Recruitment Privacy Notice


Owlstone Medical Limited (referred to as “OML”, “We, “Our” or “Us”), is committed to protecting the privacy and security of your personal information.

You have been directed to or otherwise sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under Data Protection Legislation, which means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, the EU General Data Protection Regulation (EU GDPR – where relevant) and any legislation implemented in connection with the aforementioned legislation.

If you are successful in your application, you will be provided with a separate privacy notice relating to your employment with us.

Data Controller 

Owlstone Medical Limited is the controller for the personal information we process as identified in this privacy notice.

We are registered with the Information Commissioner’s Office (the ICO) with registration number ZB023504.

We have appointed a Data Protection Officer to help us monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and the ICO.

Our Data Protection Officer is:

The DPO Centre Ltd.
50 Liverpool Street

We have also appointed an EU Representative to act on our behalf for EU GDPR matters

Our EU Representative is The DPO Centre Europe Ltd.

For further details on how you can contact us or our EU Representative, please see the contact us section below.

The information we collect and when 

We only collect personal information that we know we will genuinely use and in accordance with the Data Protection Legislation. In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:

  • The information you have provided to us in your curriculum vitae and covering letter.
  • The information you have provided on our application form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications.
  • Any information you provide to us during an interview.
  • The results of any tests or assessments as part of our interview process.
  • Information generated from background and/or security checks, where necessary, which could include information about criminal convictions and offences.
  • Cookies and IP addresses if you have applied via our wesbite. For more information please see our Cookie Policy on our website
  • CCTV images if you visit one of our sites

We may also collect, store and use the following types of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation.
  • Information about your health, including any medical condition, health and sickness records.

How we collect and use your information 

In most instances we collect personal information directly from you, the candidate. In other instances, we may collect personal information from:

  • Recruitment agencies
  • Background check providers
  • Credit reference agencies
  • Disclosure and Barring Service in respect of criminal convictions
  • Your named referees
  • The Home Office, for employees requiring visas
  • Our immigration lawyers, with your consent, as part og the visa application process

We will use the personal information we collect about you to:

  • Assess your skills, qualifications, and suitability for the role
  • Carry out background and reference checks, where applicable
  • Communicate with you about the recruitment process
  • Keep records related to our hiring processes.
  • Comply with legal or regulatory requirements.

We only process your data when we have a lawful basis to do so:

  • It is in our legitimate interests to decide whether to appoint you as it would be beneficial to our business to appoint someone in the position you have applied for.
  • We also need to process your personal information to decide whether to enter into a contract of employment with you.
  • We may ask for your consent to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that.

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

How we use particularly sensitive personal information 

Special category data

We may use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.

We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting in accordance with any governing legislation or such that a regulatory body requires us to do so.

Information about criminal convictions

We will collect information about your criminal convictions history if we offer you a position with us and you accept (conditional on checks and any other conditions, such as references, being satisfactory). Specifically, we process information required for Baseline Personnel Security Standard (BPSS), which will include a report from the DBS on criminal convictions history. We do this to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role and as part of our security policy. Our roles require a high degree of trust and integrity and it is therefore best practice to undertake such checks and a pre-requisitie in some instances.

We have in place an Appropriate Policy Document and safeguards which we are required by law to maintain when processing such data.

Automated decision making

  • You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Who we might share your information with 

We will only share your personal information with the following third parties for the purposes of processing your application: recruitment agencies, Workable (our recruitment system) and parties involved with pre-employment checks, VISA applications and so on. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

International transfers of information 

Our data processing largely takes place in the UK.

If we were required to transfer your personal information out of the UK or EU to countries not deemed by the ICO (and or European Commission as relevant) to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the data protection legislation, such as the specific contracts approved by the ICO (or European Commission as relevant) providing adequate protection of personal information. 

Your rights over your information 

The right to be informed about our collection and use of personal data;

You have the right to be informed about the collection and use of your personal data. We ensure we do this through this privacy notice. This is regularly reviewed and updated to ensure it is accurate and reflects our data processing activities.

Right to access your personal information

You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed a ‘Data Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within one month from when your identity has been confirmed.

We would ask for proof of identity and sufficient information about your interactions with us that we can locate your personal information.

If you would like to exercise this right, please contact us as set out below.

Right to rectify your personal information

If any of the personal information we hold about you is inaccurate, incomplete or out of date, you may ask us to correct it.

If you would like to exercise this right, please contact us as set out below.

Right to object or restrict our processing of your data

You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.

If you would like to exercise this right, please contact us as set out below.

Right to erasure

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

If you would like to exercise this right, please contact us as set out below.

Right to portability

The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used and machine readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.

If you would like to exercise this right, please contact us as set out below.

For more information about your privacy rights

The Information Commissioner’s Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here 

You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

How long we keep your information for 

We will retain your personal information for no longer than 24 months after we have communicated to you our decision about whether to appoint you. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.

If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a longer period. If we do not contact you in 24 months, we will delete the data. You have the right to withdraw your consent for processing for this purpose at any time. To withdraw your consent, please contact us as set out below.


We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. If you would like additional assurances regarding how we process data securely please contact us as set out below.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Changes to Our Privacy Notice 

We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this notice regularly to keep up-to-date.

How to contact us 

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this notice, the way your personal information is processed, please contact us by one of the following means:

By email:
By post: Owlstone Medical Limited, 183, Cambridge Science Park, Milton Road, Milton, Cambridge, CB4 0GJ
By phone: 01223 428200

If you are based in Europe, you can contact our EU Representative, The DPO Centre Europe Ltd:

By email:
By post: The DPO Centre Ltd, Rue des Poissonniers 13, 1000 Brussels, Belgium
By phone: +32 2 786 19 61

Thank you for taking the time to read our privacy notice.