Privacy Notice – Candidates and Clients
Welcome to Harrison Clarke’s Privacy Notice.
This Privacy Notice is aimed at Candidates and Clients who benefit from Harrison Clarke’s recruitment and staffing services within the United States (US) and within the United Kingdom (UK) and the European Union (EU). We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
Who we are
We are Harrison Clarke.
Harrison Clarke International Ltd is a UK company registered under Company Number: 10541771 and has its registered office at 30th Floor, 40 Bank Street, Canary Wharf, London, E14 5NR, United Kingdom (HCI UK).
Harrison Clarke International Inc, is registered in the State of California and has its registered office at 10100 Venice Blvd., Culver City, CA 90232, US (HCI US). HCI US also has an office at 600 Third Avenue, 2nd Floor, Manhattan, New York, NY 10016, US.
In this Privacy Notice, HCI UK and HCI US, and “we”, “us”, “our” shall collectively be referred to as HCI or Harrison Clarke.
We have nominated a Data Protection Counsel, Charlotte Gerrish. You can contact her via our dedicated data protection email address: email@example.com.
HCI’s Staffing Activities
Our business is primarily focused in the US, and HCI’s client and candidate base comprises solely companies and citizens based or residing in the US. HCI therefore respects US data protection rules in respect of any processing carried out in the US. As HCI UK is a key entity of the HCI Group and is based in the UK, HCI is also committed to respecting European data protection rules when they are applicable to our activities.
As part of its staffing activities, HCI collects, uses and is responsible for certain personal information about candidates and clients. When we do this within the EU or UK or when we provide services to EU or UK residents, we are regulated under the General Data Protection Regulation or “GDPR” which applies across the EU (including in the UK due to national laws such as the Data Protection Act 2018). In this respect, we are a ‘controller’ of personal data for the purposes of those laws. HCI UK therefore has strict privacy rules and standards in force pursuant to the GDPR.
Whilst the processing of personal data taking place outside of the EU or UK, in respect of services aimed at individuals residing outside of the EU or UK (such as US residents) falls outside the scope of European data protection rules, we still take protection of our US candidate and client’s privacy rights seriously meaning that in some instances, our US candidates and clients benefit from the EU standards of data protection, which are not ordinarily available in the US.
HCI US’s appointed representative in the European Economic Area (EEA)
As HCI US is based in the US, HCI US has appointed HCI UK to be its representative within the EEA. We will review this appointment depending on the outcome of Brexit transition period, which is due to expire on 31st December 2020.
HCI complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from EU and the UK to the US. HCI has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If you want to learn more about the Privacy Shield program, and view our certification, please visit https://www.privacyshield.gov/.
However, whilst HCI US adheres to the Privacy Shield Principles and it remains in compliance with the requirements of such certification, any transfers of personal data from the UK and the EEA to HCI in the US are conducted by relying on the European Commission’s Standard Contractual Clauses for Controller-to-Controller transfers in compliance with Chapter V of the GDPR.
If there is any conflict between the terms in this Privacy Notice and the Standard Contractual Clauses, the Standard Contractual Clauses shall govern. Further information about our personal data transfers outside of the EEA are also set out below in this privacy notice.
The personal information we collect and use
Information collected by us
In the course of our activities as a recruitment and staffing specialist, we collect different kinds of information depending on whether you are a job seeker or a candidate wishing to utilise our recruitment services to find your next employer, or whether you are a client who has contacted us to help you to find your next employee.
When we refer to clients in this policy, we also refer to our commercial business suppliers, partners and vendors.
For our clients, we store the following personal information when you provide it to us:
- Your name, your job title and role within your organisation;
- Your office or head office address; and
- Your professional contact details (such as telephone numbers, fax numbers and email addresses).
For our candidates, examples of the information we store about you may include:
- Your name and contact details (i.e. address, home and mobile phone numbers, email address);
- Details of your qualifications, experience, employment history (including job titles, salary and working hours) and interests;
- Details of your referees;
- Information about your previous academic and/or employment history;
- Information from references obtained about you from previous employers and/or education providers; and
- Information regarding your academic and professional qualifications.
We do not directly collect any sensitive data (also known as special categories of personal data) about you but sometimes this might be incidental to information we require to carry out our recruitment services. Examples of sensitive data include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, or information about your health which might be collected if our clients require evidence of nationality for visa or work permit requirements or if you need assistance or adjustments to attend an interview. We do not collect any information about criminal convictions and offences. If the need for such information arises, we will always contact you to discuss this.
