Privacy & Data Protection Policy
in accordance with the EU General Data Protection Regulation (GDPR)
Who we are and what we do
We are a Board and Senior level executive search firm which provides executive and non-executive search, succession planning and mentoring services, including bespoke assessment services to both individuals and companies.
What does this Policy cover?
This policy describes how personal data must be collected, handled and stored in order to meet out data protection standards and comply with GDPR. We take the privacy rights of individuals, whether members of staff, candidates or clients, seriously and aim to protect them and act with transparency at all times.
Sets out the types of personal data that we collect about you
Which categories of data we collect and the sources we use
Explains how we store and access your personal data
Explains how and why we collect and use your personal data
Explains how long we keep your personal data for
Explains when, why and with whom we will share your personal data
Sets out the legal basis we have for using your personal data
Explains the effect of refusing to provide the personal data requested
Explains the different rights and choices you have when it comes to your personal data
Explains how we may contact you and how you can contact us.
What personal data do we collect about you?
We collect the information necessary to be able to identify appropriate opportunities for you and also any further information needed to assess your eligibility through the different stages of the search process. This information may include:
Identification and visa documents
CVs and work history
Educational records and checks
Ivy Street commentary on fit to role
Commentary on progress in role once placed.
Categories of Data
The personal data we collect in order to carry out our legitimate business interests includes:
Date of birth
Performance and suitability assessments
Telephone, email, Skype and other relevant contact information
Formal and informal references
Profile picture (most likely sources online)
We do not typically process sensitive personal data such as ethnic origin, political opinions, religious beliefs or physical or mental health information. If a client asks to see the diversity statistics for a search, we will always seek a candidate’s permission to store this information. Diversity statistics on areas of sensitive personal data will be kept anonymous when shared with the clients and will not be attributable to an individual candidate.
Sources of Data
The personal data used by Ivy Street is sourced from one or more of the following methods:
Directly from you either by direct telephone, email, online and in person contact
From an agent/third party acting on your behalf, such as an Interim Management Company
By reference or word of mouth. For example, you may be recommended by a friend, a former employer, a former colleague or even a present employer
Through publicly available sources including company records, websites and press releases
Other online sources including but not limited to, LinkedIn, Boardex, Hoovers, Factiva
How we store and access your data
We store your personal data as follows:
Filefinder – A licensed internal database to which only Ivy Street employees have access to and that access is password protected
Typed or hand written records taken from calls or face to face meetings which are then uploaded onto our internal database and shredded or stored in a locked cupboard
Other data (documents, emails and contacts) is stored on our IT system which includes outlook and OneDrive, again both password protected
How and why do we use your personal data?
We use your personal data to match your skills, experience and education with a potential employer. We will initially collect basic information on you such as contact details, job role and experience and pass this on to the client in search of candidates. If you are suitably qualified and interested in proceeding, we will, with your agreement, collect more information from you as you progress through the process e.g. to our interview stage and then to client interview stage.
How long do we keep your personal data for?
For our legitimate business interests, personal data about clients and candidates is stored indefinitely, unless you request otherwise. Retaining contact with clients and candidates (both actual and prospective) and understanding the path of an individual’s career and their relevant experiences and personal progression is a critical factor in our ability to carry out our legitimate business interests.
Who do we share your personal data with?
Your personal data is shared with the client who initiates a search for an individual, to ascertain whether you might be a fit for the position. We may also conduct checks on you to verify the information you have provided and we may be required to share details with specific third parties in those circumstances.
What legal basis do we have for using your information?
We will only collect and use personal data for the legitimate purposes of:
Executing an executive or non-executive search
Providing mentoring services
Conducting succession planning or other research projects concerned with the executive search process
Business development activities pursuant to winning search, succession planning or mentoring assignments
For clients specifically, we may also rely on collecting and using personal data to enable us to fulfil a contractual obligation
What happens if you do not provide us with the information we request or ask that we stop processing your information?
If you do not provide the personal data necessary, or request that we stop processing your personal data, we will not be able to match you with suitable search mandates. At your request, you will be removed from the database and will not be contacted by us again.
Do we make automated decisions concerning you?
No, we do not carry out any form of automated exercise or process to determine suitability.
Do we share your data outside of the EU?
To better match your employee profile with current opportunities we may transfer your personal data to clients and partners in countries outside the EEA. These countries privacy laws may be different from those in your home country. Where we transfer data to a country which has not been deemed to provide adequate data protection standards we always have security measures and approved model clauses in place to protect your personal data.
What rights do you have in relation to the data we hold on you?
By law, you have a number of rights when it comes to your personal data. Further information and advice about your rights can be obtained from the data protection regulator in your country.
What does this mean?
The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this Policy.
The right to rectification. You are entitled to have your information corrected if it’s inaccurate or incomplete.
The right to erasure. This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
The right to restrict. You have rights to ‘block’ or suppress further use of your processing information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
The right to data portability. You have rights to obtain and reuse your personal data for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT systems and theirs safely and securely, without affecting its usability.
The right to object to processing. You have the right to object to certain types of processing, including processing for direct marketing (i.e. if you no longer want to be contacted in regard to potential opportunities).
The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your personal data with your national data protection regulator.
The right to withdraw consent. If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent from us to use your personal data for marketing purposes.
We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
Baseless or excessive/repeated requests, or
Further copies of the same information
Alternatively, we may be entitled to refuse to act on the request.
Please consider your request responsibly before submitting it. We will respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we’ll come back to you and let you know.
How will we contact you?
We may contact you by phone, email or social media. If you prefer a particular contact means over another, please let us know.
How can you contact us?
If you are unhappy with how we’ve handled your information, or have further questions on the processing of your personal data, contact us here: firstname.lastname@example.org