testrungo

GDPR & Data Subject Rights

Last updated: March 2026

This page explains your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our Privacy Policy explains in full how and why we process personal data.

1. Who We Are

We are a UK-based assessment platform providing candidate evaluation and recruitment tooling to businesses. We act as a data controller for data we collect directly, and as a data processor when handling candidate data on behalf of our business customers. Where required, we maintain a Record of Processing Activities (ROPA) under Article 30 UK GDPR.

2. Legal Bases for Processing

  • Contract: to deliver our platform and services to you or your organisation.
  • Legitimate interests: platform security, fraud prevention, and service improvement — balanced against your rights.
  • Legal obligation: where required by UK law.
  • Consent: for non-essential cookies and opt-in marketing communications.

3. Your Rights Under UK GDPR

  • Right of access (Article 15): request a copy of your personal data (Subject Access Request).
  • Right to rectification (Article 16): ask us to correct inaccurate or incomplete data.
  • Right to erasure (Article 17): request deletion where no compelling reason to retain it exists.
  • Right to restrict processing (Article 18): ask us to pause processing in certain circumstances.
  • Right to data portability (Article 20): receive your data in a structured, machine-readable format.
  • Right to object (Article 21): object to processing based on legitimate interests, including profiling.
  • Automated decision-making (Article 22): not to be subject to solely automated decisions with significant effects without human review.
  • Right to withdraw consent: where consent is our legal basis, you may withdraw at any time without affecting prior lawful processing.

4. Candidate Data and Business Customers

Where business customers use our platform to assess candidates, they are the data controller for that candidate data. If you are a candidate, please contact the organisation that invited you to exercise your rights. We will support our customers in responding to data subject requests as required under our data processing agreements.

5. International Transfers

We process data primarily within the UK. Where transfers outside the UK occur, we apply appropriate safeguards — such as UK International Data Transfer Agreements (IDTAs) or adequacy decisions — in compliance with Chapter V of UK GDPR.

6. Retention

Personal data is kept only as long as necessary for the purpose for which it was collected, or as required by law. A full retention schedule is available on request.

7. Exercising Your Rights

To submit a Subject Access Request or exercise any right, please contact us via our contact page. We will respond within one calendar month. Identity verification may be required.

8. Right to Complain

You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. We would welcome the opportunity to resolve concerns before you contact the ICO.