Information collected from other sources
We do not generally obtain personal information about our clients from other sources, but this can occur on occasion, such as information gained from:
- Professional social media sites where such information is in the public domain;
- Any professional marketing materials or other publications (including your company’s website) which have been issued and maintained by your company;
- Information that may have been gained or exchanged from trade fairs, industry talks or networking forums (in respect of this information we will always seek your consent before adding you to our database);
- Your company itself, where we have initially been dealing with another department or another group entity.
In respect of our candidates, sometimes we will collect information from third parties such as previous employers, your school, university or college, professional regulators or government bodies based on information that has been provided by the candidates themselves. Here are examples of some of the categories of information collected and organisations who might provide us with that information:
- Your previous academic institution and/or employers;
- Professional bodies or regulators regarding your professional qualifications or certifications
- Job Boards or CV Banks or a profile on a social networking website designed specifically for professional networking.
How we use your personal information
For both our clients and candidates, we use any information we collect about you to:
- best provide our recruitment services, tailor-made to suit your needs;
- to contact you in order to provide our recruitment services;
- to negotiate and enter into agreements with our clients which govern the provision of our recruitment services to you and sets out your (and our) rights and obligations, such as dealing with payment, and sending related correspondence.
Who we share your personal information with
Typically, for our candidates, the types of organisations with whom we share your information include our clients to whom we provide recruitment services, who are seeking individuals with a profile similar to yours in order to offer employment opportunities. The purpose is so that we can help you find a new job and fulfil our clients’ recruitment needs. This data sharing enables us to best help you in your job search, and also allows us to fulfil our sourcing obligations to our clients.
However, candidates, please rest assured! We take our data protection obligations seriously and do not share your personal information with any other third party, unless we have your express consent to do so. As we are committed to providing high quality recruitment services, will never forward on your CV to any third party without first having obtained your approval to do so.
Similarly, we share client data with our candidates when we think that we have found a good fit. This data is limited to information about the role, the company, any specific requirements or details. If the candidate is offered an interview with you, we will also provide the candidate with the hiring manager’s name, professional contact details and office address. The reason for this is so that we can introduce candidates to our clients so that we can fulfil our obligation to provide staffing services to all parties concerned. Again, we will only ever share such information provided that our client contact has confirmed to us that we can do so, and that they are happy to meet with the candidate.
We also share data to external IT servers or on cloud-based storage to ensure that we have high quality and efficient IT management. We also give your details to our third-party providers, such as external finance, external marketing managers or external lawyers to make sure that we are able to complete our contractual obligations to you and ensure the smooth running of our business.
If any transfers of your personal data with third parties constitutes a controller-processor relationship, we ensure that both parties are responsible for your personal data within the limits of that law, including by entering into a data processing agreement where this is necessary. For all other transfers we remain responsible for third parties’ use of your personal data. We ensure that we have appropriate indemnities in place with these third parties. Whenever we share your personal information with third parties, we always ensure that the transfers are governed by contractual obligations (pursuant to a data processing agreement or other contractual mechanisms). In any case, we always make sure that we have appropriate technical, security and organisational methods in place to secure the confidentiality and proper processing of your data, and we require that our third-party providers adhere to these guarantees too. A list of our third-party suppliers with whom we may share your personal data is available on request by contacting our Data Protection Counsel at: firstname.lastname@example.org.
Some of those third-party recipients may be based outside the European Economic Area (EEA) — for further information including on how we safeguard personal data of EU or UK residents when this occurs, see ‘Transfer of your information out of the EEA’ below.
Please note: HCI may also share personal information with law enforcement or other authorities if required by applicable law or for the purposes of litigation. This specifically includes the requirement for HCI to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements in force across the US, UK and/or EU.
Whether information has to be provided by you, and if so why
Sometimes we require specific information about you in order to properly provide you with our services. If you do not wish to provide us with certain information, then we will contact you on a case-by-case basis to explain the situation and to see how we can continue to provide you with our services in the absence of such information.
How long your personal information will be kept
As a general rule, we will keep your personal data on file for a period of 4 years following our last meaningful contact with you, unless you expressly tell us otherwise. Before we delete your data, we will check with you to see whether our recruitment services are still of interest, unless you tell us otherwise. We consider that 4 years is a reasonable timeframe, as this is usually the length of time an individual remains in a role, and you may need our services again towards the end of this period, either to find a new employee or to look for a new job.
