Privacy Policy

Policy for candidates
Policy for clients

Candidate Privacy Policy

Interpretation

1.1 Definitions:

Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

Edvance Recruitment Edvance Recruitment Limited [registered in England under company number 16917899)

Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.

Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. We are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.

Data Protection Officer: the person required to be appointed in specific circumstances 19 January 2026 under the UK GDPR. Where a mandatory Data Protection Officer has not been appointed, this term means a data protection Representative or other voluntary appointment of a nominated representative or refers to the Company data privacy team with responsibility for data protection compliance.

EEA: the 28 countries in the EU, Iceland, Liechtenstein and Norway.Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).

UK General Data Protection Regulation (UK GDPR): the UK General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the UK GDPR.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy by Design: implementing appropriate technical and organisational measures in aneffective manner to ensure compliance with the UK GDPR.

Privacy Guidelines: the Company Data Management and Retention Policy provided to assist in interpreting and implementing this Privacy Policy and Related Policies.

Privacy Notices: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Related Policies: the Company’s policies, operating procedures or processes related to this Privacy Policy are designed to protect Personal Data, available in the Company Handbook.

Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

2. Introduction

This Privacy Policy sets out how Edvance Recruitment Limited (”we”, “our”, “us”, “the”Company”) handle the Personal Data of our customers, suppliers, employees, workers and other third parties.

This Privacy Policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.

This Privacy Policy applies to all Company Personnel (”you”, “your”). You must read, understand and comply with this Privacy Policy when Processing Personal Data on our behalf and attend training on its requirements. This Privacy Policy sets out what we expect from you in order for the Company to comply with applicable law. Your compliance with this Privacy Policy is mandatory. Related Policies and Privacy Guidelines are available to help you interpret and act in accordance with this Privacy Policy. You must also comply with all such Related Policies and Privacy Guidelines. Any breach of this Privacy Policy may result in disciplinary action.

The Data Protection Representative is Amanda Mugnier.

3. Scope

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines of up to EUR20 million (approximately £17.5 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the UK GDPR.

All directors and managers are responsible for ensuring all Company Personnel comply with this Privacy Policy and need to implement appropriate practices, processes, controls and training to ensure such compliance.

The Data Protection Representative is responsible for overseeing this Privacy Policy.Please contact the Data Protection Representative with any questions about the operation of this Privacy Policy or the UK GDPR or if you have any concerns that there may have been a data breach. Please refer to the Data Management and Retention Policy for details on how to handle individual rights requests.

4. Personal Data Protection Principles

We adhere to the principles relating to Processing of Personal Data set out in the UK GDPR which require Personal Data to be:

(a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).

(b) Collected only for specified, explicit and legitimate purposes (Purpose Limitation).

(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).

(d) Accurate and where necessary kept up to date (Accuracy).

(e) Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).

(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).

(g) Not transferred to another country without appropriate safeguards being in place

(Transfer Limitation).

(h) Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests). We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).

Lawfulness, Fairness, Transparency

5.1 Lawfulness and Fairness

Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The UK GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing, but ensure that we Process Personal Data fairly and without adversely affecting the

Data Subject. The UK GDPR allows Processing for specific purposes, some of which are set out below:

(a) the Data Subject has given his or her Consent;

(b) the Processing is necessary for the performance of a contract with the Data

Subject;

(c) to meet our legal compliance obligations;

(d) to protect the Data Subject’s vital interests; or

(e) to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices or Fair Processing Notices;

The legal grounds being relied on for each Processing activity are set out in our

Company Privacy Notices.

5.2 Consent

A Data Controller must only process Personal Data on the basis of one or more of the lawful bases set out in the UK GDPR, which include Consent.

A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, the Consent must be kept separate from those other matters.

Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.

5.3 Transparency (notifying data subjects)

The UK GDPR requires Data Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such information must be provided through appropriate Privacy Notices or Fair Processing Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

Whenever we collect Personal Data directly from Data Subjects, including for human resources or employment purposes, we must provide the Data Subject with all the information required by the UK GDPR including the identity of the Data Controller and how and why we will use, Process, disclose, protect and retain that Personal Data through a Privacy Notice which must be presented when the Data Subject first provides the Personal Data.

