Who we are
What does this policy cover?
In accordance with current legislation, we are registered with the Information Commissioner’s Office (ICO) as a data controller which involves explaining what personal data we collect and what we do with it. The ICO is the UK's independent body set up to uphold information rights.
What personal data do we collect?
When you register your CV with us via email for the purposes of applying for an advertised vacancy or as a speculative approach/enquiry we may ask for certain information from you, including, but not limited to: your name, address, email address, education, skills and qualifications, employment history (including remuneration details), references, job requirements (including location, salary sought, job industry, job title) plus any other information you may volunteer to us or which is contained in your CV.
If you make an enquiry with us using our online enquiry form, we may collect certain information from you, including, but not limited to: your name, your job title, your company name, your email address, your phone number, plus any other information you may volunteer to us as part of your enquiry.
If you are a client we may collect certain information from you including, but not limited to: your name, your job title, your company name, your email address, your phone number, plus any other information you may volunteer to us.
We will never ask you to provide special category data. Where you volunteer special category data we will never use it to uniquely identify you. Special category data is personal data which is more sensitive, such as information about your health or religion. You can find out more about special category data from the ICO.
Why do we collect your data?
It is necessary for our legitimate interests to collect and process your data in order to provide a service to you:
This means that we process it in ways you would reasonably expect, which have a minimal privacy impact and because there is a compelling justification to do so.
We know that legitimate interests is our lawful basis for processing your data because we have conducted a Legitimate Interest Assessment (LIA). Based upon that assessment, we have concluded that the rights and freedoms of you – the data subjects, would not be overridden and that in no way would you be caused harm by our processing your data in the manner set out within this policy.
How do we store your data?
The information you provide to us or that we hold about you is stored, where applicable, in a secure cloud server, electronically in our databases, or in our manual databases and sometimes in hard copy. When you call us by phone we collect Calling Line Identification (CLI) information. We do not record calls.
We utilise appropriate security measures to ensure data is protected such as anti-virus software, SPAM filters, firewalls, SSL encryption and cloud and hardware-based server back-up. More information about our cyber security can be found later on in this policy.
How long do we keep your data?
If you are a candidate or potential candidate we keep your data for two years from when we first receive it. If you are a client we retain sufficient personal information to be able to contact you indefinitely.
You have the right to obtain access to any personal information we hold about you.
You are entitled to have personal data rectified if it is inaccurate or incomplete.
Sometimes referred to as the right to be forgotten or right to deletion, you have the right to request that your data is erased. It is important to note however, that if you ask us to erase your data, we will remove any and all data we hold about you from our records. There is a risk that your data may be processed again in the future (for example we may contact you via social media). If you do not wish for us to contact you again at all, we would recommend you request that we restrict processing rather than asking us to delete your data, as this will ensure that we retain enough information about you to suppress processing.
You have the right to ask us to restrict processing. This means that we will stop processing your data, but may retain enough information about you to ensure we do not process it in the future.
You have the right to obtain and reuse your personal data for your own purposes across different services. For example should you wish to move, copy or transfer your data from one IT environment we will enable this in a safe and secure way, without affecting its usability.
You have the right to object to certain types of processing, including processing for direct marketing purposes. We do not currently do any direct marketing in this way.
We do not carry out this type of decision making. Which means we do not:
1) make decisions solely by automated means without any human involvement; or
2) automate processing of personal data to evaluate anything about you.
If you wish to discuss any of the above or make any of the above enquiries or requests you can do so at any time by contacting Laura Carr, Data Protection Officer on 01636 610000 or email@example.com or by post to Church House, 3 Church Walk, Newark, Nottinghamshire NG24 1JS.
We will respond to your enquiry/request within one month from when we receive it, but if it may take longer we will also let you know within the same timeframe.
Sharing your information with third parties
We will not disclose personal information that you provide to any third party, except under the following circumstances:
Where appropriate, before disclosing personal data to a third party, we contractually require the third party to take adequate precautions to protect that data and to comply with applicable law. Where you are asked to undertake psychometric assessment for the purposes of further consideration for a job opportunity, your personal data will be shared with SHL. The personal data that will be shared by us in this instance is limited to your name and email address. Any additional information you provide to them in the process of undertaking psychometric assessment is governed by a separate Data Processing Agreement.
Where your application is successfully shortlisted for consideration for a job opportunity, your personal information will be shared with our client. The information we share may include (but is not limited to):
Transfer of data abroad
We are a global business and from time to time, with your specific consent we may transfer your personal information to CFR Global Executive Search partners located around the world. Where appropriate, before disclosing personal data to another CFR Global Executive Search partner, we contractually require them to take adequate precautions to protect that data and to comply with applicable law for their jurisdiction. We will not share your data in this manner without your specific consent. In such circumstances, you are entitled to receive a copy of our Data Sharing Arrangement for Joint Controllers should you wish.
We use a third party provider, Mail Chimp, to deliver our e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see Mail Chimp’s privacy notice.
We use a third party service, WordPress.com, to publish our content which is hosted at WordPress.com, which is run by Automattic Inc. and to power our website search engine. We use a standard WordPress service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site and search queries and results to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors who want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see Automattic's privacy notice. No user-specific data is collected by either CFR or any third party when using the search function.
We are committed to protecting the security of your personal information. We use a variety of measures (including, but not limited to, firewalls, SSL encryption) to ensure that your personal information is protected from:
• unauthorised access;
• improper use or disclosure;
• unauthorised modification or alteration; and
• unlawful destruction or accidental loss.
We use a CRM platform called FileFinder Anywhere provided by Dillstone Systems to store your data. The data is hosted by us and not shared with any third parties through the use of this software.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 23 May 2018.
Complaints or queries
We aim to meet the highest standards when collecting and using personal data. For this reason, we take any complaints we receive about this seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. If you have any queries or wish to make a complaint you can call us on +44(0)1636 610000, email firstname.lastname@example.org or write to us at the address below. Alternatively please seek further guidance from the Information Commissioner’s Office.
How to contact us
You can contact us at any time by emailing us at email@example.com or write to Laura Carr, Data Protection Officer, Church House, 3 Church Walk, Newark, Nottinghamshire NG24 1JS and by phone on +44 (0)1636 610000.