Sometimes, we might keep your personal data for longer than the 4-year period, for example, to allow us to keep any data in accordance with legal or fiscal obligations to in pursuit or defence of a claim. It may be that some personal data is retained on these documents, but this is purely incidental to documents which are generally required strictly for commercial, legal or fiscal purposes. Where possible, we will ensure that any personal data is anonymized where it is not strictly necessary.
These timeframes apply to our client contacts who are based within the EU or UK, but where practical, we also use our reasonable efforts ensure that these timeframes apply to our US based contacts, unless HCI US has a business reason for doing otherwise.
Reasons we can collect and use your personal information
As far as our clients are concerned, we process your personal information: (i) with a view to entering into a commercial contract or to perform that commercial contract; (ii) in accordance with our legal obligations (for example, our accounting and HMRC and other tax obligations); and (iii) in our mutual legitimate interests – we both have the same or similar legitimate interests in collaborating together – to find you your next employee.
In respect of our candidates, we collect and use your personal information on the basis of our mutual legitimate interests. We rely on legitimate interests because we consider that our legitimate interests as a recruitment agency are not overridden by your interests or rights as a candidate. In fact, we consider that our mutual legitimate interests are likely to align with your interests in finding a job, especially when you have placed your CV on a job board with the intention of finding work or when you have selected an “Available for Work” option or “Please Notify Recruiters” on professional networking sites.
For EU or UK-based candidates we will nonetheless rely on your consent in instances where you have not selected an “Available for Work” option. In this case, we will contact you to see if you would like to be included in our database or if you would like to benefit from our recruitment services.
If we ever need to process sensitive personal data, we will contact you at this stage and explain why we need certain information about you and obtain your express consent.
You can of course object to us processing your personal data on the basis of legitimate interests at any time and you are also able to withdraw your consent at any time. You may do this by contacting us at email@example.com.
Transfer of your information out of the EEA
We may transfer your personal information to the following locations, which are located outside the EEA and the UK as follows:
- We may transfer your personal information between HCI UK and HCI US in order to share data between the HCI Group which enables us to properly perform recruitment services for clients and candidates based in the US.
- We may transfer personal data about clients within the EEA and the UK to candidates based in the US or elsewhere outside of the EEA or the UK in order to fulfil our obligations to provide clients with staffing services.
- We may transfer personal data about candidates residing within the EEA or the UK to clients based in the US or outside of the EEA or the UK in order to assist those candidates with their job search.
- We may also transfer your personal information to locations outside the EEA or the UK, for example, for storage on servers based in the US or otherwise outside of the EEA or the UK.
- When HCI US provides services to clients and candidates based in the US, the data is always held in the US and is not usually transferred within the EEA or the UK, as generally there is no business need to do so.
Some non-EEA countries do not have the same data protection laws as within the UK and the EEA, but HCI commits to ensuring that EU and UK residence suffer no consequence or impact to their privacy rights in the event of an international transfer.
Our transfers of personal data from HCI UK to HCI US
To ensure that our clients and candidates benefit from the high privacy standards in force in the EEA, any transfer of personal information related to EEA or UK residents from HCI UK to HCI US is carried out pursuant to the obligations set out in the European Commission’s Standard Contractual Clauses (SCCs).
HCI US also adheres to the Privacy Shield Principles, which impose strong obligations on companies in the US to protect personal data and stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission. Following HCI’s self-certification, HCI has been placed on the Privacy Shield List by the US Department of Commerce. However, HCI does not rely on the Privacy Shield for any transfers of personal data from the UK and the EEA to the US – such transfers will always be conducted on the basis of the SCCs. For more information about the SCCs, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. For more information about the EU-US Privacy Shield, please visit: https://www.privacyshield.gov/PrivacyShield.
Other International Transfers
In the event of other transfers outside of the EEA and the UK, we will only conduct transfers of your personal data outside of the UK and the EEA when we are sure that such transfers are protected by the adequate safeguards set out in the SCCs, or where the receiving territory has been held by the European Commission as providing adequate protection to personal data. We also reserve the right to transfer personal data belonging to EU and UK residents outside of the EEA and the UK in accordance with the legal provisions set out in the GDPR, provided that one of the following grounds are satisfied:
- The individual candidate or client contact has explicitly consented after being informed of the risks of the transfers due to the absence of an adequacy decision and appropriate safeguards.
