles with Australian hospitals and health services, personal data is regularly transferred outside the UK. This is important, so we want to be clear about it.
Australia does not currently have UK adequacy status. This means we cannot rely on an adequacy decision to transfer your data there — we must instead rely on one of the following, on a transfer-by-transfer basis:
- Appropriate safeguards under Article 46 UK GDPR, such as the ICO's International Data Transfer Agreement (IDTA), incorporated into our agreements with client hospitals and health services where required; or
- An Article 49 derogation, most commonly that the transfer is necessary for the performance of a contract between us and you, made at your request (i.e. progressing your application for a specific role), or that you have given explicit, informed consent to the transfer.
We assess each transfer in line with current ICO guidance, including the "not materially lower" standard for the level of protection under the Data (Use and Access) Act 2025. If you would like more detail on the safeguard used for a specific transfer of your data, contact us at hello@spinnermedical.com.
Where we store your data
Data held in our recruitment CRM (Firefish) is stored and secured in line with that provider's hosting arrangements. [Confirm current hosting location/region with Firefish directly — this should not be assumed to still be Azure Western Europe unless verified, as this may have changed since the CRM was first adopted.]
We also use the following processors in the course of our work:
- Firefish (CRM, candidate database, and communications)
- Devyce / Ringover (business telephony)
We have data processing agreements in place with each processor covering the security and handling of your data.
How long we keep your data
We retain personal data only for as long as necessary, having regard to:
- The nature of the data and its ongoing accuracy
- Your level of engagement with our services
- Legal or contractual obligations following a placement (e.g. rebate/refund guarantee periods)
- ICO retention guidance
Our standard retention period for candidate data with no engagement is 5 years, up to a maximum of 7 years, after which data is deleted or anonymised. Data relating to a completed placement may be retained for longer where required to meet contractual obligations to a client (for example, fee-guarantee periods) or statutory obligations.
You can ask us at any time to explain, shorten, or delete the retention period applied to your data — see "Your rights" below.
Your rights
Under UK GDPR, you have the right to:
- Be informed about how we process your data
- Access the personal data we hold on you
- Have inaccurate data corrected (rectification)
- Request erasure of your data in certain circumstances
- Restrict our processing of your data
- Receive your data in a portable format, in certain circumstances
- Object to processing based on legitimate interests or for direct marketing
- Not be subject to decisions based solely on automated processing which produce legal or similarly significant effects (we do not currently use automated decision-making of this kind in recruitment decisions)
- Lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk, or by phone on 0303 123 1113 — if you are unhappy with how we've handled your data. We'd appreciate the chance to resolve any concern directly first, by email at hello@spinnermedical.com or by phone on +447414531583.
We may need to verify your identity before acting on a rights request.
Newsletters and marketing
Where you have given express consent, we may send you newsletters or updates about roles via our CRM system (Firefish). You can unsubscribe at any time using the link in any email, or by contacting hello@spinnermedical.com. We do not sell or share your contact details with third parties for their own marketing purposes.
Complaints about our service
When you raise a complaint, we record the details you provide and use them to investigate and resolve the issue. We will acknowledge receipt of your complaint within 30 days. Where resolving a complaint reasonably requires us to contact another party, we may share relevant details from your complaint with them — this is done at our discretion and only where necessary. We may compile anonymised statistics from complaints to monitor service quality.
Cookies
We use cookies on our website. Some are strictly necessary for the site to function (for example, keeping you logged in or remembering a job application in progress); others help us understand site usage or support functionality.
Where a cookie is not strictly necessary, we will ask for your consent before it is set, in line with PECR. You can manage or withdraw cookie consent at any time via your browser settings or our cookie preference tool. Further general information on cookies is available at Cookiepedia.
| Cookie | Purpose | Type |
| --- | --- | --- |
| ASP.NET_SessionId | Identifies your session; holds no personal data | Strictly necessary / session |
| ffcookies-dismiss | Suppresses repeat display of the cookie banner | Strictly necessary / persistent |
| ffIEWarning | Flags outdated browser versions | Functional / persistent |
| ff_secCheck | Tracks failed login attempts | Functional |
| ff_AdDist | Identifies when a job advert link from an email has been opened | First-party |
| .ASPXAUTH | Keeps you logged in | Strictly necessary / persistent |
We do not currently respond to browser "Do Not Track" signals.
Legal jurisdiction and liability
This website provides general information about Spinner Medical Recruitment. We are not liable for actions taken in reliance on information on the site, to the extent permitted by law. If any part of these terms is found unenforceable, the remainder continues to apply. We do not undertake to comply with the laws of every jurisdiction from which our site may be accessed.
Changes to this notice
We will post any changes to this notice on this page and, where appropriate, notify you by email. Please check back periodically. Questions about this policy can be sent to hello@spinnermedical.com.