When Personal Data is collected indirectly (for example, from a third party or publicly available source), you must provide the Data Subject with all the information required by the UK GDPR as soon as possible after collecting/receiving the data. We should also check that the Personal Data was collected by the third party in accordance with the UK GDPR and on a basis which contemplates our proposed Processing of that

Personal Data.

6. Purpose Limitation

Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.

7. Data Minimisation

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. You may only Process Personal Data when performing your job duties requires it. You cannot

Process Personal Data for any reason unrelated to your job duties. You may only collect Personal Data that you require for your job duties; do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.

You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company’s data retention guidelines.

8. Accuracy

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

9. Storage Limitation

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

The Company will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.

You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Company’s applicable records retention schedules and policies. This includes requiring third parties to delete such data where applicable.

You will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice or Fair Processing Notice.

10. Security Integrity and Confidentiality

10.1 Protecting Personal Data

Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

We develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.

You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction.

You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

(a) Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.

(b) Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.

(c) Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.

You must comply with all applicable aspects of our IT and security and social media policies.

10.2 Reporting a Personal Data Breach

The UK GDPR requires Data Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject.

We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.

If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for Personal Data Breaches, the Data Protection Representative and the Operations Director. You should preserve all evidence relating to the potential Personal Data Breach.

11. Transfer Limitation

The UK GDPR restricts data transfers to countries outside the UK or EEA in order to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country. We have appropriate safeguards in place through the use of model terms.

12. Data Subject’s Rights and Requests

Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:

(a) withdraw Consent to Processing at any time;

(b) receive certain information about the Data Controller’s Processing activities;

(c) request access to their Personal Data that we hold;

(d) prevent our use of their Personal Data for direct marketing purposes;

(e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;

(f) restrict Processing in specific circumstances;

(g) challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;

(h) request a copy of an agreement under which Personal Data is transferred outside of the EEA;

(i) object to decisions based solely on Automated Processing, including profiling (ADM);

(j) prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;

(k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;

(l) make a complaint to the supervisory authority; and

(m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format. You must verify the identity of an individual requesting data under any of the rights listed above and do not allow third parties to persuade you into disclosing Personal Data without proper authorisation.

You must immediately forward any Data Subject request you receive to amanda@edvancerecruitment.co.uk.

13. Training and Audit

We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.

You must regularly review all the systems and processes under your control to ensure they comply with this Privacy Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

14. Direct Marketing

We are subject to certain rules and privacy laws when marketing to our customers.For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls) to an individual. The limited exception for existing customers known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message. Currently, consent is not required to market to individuals at their corporate address but this is subject to change with revised e-privacy regulations.

You must comply with the company’s policy on direct marketing and in particular what constitutes direct marketing.

The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

15. Sharing Personal Data

Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place or we have consent from the individual.

You may only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

You may only share the Personal Data we hold with third parties, such as our service providers if:

(a) They have a need to know the information for the purposes of providing the contracted services;

(b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;

(c) the third party has agreed to comply with the required data security policies and procedures and put adequate security measures in place;

(d) the transfer complies with any applicable cross border transfer restrictions; and

(e) a fully executed written contract that contains UK GDPR approved third party clauses has been obtained.

16. Changes to this Privacy Policy

We reserve the right to change this Privacy Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Privacy Policy.

This Privacy Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.

Client Privacy Notice

Edvance Recruitment (“We”) are committed to protecting and respecting your privacy.Any mention of “Our Group” means our subsidiaries, our ultimate holding company and its subsidiaries, our associated companies as defined in section 1159 of the UK Companies Act 2006 (our Group).

This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

The UK General Data Protection Regulation (UK GDPR) (Regulation (EU) 2016/679) is a regulation which replaces the Data Protection Regulation (Directive 95/46/EC). The Regulation aims to harmonise data protection legislation across EU member states, enhancing privacy rights for individuals and providing a strict framework within which commercial organisations can legally operate.

