Privacy Policy

This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the processing of Personal Data, or changes in applicable law. We ask you to read this Policy carefully, and check back regularly to view any changes or updates we might make in accordance with the terms of this Policy. We will notify you of any significant changes.


All organisations that process personal data are required to comply with data protection legislation.  This includes in particular the Data Protection Act 1998 (or its successor) and the EU General Data Protection Regulation (together the ‘Data Protection Laws’).  The Data Protection Laws give individuals (known as ‘data subjects’) certain rights over their personal data whilst imposing certain obligations on the organisations that process their data. All organisations that process Personal Data have a legal duty to ensure that this personal information is collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully.

This Privacy Policy is provided by Richmond Associates (“we”, “our” and “us”) and is for individuals outside our organisation with whom we interact. This includes, but is not limited to, Candidates, Clients, Sources and visitors to our website (“you”). Defined terms used in this Policy are explained further in Section 2 below.

As an Employment Agency, we collect, process and store certain Personal Data and Sensitive Personal Data, for example about Clients and Candidates, in order to fulfil our commercial purposes.  We are required to do so to comply with other legislation.  We are also required to keep this data for different periods depending on the nature of the data.   

This Privacy Policy sets out how we collect and process your Personal Data in our dealings with you, and implement the Data Protection Laws. It should be read in conjunction with any other privacy statements or fair processing notices we may provide on specific occasions when we are collecting or processing Personal Data about you.

You have control over the data we collect on you and are free to decline to provide Personal Data. If you choose not to provide data that we deem necessary, however, we may not be able to assist you in work-finding services (if you are a candidate), or we may not be able to fulfill our obligations to you (if you are a client).  We will be clear on what information we require and why, so that you can choose accordingly.

This website may include links to third-party websites (e.g. belonging to our Clients). Clicking on those links or enabling those connections may allow these third parties to collect or share data about you. We do not control these third-party websites, nor are we responsible for their privacy statements and activities.  We recommend that you read the individual third-party websites’ privacy statements if you are concerned.

1) Scope

This Policy does not apply to our processing of Personal Data of our employees, contractors, temporary workers or other staff in connection with the roles they undertake for us. A separate internal privacy policy is provided.

Except as otherwise specified below, Richmond Associates is the Controller and is responsible for your Personal Data.  Richmond Associates is made up of Richmond Associates UK Limited, Richmond Associates Australia PTY Ltd, and Richmond Associates Asia Pte Ltd.  We are all Controllers and responsible for your Personal Data. 

With Candidates’ permission, we share their application materials with our Clients.  In these instances, we may also be joint Controllers of Personal Data with our Clients.  Further information about how we share data with our Clients is provided below in Section 4.

2) Definitions

In this policy the following terms have the following meanings:

  • ‘Candidate’ means an active or potentially work-seeking individual, for a position with a Client.
  • ‘Client’ means a client of Richmond Associates.
  • ‘Consent’ means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • ‘Data Controller’ or ‘Controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  •  ‘Data Protection Authority’ means an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).
  • ‘Data Sharing Agreement’ means an agreement between Richmond Associates and a Client for the sharing of Personal Data under which Richmond Associates and the other party are joint Controllers.
  • ‘Data Processing Agreement’ means an agreement between Richmond Associates and a Processor.
  •  ‘Data Subject’ means the individual whose Personal Data is processed.
  • ‘Personal Data’ means any information relating to an individual who can be identified, such as by a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
  • ‘Personnel’ means any current, former or prospective employee, consultant, temporary worker, intern, other non-permanent employee, contractor, secondee or other personnel of Richmond Associates.
  • ‘Process’, ‘processing’ or ‘processed’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • ‘Processor’ means any person or entity that processes Personal Data on behalf of the Controller (other than employees of the Controller).  In this instance, our data processor is Dillistone Systems who provide our CRM system, FileFinder;
  • ‘Profile’ means a narrative developed on a Candidate, through the evaluation of certain aspects of Personal Data relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • ‘Pseudonymisation’ means the processing of Personal Data in such a manner that the information can no longer be attributed to an individual without the use of additional details, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data is not attributed to an identified or identifiable individual;
  • ‘Sensitive Personal Data*’ means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sex life or sexual orientation and an individual’s criminal convictions, or any other information that may be deemed to be sensitive under Data Protection Legislation.
  • ‘Source’ means any person that provides any view or opinion regarding the qualities of any Candidate or Participant, for any purpose, including but not limited to the suitability of a Candidate or Participant for a particular role.

