Data Protection Policy
Rev. 1: 16.04.18
Data protection, and particularly the protection of personal data, is of paramount importance to Danos Associates as a company whose business is executive search and consulting, and this policy covers the handling, control and protection of data in accordance with existing and developing legislation and regulation.
As a UK-based company with global regional offices, this policy is primarily determined by UK and EU legislation, reinforced by local legislation in non-UK geographies as appropriate1. The EU’s General Data Protection Regulation (GDPR) is effective from 25 May 2018 and applies to the UK. It supersedes and strengthens the UK’s Data Protection Act 1998 (DPA 98).
DPA 98 was designed to regulate the use of data, particularly personal data, and to prevent its misuse, abuse or unauthorized disclosure. Personal data is defined as information that relates to a living individual who can be identified from that information. The Act imposes specific duties on everyone who is responsible for the storage of personal information on computer (referred to as a data-owner). It also gives rights to individuals to have access to information that is held and related to them.
The GDPR defines personal data as data which refers to the data subject who can be identified from those data and other information which is in the possession of, or likely to come into the possession of the data controller (in this case, Danos Associates), and includes any expression of opinion about the individual and any indication of intentions of the data controller or any other person in respect of the individual. It includes:
- An individual’s name.
- An individual’s identification number.
- An individual’s location data (i.e. address).
- An individual’s online identifier (including an individual’s IP address or cookie identifier).
- Factors relating to the psychological, economic, cultural, social or physical identity of an individual.
In addition, ‘sensitive personal data’ is defined as data which relates to racial or ethnic origin, political and religious beliefs, trade union membership, health, sex life or criminal record, and must be given a higher level of protection. Danos Associates does not hold nor process any such information. Nor does it hold or process any information relating to minors.
In accordance with DPA 98 and GDPR, personal data must be obtained and processed lawfully and fairly; be held for a specific purpose; not used for any reason incompatible with its original purpose; be relevant and adequate; be accurate and up to date; not kept longer than necessary; be made available to the individual on application; and provision made for any correction; be safeguarded and secure to prevent disclosure, alterations, loss or destruction of the information held.
Data subject rights under GDPR are reinforced or extended, and the Company’s policy is detailed under Principle and Practice below.
Danos Associates Limited, Danos Associates US Inc., Danos Associates APAC Ltd. and Danos Associates (Singapore) Pte. Ltd. are committed to a policy of protecting the rights and privacy of individuals including employees, consultants, contractors, candidates, clients and others in accordance with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR), and locally in accordance with any other legislation or regulation applying outside the UK and EU. Any breach of relevant data protection law or regulation, or of this policy, by any of Danos Associates’ employees is potentially subject to disciplinary procedure.
As a matter of good practice, other organisations and individuals working in partnership with the company, and who have access to personal information, will be expected to have read and to comply with this policy. In conducting due diligence, Danos Associates will seek appropriate data protection assurance from its providers.
Registration with Relevant Authority
The purpose of the Data Protection Act 1998 which came into effect on 1 March 2000 and the GDPR from 25 May 2018 is to protect the rights and privacy of individuals, and to ensure that their personal data is not processed without their knowledge or consent. Danos Associates is required to register the fact that it holds personal data with the UK Information Commissioner’s Office on an annual basis, and its data protection registration number is ZA193157.
Danos Associates, in accordance with relevant definitions, is a ‘data controller’, and accepts responsibility as such.
The lawful basis for Danos Associates processing personal data is as a company whose business is the provision of recruitment and consulting services. Personal data is principally in the form of candidate information and is held on the basis of minimum and as long as necessary.
- In the case of candidates this includes personal data as agreed by the candidate for the purpose of being processed for roles and for career development. ‘As long as necessary’ is determined by the candidate’s wishes for his/her information to be processed both in respect of particular appointments and in respect of his/her career development for future opportunities. Danos will confirm candidate’s wishes on this point, and record that information, updating as required.
- Additionally, Danos Associates holds personal data relating to employees in accordance with legal requirements.
All employees are made aware that during their employment they could be party to confidential information concerning the Company and the Company’s business. They agree that they will not during the term of their employment, or any notice period, or after termination, disclose or allow the disclosure of any confidential information (except with the written consent of the Management), or in the proper course of their employment, or as required by law. Any disclosure of such information to any outside bodies or any personal use of such information will potentially be grounds for disciplinary procedures.