- The transfer is necessary for the performance of a contract between the individual candidate or client contact, and the organisation or for pre-contractual steps taken at the candidate or client contact’s request.
- The transfer is necessary for the performance of a contract made in the interests of the individual candidate or client contact between HCI and another person.
- The transfer is necessary for important reasons of public interest or to establish, exercise or defend legal claims.
- The transfer is made from a public register which is intended to provide information to the public and specific conditions are fulfilled.
- The transfer is in HCI’s legitimate interests if no other grounds apply and providing that the transfer is occasional, concerns only a limited number of candidates or client contacts, and which are necessary for HCI’s legitimate interests. In this case, HCI shall also provide appropriate safeguards for the personal data and shall inform both the applicable supervisory authority (such as the ICO) and the candidates or client contacts of the transfer.
We understand that Brexit is an uncertain time for both our clients and candidates. We have been monitoring the best practices to ensure continued protection of your personal data. The UK has now left the EU and is currently in a transition period which at the time of updating this policy is set to expire on 31st December 2020. This means that during the current transition period, EU data protection law, including the GDPR, continues to apply to and in the UK. This also means that any transfers of personal data from the UK to the US shall rely on the SCCs or such approved mechanism under the GDPR.
In relation to UK-EU transfers of personal data after the end of the transition period, the UK will hopefully be awarded an adequacy decision by the European Commission, meaning that the UK will be deemed to provide a level of protection to personal data which is the same as the level afforded by the GDPR and that no further action for UK-EU personal data transfers will be required after the end of the transition period. However, in the event that the UK is not awarded an adequacy decision, HCI shall rely and enter into the SCCs or any other such approved mechanism as described in Chapter V of the GDPR for any personal data transfers between the UK and the EU.
We will continue to closely monitor the developments in this area and will update this privacy notice accordingly, so please check back regularly.
Finally, please rest assured that for EU and UK residents, we will not otherwise transfer your personal data outside of the UK or EEA or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
Under the GDPR both our candidates and clients residing within the EU or UK have a number of important rights free of charge. We also extend those rights to our US contacts. In summary, those include rights to:
- fair processing of information and transparency over how we use your use personal information;
- access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address;
- require us to correct any mistakes in your information which we hold;
- require the erasure of personal information concerning you in certain situations;
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
- object at any time to processing of personal information concerning you for direct marketing;
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
- object in certain other situations to our continued processing of your personal information;
- otherwise restrict our processing of your personal information in certain circumstances; and
- for transfers pursuant to the EU-US Privacy Shield (including transfers from the UK), the possibility, under certain conditions, to invoke binding arbitration.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please contact us at firstname.lastname@example.org with enough information to allow us to identify you (by providing proof of your identity and address) and let us know the information to which your request relates.
Receiving emails from us
We will only ever contact you in accordance with established marketing rules and practices, including the Privacy and Electronic Communications Regulations. If you would like to unsubscribe from any email communications not related to the services we are providing you, or you no longer wish to receive marketing emails or if you simply wish to be removed from our database, you can contact us at any time at: email@example.com or click on the ‘unsubscribe’ button at the bottom of our emails to you. It may take up to seven days for this to take place.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We also ensure that you are able to limit the use and disclosure of your data by practical or technical means, such as by seeking your consent for transfers to third parties (where appropriate) and ensuring that we have appropriate technical mechanisms in place, such as IT security involving the encryption of our database and data, and also the possibility to anonymise your personal data at your request, and where appropriate.
For California residents, in order to comply with applicable law (Assembly Bill No.1130 which came in to force 1 January 2020), we will notify you without unreasonable delay in the event of any breach of the security of the system following discovery or notification of the breach where we are legally required to do so, either via email or via a notice on our website. We will take all steps to mitigate the breach as set out in the applicable law.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The GDPR also gives EU and UK residents the right to lodge a complaint with a supervisory authority, in particular in the UK, or within the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred.
The supervisory authority governing HCI’s data activities in the UK is the Information Commissioner who may be contacted at http://ico.org.uk/concerns.
HCI US is also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Changes to this privacy notice
We may change this privacy notice from time to time and when we provide the latest version on this website. This privacy notice was published on 24th May 2018 and last updated on 4th August 2020.
How to contact us
If you wish to contact us, please send an email to our Data Protection Counsel at: firstname.lastname@example.org.