The Brexit transition period ended on 31 December 2020 and the UK has now officially left the EU. The UK GDPR has been directly incorporated into UK law sitting alongside the Data Protection Act 2018.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

For the purposes of data protection legislation in force from time to time the data controller Edvance Recruitment Limited.

[Our nominated representative OR Data Protection Officer] is Amanda Mugnier.

Who we are and what we do

We are a recruitment agency and recruitment business as defined in the Employment Agencies and Employment Businesses Regulations 2003 (our business). We collect the personal data of the following types of people to allow us to undertake our business;

• Prospective and placed candidates for permanent or temporary roles;

• Prospective and live client contacts;

• Supplier contacts to support our services;

• Employees, consultants, temporary workers;

• [Other contacts.]

We collect information about you to carry out our core business and ancillary activities.

Information you give to us or we collect about you.

This is information about you that you give us by filling in forms on our site www.edvancerecruitment.co.uk or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you register to use our site, to enter our database, subscribe to our services, attend our events, participate in discussion boards or other social media functions on our site, enter a competition, promotion or survey, and when you report a problem with our site.

The information you give us or we collect about you may include your name, address, private and corporate e-mail address and phone number, financial information, compliance documentation and references verifying your qualifications and experience and your right to work in the United Kingdom, curriculum vitae and photograph, links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, business Facebook or corporate website.

Information we collect about you when you visit our website.

With regard to each of your visits to our site we will automatically collect the following information:

technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information if applicable, browser type and version, [browser plug-in types and versions,] [operating system and platform,] information about your visit, including [the full Uniform Resource Locators (URL),] [clickstream to, through and from our site (including date and time),] [products you viewed or searched for’] [page response times,] [download errors,] [length of visits to certain pages,] [page interaction information (such as scrolling, clicks, and mouse-overs),] [methods used to browse away from the page, and any phone number used to call our customer service number.

Information we obtain from other sources.

This is information we obtain about you from other sources such as [LinkedIn, corporate websites, job board websites, online CV libraries, your business card, personal recommendations, and OTHERS]. In this case we will inform you, by sending you this privacy notice, within a maximum of 30 days of collecting the data of the fact we hold personal data about you, the source the personal data originates from and whether it came from publicly accessible sources, and for what purpose we intend to retain and process your personal data.

We are working closely with third parties including [companies within our Group, business partners, sub-contractors in technical, professional, payment and other services, advertising networks, analytics providers, search information providers, credit reference agencies, professional advisors AND OTHERS.] We may receive information about you from them for the purposes of our recruitment services and ancillary support services.

Purposes of the processing and the legal basis for the processing

We use information held about you in the following ways:

[To carry out our obligations arising from any contracts we intend to enter into or have entered into between you and us and to provide you with the information, products and services that you request from us or we think will be of interest to you because it is relevant to your career or to your organisation.

To provide you with information about other goods and services we offer that are similar to those that you have already purchased, been provided with or enquired about.

The core service we offer to our candidates and clients is the introduction of candidates to our clients for the purpose of temporary or permanent engagement. However, our service expands to supporting individuals throughout their career and to supporting businesses’ resourcing needs and strategies.]

Our legal basis for the processing of personal data is [our legitimate interests, described in more detail below, although we will also rely on contractual obligations to which you are subject, legal obligations and consent for specific uses of data].

[We will rely on contractual obligations if we are negotiating or have entered into a placement agreement with you or your organisation or any other contract to provide services to you or receive services from you or your organisation.]

[We will rely on legal obligation in some cases, where we are required by law or regulation to process your data.]

[We will in some circumstances rely on consent for particular uses of your data. Where we rely on consent, you will be asked for your express consent. An example of when we will rely on consent as the legal basis for processing your data is when we process your data for marketing purposes.

Our Legitimate Interests

Our legitimate interests in collecting and retaining your personal data is described below:

As a recruitment business and recruitment agency we introduce candidates to clients for permanent employment, temporary worker placements or independent professional contracts.