Candidate and client information, and the safeguarding of it, is particularly important. No candidate or customer information will be divulged to a third party without the express permission of the candidate or client, and as required by the law.
All employees have been made aware of the changes in the law with regard to GDPR, and what this means. Data protection training is included in the company’s induction processes.
Data may be held by Danos Associates for the purpose of provision of recruitment and consulting services, and is categorised as follows:
- Staff Administration
- Accounts & Records
- Advertising, Marketing & Public Relations
- Candidate Data
- Client Data
Data is held either electronically or in hard copy:
Electronic – All personal data is held on a protected database in the cloud, on secure servers within the UK. This is through a third party which complies with all relevant data protection legislation and regulation, and provides data protection assurance through certification and which meets ISO9001 and ISO27001 compliance standards. The company’s IT includes desktop PC’s within a secure office environment; landline telephones and business mobile telephones are provided by the Company to employees. Danos also operates a secure communications network, which is password-protected. All electronic external and internal communications are provided through the services of Nasstar who meet ISO 27001 standards and are registered with the ICO (Registration Number: Z7879408). All accounts are password protected.
Hard copy – The company also holds certain necessary data in hard copy in secure cabinets in its office locations which may only be accessed only by parties designated by the management team. Examples of such documents include contracts, active CVs on a time limited basis after which time they’re destroyed via confidential shredding service.
Data Protection Principles and Practice
Danos Associates is a ‘data controller’, and as such it determines the purpose for which, and the manner in which, any personal data are, or are to be, processed. Personal data is processed as follows:
- Fairly and lawfully – We will always put our logo on all paperwork, state our intentions on processing the data and state if, and to whom, we intend to give the personal data.
- For limited purpose – We will not use data for a purpose other than that agreed by data subjects. If the data held by us is requested by external organisations for any reason, this will only be passed on with express permission from the data subject, or where the law may require it.
- Adequately, relevantly and not excessively – We will monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of individuals about whom the data are held. If data given or obtained are excessive for such purpose, they will be immediately deleted or destroyed by the data controller.
- Accurately and up-to-date – Individuals should notify us of any changes, to enable personnel records to be updated accordingly. It is the responsibility of the Company to act upon notification of changes to personal data, amending them where relevant.
- Securely – Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. Danos Associates’ database is password and firewall protected, and only authorised staff have access to personal data.
All individuals on whom the Company holds data have the right to:
- Be informed. Privacy notices will be reviewed periodically and as otherwise required to ensure that they contain all necessary information.
- Have access to any and all personal data held on them (requests for personal information are called ‘Subject Access Requests’), details of which will be provided within one month from request, free of charge.
- Have their personal data rectified within one month if it is inaccurate or incomplete (assuming that they have previously notified the Company of any changes).
- Be forgotten. Data subjects can request that their personal be erased and no longer processed.
- Restrict processing of their personal data, including the blocking or suppressing of data in certain circumstances (e.g. inaccuracy).
- Port personal data to a new service provider free of charge and in a machine-readable format.
- Object to processing which is carried out for the legitimate interests of Danos Associates, the performance of a task in the public interest, direct marketing, or for scientific, historical research or statistical purposes unless there are legitimate grounds which override the rights of an individual.
- Port personal data to a new service provider free of charge and in a machine-readable format.
- Safeguards against the risk that a potentially damaging decision is taken without human intervention as a result of automated decision-making and profiling. Danos Associates operates no such automated processes.
Any individual wishing to submit a Subject Access Request, or otherwise exercise their right in accordance with paragraph 5 above, is/is to be requested to contact Danos Associates as follows:
In writing to:
The Data Controller
32 Ludgate Hill
London EC4M 7DR
Or by email to email@example.com
Data Privacy Impact Statements
We have reviewed ICO guidance on Data Privacy Impact Statements and assessed that there is no mandatory requirement for ant Data Privacy Impact Statements. Danos Associates has nonetheless conducted a Data Privacy Impact Assessment in respect of its generic recruitment process.
The potential risk of personal data breach shall be actively and proactively managed at all times. This includes:
- Identification of potential risks.
- Appropriate technical, organisational and procedural measures being routinely monitored and updated as required.
