Data Privacy Manager (DPM) – Andy Simpson /


About GDPR


The General Data Protection Regulation comes into force on 25th May 2018 and supersede the prior UK Data Protection Act.

The new regulations give customers greater rights with regards to the data they give to businesses they deal with.

In practice, the main areas affecting our clients are the following:

You can

  • Ask for a data subject access request – we will provide you with all electronic communications and data we have on you, wherever possible, for free. We will respond within 1 month
  • You can require us to completely remove all your data from all of our systems (exceptions apply, see below)


How do we store your data?

All of our business uses a secure desktop environment for all candidate and client data processing, and everything is stored in the cloud with providers who meet the necessary standards and criteria set out under GDPR. All our communications are stored on our cloud CRM system.

We do need to make you aware that we use Microsoft Office365 for various business applications and therefore that data may be stored in North America, and not in the EU.

Any system breaches will be reported to the Information Commissioners Office within 72 hours of us becoming aware of the breach.


What data do we get from you?

The reality is that we will hold no personal data on you, with the possible exception that we may have your personal phone number or personal email address, particularly if we have also worked with you as a candidate (whereby we will possibly also have a copy of your CV).

The only information we generally have is any business communications we have had with you or your business.

Exceptions may apply if we have successfully concluded some business with your organisation, whereby we may have the organisations bank details etc for the purposes of invoicing etc, but these will never be your personal data.


How do we get your data?

  • When you apply for an advertised position
  • We already hold it from an historical application
  • Referrals from friends or colleagues of yours
  • From public social networking sites such as Linkedin or Xing


What do we do with client data?

We may, from time to time, market to you with phone calls and/ or email communications with details such as candidates we think may be of interest to you, news items, and details of upcoming events.

Our policy is that any business data is held under legitimate business interests, as such we will hold it indefinitely, unless you choose to opt out of our communications and/ or request for your profile to be deleted. If we have successfully concluded business with your organisation previously, we will not be able to delete our business records.


The best course of action?

Should you no longer wish to receive any communication from our business in the future, the best course of action is to request an opt-out from communications, whereby we will remove all your contact information and place a note on the record which will prevent any further communications.

Requesting a delete could easily result in your details being picked up again at a later date and re-added to our CRM, because the consultant would not be able to see that you had previously requested a removal.


Data retention & deletion – Privacy by design

We will automatically delete all emails that are older than 365 days.

All downloaded CVs and/ or candidate records are held on our database for 2 years minimum (unless you request deletion earlier), before then being deleted.

Any data records held on Energon People’s cloud servers will be checked and deleted on a quarterly basis.