The exchange of personal data of our candidates and our client contact details is a fundamental part of this process.

In order to support our candidates’ career aspirations and our clients’ resourcing needs, we require a database of candidate and client personal data. The database will contain historical information as well as current resourcing requirements.

To maintain, expand and develop our business we need to record the personal data of prospective candidates and client contacts.

Consent

Should we want or need to rely on consent to lawfully process your data we will request your consent orally, by email or by an online process for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time.

Other Uses we will make of your data:

We will also use your data:

• To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

• To improve our site to ensure that content is presented in the most effective manner for you when you are using your computer or other devices;

• To notify you about changes to our service;

• To allow you to participate in interactive features of our service, when you choose to do so;

• As part of our efforts to keep our site safe and secure;

• To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;

• To make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.

Do you have to provide us with personal data?

You may refuse to give us your personal and sensitive personal data. Furthermore, you have the right to ask us to delete, change or stop processing your data that we have already received or collected. If you do not provide us with personal or sensitive personal data, or if you request a restriction of processing however, we may not be able to provide you with the services that you have requested and that are stated in this policy.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie notice.

Disclosure of your information inside and outside of the UK and the EEA

We will share your personal information with:

Any member of our group both in the UK, the EEA and outside of the EEA.

Selected third parties including:

• Clients for the purpose of introducing candidates to them;

• Candidates for the purpose of arranging interviews and engagements;

• Clients, business partners, suppliers and sub-contractors for the performance and compliance obligations of any contract we enter into with them or you;

• Analytics and search engine providers that assist us in the improvement and optimisation of our site;

We will disclose your personal information to third parties:

• In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.

• If Edvance Recruitment or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of business. [or terms and conditions of supply of services [www.edvancerecruitment.co.uk] and other agreements; or to protect the rights, property, or safety of Edvance Recruitment Ltd our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

The lawful basis for the third party processing will include:

• Their own legitimate interests in processing your personal data, in most cases to fulfil their internal resourcing needs;

• Satisfaction of their contractual obligations to us as our data processor;

• For the purpose of a contract in place or in contemplation;

• To fulfil their legal obligations.

Where we store and process your personal data The data that we collect from you may/will be transferred to, and stored at, a destination outside the UK or European Economic Area (”EEA”). It may be transferred to third parties outside of the UK or the EEA for the purpose of our recruitment services. It may/will also be processed by staff operating outside the UK or the EEA who work for us or for one of our suppliers. This includes staff engaged in, among other things, our recruitment services and the provision of support services. By submitting your personal data, you agree to this processing. Edvance Recruitment Limited will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice.

[All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted [using SSL technology].] Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Retention of your data

We understand our legal duty to retain accurate data and only retain personal data for as long as we need it for our legitimate interests and that you are happy for us to do so. Accordingly, we have a data retention notice [and run data routines to remove data that we no longer have a legitimate interest in maintaining.]

We do the following to try to ensure that the data we hold on you is accurate:

• [our website enables you to manage your data and to review whether the details we hold about

you are accurate];

• [ prior to making an introduction we check that we have accurate information about you];

• [we keep in touch with you so you can let us know of changes to your personal data];

• [OTHERS].

We segregate our data so that we keep different types of data for different time periods. The criteria we use to determine whether we should retain your personal data include:

• the nature of the personal data;

• its perceived accuracy;

• our legal obligations;

• whether an interview or placement has been arranged; and

• our recruitment expertise and knowledge of the industry by country, sector and job role.

We may store and handle your data in the following ways:

• We may archive part or all of your personal data, retain it on our financial systems only or delete all or part of the data from our main Customer Relationship Manager (CRM) system.

• We may pseudonymise parts of your data, particularly following a request for restriction or erasure of your data, to ensure that we do not re-enter your personal data on to our database, unless requested to do so.

For your information, Pseudonymised Data is created by taking identifying fields within a database and replacing them with artificial identifiers, or pseudonyms.

Our current retention notice is available upon request.