- Training, including refresher training of all employees authorised to handle personal data.
- Assurance from third parties (servers).
All Danos employees shall be appraised of the potential consequences of a data breach, and all possible steps taken to mitigate such a possibility as detailed in induction and routine refresher training.
In the event of a data breach, either real or suspected, the Data Controller is to be informed immediately so that the situation may be controlled in the most effective and timely manner possible.
Data Protection Officer
Danos Associates is not required to appoint a Data Protection Officer, as it is not a public authority and its core activities do not consist of regular and systematic monitoring of data subjects on a large scale.
Notwithstanding, Danos Associates shall appoint a designated company officer to be the Data Controller in order to provide a focal point for data protection policy and management.
International Data Protection Authorities:
UK and Europe. The Data Protection Authority for the UK and Europe is the Information Commissioner’s Office (ICO), www.ico.org.uk.
USA. While there is no formally designated authority, the Federal Trade Commission (FTC) is the de facto Data Protection Authority for the USA, www.ftc.gov.
Hong Kong. The Data Protection Authority for Hong Kong is The Office of the Privacy Commissioner for Personal Data, www.pcpd.org.hk.
Singapore. The Data Protection Authority for Singapore is Personal Data Protection Commission (PDPC), www.pdpc.gov.sg.
1 Relevant legislation in the USA, given no over-arching federal legislation or regulation, includes the Financial Services Modernization Act. In Hong Kong, it includes the Personal Data (Privacy) Ordinance (Cap.486) and in Singapore the Personal Data Protection Act 2012 (PDPA).
1.1 We are committed to safeguarding the privacy of our website visitors; in this policy we explain how we will treat your personal information.
2. Collecting personal information
2.1 We may collect, store and use the following kinds of personal information: (a) [information about your computer and about your visits to and use of this website (including [your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths]);] (b) [information that you provide to us when registering with our website (including [your email address]);] (c) [information that you provide when completing your profile on our website (including [your name, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details]);] (d) [information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters (including [your name and email address]);] (e) [information that you provide to us when using the services on our website, or that is generated in the course of the use of those services (including [the timing, frequency and pattern of service use]);] (f) [information relating to any purchases you make of our [goods / services / goods and/or services] or any other transactions that you enter into through our website (including [your name, address, telephone number, email address and card details]);] (g) [information that you post to our website for publication on the internet (including [your user name, your profile pictures and the content of your posts]);] (h) [information contained in or relating to any communication that you send to us or send through our website (including [the communication content and metadata associated with the communication]);] (i) [any other personal information that you choose to send to us; and] (j) [[provide details of other personal information collected].]
2.2 Before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information in accordance with this policy.
3. Using personal information
3.1 Personal information submitted to us through our website will be used for the purposes specified in this policy or on the relevant pages of the website.
3.2 We may use your personal information to: (a) [administer our website and business;] (b) [personalise our website for you;] (c) [enable your use of the services available on our website;] (d) [send you goods purchased through our website;] (e) [supply to you services purchased through our website;] (f) [send statements, invoices and payment reminders to you, and collect payments from you;] (g) [send you non-marketing commercial communications;] (h) [send you email notifications that you have specifically requested;] (i) [send you our email newsletter, if you have requested it (you can inform us at any time if you no longer require the newsletter);] (j) [send you marketing communications relating to our business [or the businesses of carefully-selected third parties] which we think may be of interest to you, by post or, where you have specifically agreed to this, by email or similar technology (you can inform us at any time if you no longer require marketing communications);] (k) [provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information);] (l) [deal with enquiries and complaints made by or about you relating to our website;] (m) [keep our website secure and prevent fraud;] (n) [verify compliance with the terms and conditions governing the use of our website [(including monitoring private messages sent through our website private messaging service)]; and] (o) [[other uses].]
3.3 If you submit personal information for publication on our website, we will publish and otherwise use that information in accordance with the licence you grant to us.
3.4 Your privacy settings can be used to limit the publication of your information on our website, and can be adjusted using privacy controls on the website.
3.5 We will not, without your express consent, supply your personal information to any third party for the purpose of their or any other third party’s direct marketing.
4. Disclosing personal information
4.1 We may disclose your personal information to [any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors] insofar as reasonably necessary for the purposes set out in this policy.
