Who we are
What does this policy cover?
• sets out the types of personal data that we collect about you;
• explains how and why we collect and use your personal data;
• explains how long we keep your personal data for;
• explains when, why and with whom we will share your personal data;
• sets out the legal basis we have for using your personal data;
• explains the effect of refusing to provide the personal data requested;
• explains the different rights and choices you have when it comes to your personal data; and
• explains what measures we take to secure your data.
In accordance with current legislation, we are registered with the Information Commissioner’s Office (ICO) as a data controller which involves explaining what personal data we collect and what we do with it. The ICO is the UK’s independent body set up to uphold information rights.
What personal data do we collect?
When you register your CV with us via email for the purposes of applying for an advertised vacancy or as a speculative approach/enquiry we may ask for certain information from you, including, but not limited to: your name, address, email address, education, skills and qualifications, employment history (including remuneration details), references, job requirements (including location, salary sought, job industry, job title) plus any other information you may volunteer to us or which is contained in your CV.
If you make an enquiry with us using our online enquiry form, we may collect certain information from you, including, but not limited to: your name, your job title, your company name, your email address, your phone number, plus any other information you may volunteer to us as part of your enquiry.
If you are a client we may collect certain information from you including, but not limited to: your name, your job title, your company name, your email address, your phone number, plus any other information you may volunteer to us.
We will never ask you to provide sensitive (special category) data, for example race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. Where you volunteer such information we will never use it to uniquely identify you.
Special category data is personal data which is more sensitive, such as information about your health or religion. You can find out more about special category data from the ICO.
Why do we collect your data?
It is necessary for our legitimate interests to collect and process your data in order to provide a service to you:
• As a candidate it is necessary in order for us to consider your application for an advertised vacancy.
• As a prospective candidate it is necessary in order for us to consider your CV and other details you provide against future vacancies.
• As a client we require sufficient personal information to be able to contact you.
This means that we process it in ways you would reasonably expect, which have a minimal privacy impact and because there is a compelling justification to do so.
We know that legitimate interests is our lawful basis for processing your data because we have conducted a Legitimate Interest Assessment (LIA). Based upon that assessment, we have concluded that the rights and freedoms of you, the data subject, would not be overridden and that you would in no way be caused harm by our processing your data in the manner set out within this policy.
How do we store your data?
The information you provide to us or that we hold about you is stored, where applicable, in a secure cloud server, electronically in our databases, or in our manual databases and sometimes in hard copy. When you call us by phone we collect Calling Line Identification (CLI) information. We do not record calls.
We utilise appropriate security measures to ensure data is protected, such as anti-virus software, spam filters, firewalls, SSL encryption and cloud and hardware-based server back-up. More information about our cyber security can be found later in this policy.
How long do we keep your data?
If you are a candidate or potential candidate we keep your data for two years from when we first receive it. If you are a client we retain sufficient personal information to be able to contact you indefinitely.
Your Individual Rights
Under the EU General Data Protection Regulation 2016, you have a number of specific rights over how we handle your personal data which are set out below. Further information and advice can be found by contacting the Information Commissioner’s Office.
Right to be informed
Right of access
You have the right to obtain access to any personal information we hold about you.
Right to rectification
You are entitled to have personal data rectified if it is inaccurate or incomplete.
Right to object to processing
You have the right to object to certain types of processing, including processing for direct marketing purposes. We do not currently do any direct marketing in this way.
Rights related to automated decision making including profiling
We do not carry out this type of decision making, which means we do not:
• make decisions solely by automated means without any human involvement; or
• automate processing of personal data to evaluate anything about you.
Right to erasure
Sometimes referred to as the right to be forgotten or right to deletion, you have the right to request that your data is erased. It is important to note, however, that if you ask us to erase your data, we will remove any and all data we hold about you from our records. There is a risk that your data may be processed again in the future (for example, we may contact you via social media). If you do not wish for us to contact you again at all, we would recommend you request that we restrict processing rather than asking us to delete your data, as this will ensure that we retain enough information about you to suppress processing.