* For the purposes of this policy we use the term ‘personal data’ to include ‘sensitive personal data’ except where we specifically need to refer to sensitive personal data.

3) Personal Data – what we process and how

We process Personal Data in relation to our own staff, contractors, Candidates and individual Client contacts.  We’re a Data Controller for the purposes of the Data Protection Laws.  We are registered with the ICO and our registration number is Z8038913.


We may hold Personal Data on individuals for the following purposes:

  • Staff administration.
  • Advertising, marketing and public relations, including:
  • Our Website: operating and managing our website; providing content to you; displaying advertising and other information to you; and communicating and interacting with you via our website.
  • Newsletters and other marketing communications: communicating with you via any means (including via email, telephone, text message, social media, post or in-person) news items and possible opportunities in which you may be interested.
  • Accounts and records, including:
  • Financial management: sales; finance; corporate audit; and vendor management.
  • Communications and IT operations: management of our communications and IT systems; operation of IT security; and IT security audits.
  • Health and safety: health and safety assessments and record keeping; and compliance with related legal obligations.
  • Administration and processing of Candidates’ Personal Data for the purposes of providing work-finding services, including processing using software solution providers and back office support.  This includes providing work-finding services to you including our website facilities and other services; attending meetings and/or  telephone/video calls with you; supporting you in preparing for interviews, and otherwise communicating with you in relation to those services.
  • Administration and processing of Clients’ personal data for the purposes of supplying/introducing Candidates.  This includes recruitment activity and providing these services to our Clients; advertising Client opportunities; supporting Clients to understand which Candidates are interested in their opportunities; record-keeping; and performing background checks.
  • Administration and processing of industry contacts’ (such as fundraising consultants, etc.) Personal Data for the purpose of making relevant business introductions as requested by Candidates or Clients, and on agreement of the contact.
  • Improving our services and offerings through identifying issues with existing services; planning improvements to existing services; and creating new services.

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. For an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at info@richmond-associates.com.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so or request your express permission.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


We may collect Personal Data about you, such as your name, contact details and work history, from a variety of sources.  Examples of these sources include:

  • You – when you share it with us via email, telephone, through our website, or by any other means.  When you visit our website, your device and browser will automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting to our website and other technical communications information). Some of this may be classed as Personal Data.
  • Through the course of our relationship with you (e.g. if you are interested in working with us, we may require Personal Data in the form of your CV, details on the organisation you represent, etc.).
  • Personal Data that you or your organisation have made available in the public domain.  This includes social media sites and organisational websites.
  • Third parties who provide it to us (e.g. past employers and referees).


We may also create Personal Data about you, e.g. records of any interviews you attend, notes of our briefings on roles with your organisation, etc.  This Personal Data helps us to conduct our operations and fulfil our obligations to you.

Access and storage

Your Personal Data is processed in any location where Richmond Associates staff and third-party contractors involved in the processing are located.  This is primarily in the UK, Australia and Singapore.

Your Personal Data is held on two Pulsant tier 3 datacentres (DC) and they are both in the UK (primary in Croydon, secondary in Maidenhead), and accessed by Richmond Associates staff and third-party contractors via a Citrix hosted platform.

Third-party contractors include our CRM database, IT support, and website providers, as well as our accountants.

Personal Data you provide about other individuals

There may be occasions where you provide us with Personal Data about other people (for example, if you act as a Source and provide comments on or recommendations of other individuals).  Whenever you provide any such Personal Data, we rely on you to ensure that the information is accurate, compliant with this Policy, that you have a lawful basis for providing it to us, and that you have complied with applicable law.  If you are unable to meet these conditions, please abstain from providing the Personal Data of others to us.