4.2 We may disclose your personal information to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes set out in this policy.
4.3 We may disclose your personal information: (a) to the extent that we are required to do so by law; (b) in connection with any ongoing or prospective legal proceedings; (c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk); (d) [to the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling; and] (e) [to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.]
4.4 Except as provided in this policy, we will not provide your personal information to third parties.
5. International data transfers
5.1 Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy.
5.2 Information that we collect may be transferred to the following countries which do not have data protection laws equivalent to those in force in the European Economic Area: [the United States of America, Russia, Japan, China and India].
5.3 Personal information that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
5.4 You expressly agree to the transfers of personal information described in this Section 6.
6. Retaining personal information
6.1 This Section 7 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal information.
6.2 Personal information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.3 Without prejudice to Section 7.2, we will usually delete personal data falling within the categories set out below at the date/time set out below: (a) [personal data type] will be deleted [date/time; and] (b) [repeat as necessary.]
6.4 Notwithstanding the other provisions of this Section 7, we will retain documents (including electronic documents) containing personal data: (a) to the extent that we are required to do so by law; (b) if we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and (c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).
7. Security of personal information
7.1 We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
7.2 We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
7.3 All electronic financial transactions entered into through our website will be protected by encryption technology.
7.4 You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
8.1 We may update this policy from time to time by publishing a new version on our website.
8.2 You should check this page occasionally to ensure you are happy with any changes to this policy.
8.3 We may notify you of changes to this policy [by email or through the private messaging system on our website].
9. Your rights
9.1 You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to: (a) the payment of a fee (currently fixed at GBP 10); and (b) the supply of appropriate evidence of your identity [(for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address)].
9.2 We may withhold personal information that you request to the extent permitted by law.
9.3 You may instruct us at any time not to process your personal information for marketing purposes.
9.4 In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.
10. Third party websites
10.1 Our website may include hyperlinks to, and details of, third party websites.
10.2 We have no control over, and are not responsible for, the privacy policies and practices of third parties.
11. Updating information
11.1 Please let us know if the personal information that we hold about you needs to be corrected or updated.
12.2 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
12.3 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
12.4 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
12.5 We use [only session cookies / only persistent cookies / both session and persistent cookies] on our website.
12.6 Most browsers allow you to refuse to accept cookies; for example: (a) in Internet Explorer (version 11) you can block cookies using the cookie handling override settings available by clicking “Tools”, “Internet Options”, “Privacy” and then “Advanced”; (b) in Firefox (version 39) you can block all cookies by clicking “Tools”, “Options”, “Privacy”, selecting “Use custom settings for history” from the drop-down menu, and unticking “Accept cookies from sites”; and (c) in Chrome (version 44), you can block all cookies by accessing the “Customise and control” menu, and clicking “Settings”, “Show advanced settings” and “Content settings”, and then selecting “Block sites from setting any data” under the “Cookies” heading.
12.7 Blocking all cookies will have a negative impact upon the usability of many websites.
12.8 If you block cookies, you will not be able to use all the features on our website.
12.9 You can delete cookies already stored on your computer; for example: (a) in Internet Explorer (version 11), you must manually delete cookie files (you can find instructions for doing so at http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-11); (b) in Firefox (version 39), you can delete cookies by clicking “Tools”, “Options” and “Privacy”, then selecting “Use custom settings for history” from the drop-down menu, clicking “Show Cookies”, and then clicking “Remove All Cookies”; and (c) in Chrome (version 44), you can delete all cookies by accessing the “Customise and control” menu, and clicking “Settings”, “Show advanced settings” and “Clear browsing data”, and then selecting “Cookies and other site and plug-in data” before clicking “Clear browsing data”.
13. Data protection registration
13.1 We are registered as a data controller with the UK Information Commissioner’s Office.
13.2 Our data protection registration number is ZA193157.
14. Our details
14.1 This website is owned and operated by Danos Group.
14.2 We are registered in England and Wales under registration number 07925299, and our registered office is at 1 Vincent Square, Westminster, London SW1P 2PN.
14.3 Our principal place of business is at 32 Ludgate Hill, London, EC4M 7DR.
14.4 You can contact us by writing to the business address given above, by using our website contact form, by email to firstname.lastname@example.org or by telephone on +44 (0) 20 7610 6442.