Right to restrict processing
You have the right to ask us to restrict processing. This means that we will stop processing your data, but may retain enough information about you to ensure we do not process it in the future.
Right to data portability
You have the right to obtain and reuse your personal data for your own purposes across different services. For example, should you wish to move, copy or transfer your data from one IT environment to another, we will enable this in a safe and secure way, without affecting its usability.
If you wish to discuss any of the above or make any of the above enquiries or requests you can do so at any time by contacting us on 01636 610000 or firstname.lastname@example.org or by post to Church House, 3 Church Walk, Newark, Nottinghamshire NG24 1JS.
We will respond to your enquiry/request within one month from when we receive it. If it may take longer, we will let you know within the same timeframe.
Sharing your information with third parties
We will not disclose personal information that you provide to any third party, outside the CFR Consulting Group, except under the following circumstances:
• as necessary for job applications or other services that you have requested;
• with third parties who act for us for further processing i.e. to provide services that you have requested (such as reference checks, qualification and criminal reference checking services and psychometric assessment);
• to third parties who perform functions on our behalf and who also provide services to us (such as professional advisors, IT consultants carrying out testing and development work on our business technology systems); or
• when we believe the law requires it; for example, to prevent and detect crime and to produce anonymised statistics.
Where appropriate, before disclosing personal data to a third party, we contractually require the third party to take adequate precautions to protect that data and to comply with applicable law. Where you are asked to undertake psychometric assessment for the purposes of further consideration for a job opportunity, your personal data will be shared with the assessment provider. The personal data that will be shared by us in this instance is limited to your name and email address. Any additional information you provide to them in the process of undertaking psychometric assessment is processed and controlled by them. Where your application is successfully shortlisted for consideration for a job opportunity, your personal information will be shared with our client. The information we share may include (but is not limited to):
• Your CV and any other similar written documents that you have provided to us demonstrating your work experience;
• Comments from your interview(s) with us;
• Psychometric assessment reports; and
• Evidence of identification and qualifications.
Transfer of data abroad
We are a global business and from time to time, with your specific consent we may transfer your personal information to CFR Global Executive Search partners located around the world (see Global Network listing at www.cfr-group.com). Where appropriate, before disclosing personal data to another CFR Global Executive Search partner, we contractually require them to take adequate precautions to protect that data and to comply with applicable law for their jurisdiction. We will not share your data in this manner without your specific consent. In such circumstances, you are entitled to receive a copy of our Data Sharing Arrangement for Joint Controllers should you wish.
Visiting our website
We use a third party provider, Mail Chimp, to deliver our e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see Mail Chimp’s privacy notice.
We use a third party service, WordPress.com, which is run by Automattic Inc., to publish and host our content and to power our website search engine. We use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site and search queries and results, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors who want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see Automattic’s privacy notice. No user-specific data is collected by either CFR or any third party when using the search function.
Storing your data
We are committed to protecting the security of your personal information. We use a variety of measures (including, but not limited to, firewalls and SSL encryption) to ensure that your personal information is protected from:
• unauthorised access;
• improper use or disclosure;
• unauthorised modification or alteration; and
• unlawful destruction or accidental loss.
We use a CRM platform called FileFinder Anywhere provided by Dillistone Systems to store your data. The data is hosted by us and not shared with any third parties through the use of this software.
Links to other websites
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 3rd February 2020.
Complaints or queries
We aim to meet the highest standards when collecting and using personal data. For this reason, we take any complaints we receive about this seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. If you have any queries or wish to make a complaint you can call us on +44(0)1636 610000, email email@example.com or write to us at the address below. Alternatively please seek further guidance from the Information Commissioner’s Office.
How to contact us
You can contact us at any time by emailing us at firstname.lastname@example.org, by writing to CFR Global Executive Search, Church House, 3 Church Walk, Newark, Nottinghamshire NG24 1JS, or by phone on +44 (0)1636 610000.