Carnelian Search is committed to treating your data with care and respect and to being fully compliant with GDPR. Carnelian Search is a data controller rather than just a processor. This policy applies to the data of clients, candidates, employees and other individuals or organisations Carnelian Search works with.
Lawful Basis for Processing
Carnelian Search processes data lawfully on the basis of legitimate interest (one of the six lawful bases GDPR provides). It can process data on this basis because it passes the three-part test required. We have completed a legitimate interest assessment (LIA) and provide it here for your perusal.
Firstly, the purpose of Carnelian Search’s processing of personal data meets the criteria for legitimate interest. Carnelian Search gathers and processes data on individuals and companies for the purpose of executive search. This furthers their own commercial interests and also the interests of the clients who want their roles filled by the right candidates and candidates who want the right next role for them.
Secondly, the processing of personal data is necessary for this purpose to be fulfilled. In order to assess the needs of clients and the appropriateness of candidates it is essential that personal data be collected and processed. The same results could not reasonably be achieved in another less intrusive way.
Thirdly, when we balance our interests against those of the individual, we believe our legitimate interest is justifiable. Clients, candidates and staff would reasonably expect the processing of their data, and it would not cause unjustified harm; indeed, it should not cause any harm for us to do so.
As we choose to rely on legitimate interests as our lawful basis for processing data, we take on extra responsibility for considering and protecting people’s rights and interests when it comes to their data.
It is possible that we might process some special category data. If we do this then either we will only process data which is manifestly made public by the data subject (Article 9 (2) (e)) or gain explicit consent (Article 9 (2) (a)).
On occasions we might use automated decision-making, including profiling. This would be rare and only used in the very early stages of a search as we are committed to a very high level of human involvement in our decision making. This type of decision making will only be used when it is necessary for the performance of a contract. If you wanted to request human intervention or challenge a decision then please do so by contacting the data protection officer using the details at the end of this document.
You have the right to update your personal data. Please just contact the data protection officer using the details at the end of this document and we will do so.
You have the right to request that we do not use your personal data for the purposes of direct marketing. This is not something we routinely do but you are welcome to request to be removed from any direct marketing we might do. Please just contact the data protection officer using the details at the end of this document and we will do so.
You have the right to request the restriction or suppression of your personal data. When processing is restricted, we are permitted to store your personal data, but not use it. This is not an absolute right and only applies in certain circumstances. If you would like to withdraw your consent in this area please contact the data protection officer using the details at the end of this document, and we will discuss the situation and your rights of withdrawal.
You have the right to withdraw your consent to our retention of your data. This is not an absolute right and only applies in certain circumstances. If you would like to withdraw your consent in this area please contact the data protection officer and we will discuss the situation and your rights of withdrawal.
You have the right to lodge a complaint with a supervisory authority. We would be keen to resolve any complaints ourselves but if you did wish to do this then please contact the Information Commissioner’s Office. Carnelian Search is registered with them and our reference number is ZA431013.
Personal data would generally be sourced from the individual the data pertains to. However, sometimes data will be sourced from third parties. The categories of personal data obtained from third parties might include:
- Address (professional and personal)
- Telephone and email
- Date of birth
- Education and work history
- Formal and informal references
Such external sources of data are:
- Third party individuals, such as referees
- Online public domain sources such as company websites, public company records and press releases
- Subscription databases
Personal data will only be shared on a need-to-know basis with the following categories of recipients:
- Potential and actual candidates
- Potential and actual clients
- Individuals employed by Carnelian Search
- In the very rare event that another body justifiably asks us for access to our stored personal data for national security or law enforcement reasons.
The transfer of personal data to a client outside the EU will only be carried out with the explicit consent of the individual.
Our default position is that your data is retained securely indefinitely. This is because it is essential for our legitimate business interests to maintain contact with clients and candidates over time.
We take all reasonable care in storing your personal data. Data is stored under password protection and third party software suppliers are asked to provide us with assurance of their compliance with GDPR.
We provide individuals with privacy information at the time we collect their personal data from them.
If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information: within a reasonable period of obtaining the personal data and no later than one month; if we plan to communicate with the individual, at the latest, when the first communication takes place; or if we plan to disclose the data to someone else, at the latest, when the data is disclosed. In each of these cases there are legitimate exemptions which we would use where appropriate.
In line with GDPR we provide the privacy information in a way that is: concise; transparent; intelligible; easily accessible; and uses clear and plain language.
We regularly review and, where necessary, update our privacy information.
If we plan to use personal data for a new purpose, we would update our privacy information and communicate the changes to individuals before starting any new processing.
How to Contact Us
If you have a concern about our handling of personal data, then please contact us at the address below, so that we can discuss this with you and rectify the situation.
Data Protection Officer
51, Romney Street