Categories of Personal Data: 

The types of Personal Data about you that we may process include:

  • Personal details: your names (given and preferred); gender; date of birth or age; nationality; marital status; job title; employer; department; salary and compensation details; and where applicable, your passport number and photo, visa number, or work authorisation number.
  • Contact details: home address; telephone numbers; personal and/or email address; and social media profile details (e.g. LinkedIn).
  • Employment records: dates and details of current and former positions held; details of current and former employers; dates of employment; job titles; job locations; subject matter experience; and details of any employment disciplinary issues or incidents declared.
  • Details of your referees: details of referees you may provide, including their contact details, how long you’ve known them and in what capacity.
  • Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express consent, including your identity, and details of your previous employment and residence.
  • Views and opinions: your views on Candidates, Clients or other third-parties, where relevant and applicable.

Legal basis for processing Personal Data: 

We may rely on the following legal bases when processing your Personal Data in connection with the purposes we’ve set out in this Policy:

  • we have obtained your prior express consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way);
  • processing is necessary in connection with any contract that you may enter into with us;
  • processing is required by applicable law;
  • processing is necessary to protect the vital interests of any individual; or
  • we have a legitimate interest in carrying out the processing, which is not overridden by your interests, fundamental rights, or freedoms. Where we rely on this legal basis, our legitimate interests are in the:
    • management and operation of our business;
    • promotion of our business; and
    • provision of services to our Clients.

The legal basis for our core data processing (in relation to the Personal Data of Candidates) is that of furthering our and/or our Clients’ legitimate interests.

We will only process Personal Data where we have a legal basis for doing so (see table below). We will review the Personal Data we hold on a regular basis to ensure it’s being lawfully processed, is accurate, relevant and up to date, and those team members listed in Section 13 will be responsible for doing this.

Before transferring Personal Data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as umbrella companies, persons making an enquiry or complaint and any other third party (such as software solutions providers and back office support)), we will establish that we have a legal reason for making the transfer.

Sensitive Personal Data: 

We do not collect or otherwise process your Sensitive Personal Data on our own behalf, except when:

  • the collection and processing is required for the particular role or permitted by applicable law;
  • Clients request that candidates complete Equal Opportunities Monitoring Forms.   This legal basis is only used when the supply of such Sensitive Personal Data is entirely voluntary.

In both instances, we will inform you of the request or requirement, and obtain your consent prior to collecting and processing your Sensitive Personal Data.

If it is not required, please refrain from sharing your Sensitive Personal Data.

What lawful basis are we relying on to process your Personal Data?

The table below describes all of the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. Where appropriate, we have also identified what our legitimate interests are.

Please note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data. If  you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the table below, please see Section 13 and get in touch.

Register you as a new Candidate or Client

  • Identity
  • Contact details

Lawful basis for processing including basis of legitimate interest:

  • Performance of a contract with you

Process and deliver services including:

(a) Manage payments, fees and charges

(b) Collect and recover money owed to us

  • Identity
  • Contact details
  • Financial
  • Marketing and Communications

Lawful basis for processing including basis of legitimate interest:

  • Performance of a contract with you
  • Necessary for our legitimate interests (to recover debts due to us)

Manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to leave a review or take a survey

  • Identity
  • Contact details
  • Profile
  • Marketing and Communications

Lawful basis for processing including basis of legitimate interest:

  • Performance of a contract with you
  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to keep our records updated and to study how clients/candidates use our services)

Enable you to complete a survey

  • Identity
  • Contact details
  • Profile
  • Usage
  • Marketing and Communications

Lawful basis for processing including basis of legitimate interest:

  • Performance of a contract with you
  • Necessary for our legitimate interests (to study how clients/candidates use our services, to develop them and grow our business)

Administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

  • Identity
  • Contact details
  • Technical

Lawful basis for processing including basis of legitimate interest:

  • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation

Deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

  • Identity
  • Contact details
  • Profile
  • Usage
  • Marketing and Communications
  • Technical

Lawful basis for processing including basis of legitimate interest:

  • Necessary for our legitimate interests (to study how clients/candidates use our services, to develop them, to grow our business and to inform our marketing strategy)

Use data analytics to improve our website, services, marketing, customer relationships and experiences

  • Technical
  • Usage

Lawful basis for processing including basis of legitimate interest:

  • Necessary for our legitimate interests (to define types of clients/candidates for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Make suggestions and recommendations to you about services that may be of interest to you

  • Identity
  • Contact details
  • Technical
  • Usage
  • Profile
  • Marketing and Communications

Lawful basis for processing including basis of legitimate interest:

  • Necessary for our legitimate interests (to develop our services and grow our business)

Where we indicate above that we are relying on legitimate interests as a basis for processing your Personal Data, you can ask us to stop sending you messages at any time by emailing info@richmond-associates.com.

4) Disclosing your Personal Data to third parties

We share Personal Data (in the form of your covering letter, CV and any additional information you provide when submitting a job application) about Candidates with our Clients for the purposes of providing services to those Clients and Candidates.  We are joint Controllers with our Clients and such transfers are made in accordance with the provisions of this Policy.

Pseudonymisation is sometimes required when sharing Personal Data on Candidates with Clients.  This typically happens where Candidates are requested to complete anonymous equal opportunities or diversity monitoring forms or if the Client’s recruitment policies include blind shortlisting practices.

We will only disclose your Personal Data to other bodies we partner with, with your prior and express consent.  We will explain the purpose, who is involved and what information is required on a case by case basis, and await your consent.

We may also share aggregate demographic information with our Clients or trusted partners for the purposes outlined in this Policy. While we make all reasonable efforts to ensure that such information is anonymised, it is possible that small amounts of your Personal Data may be included.

In addition, we may disclose your Personal Data to:

  • legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
  • accountants, auditors, lawyers and other outside professional advisors, subject to binding contractual obligations of confidentiality;
  • third party processors (such as IT support providers), located anywhere in the world, subject to the requirements noted in this Section 3;
  • any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights;
  • any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • any relevant third party acquirer(s), in the event that we sell or transfer all or any portion of our business or assets (including in the event of a reorganisation, dissolution or liquidation); and
  • our website may use third party plugins or content (e.g. Google Maps, Google Fonts). If you choose to interact with any such plugins or content, your Personal Data may be shared with the relevant third party.  We do not control these third-party websites, nor are we responsible for their activities and privacy statements.

Any  third-party processor engaged to process your Personal Data will be subject to binding contractual obligations under a Data Processing Agreement, amongst other obligations, to: (i) only process the Personal Data in accordance with our prior written instructions; and (ii) use appropriate measures to protect the confidentiality and security of the Personal Data.

5) Transferring your Personal Data internationally

Due to the international nature of our business, offices and Candidates’ international career aspirations, we need to share your Personal Data with other members of Richmond Associates as well as third parties as noted in Section 4 above, in connection with the purposes set out in this Policy. For this reason, we may transfer your personal data to other countries that may have different laws and data protection compliance requirements to those that apply in the country in which you are located.

We implement appropriate technological and organisational measures to prevent the unlawful disclosure of Personal Data and transfer data as permitted in accordance with the Data Processing Legislation via intra-company transfer.

6) Data Accuracy and Rectification

It is important that the Personal Data that we hold about you and process is kept accurate and up to date.  Please keep us informed if your Personal Data changes during your relationship with us. From time to time we may therefore ask you to confirm the accuracy of your Personal Data.

We take every reasonable step to ensure that any inaccuracies in your Personal Data that we process (having regard to the purposes for which they are processed) are erased or rectified without delay.

7) Data Minimisation

We take every reasonable step to ensure that your Personal Data that we process is limited to the Personal Data reasonably required in connection with the purposes set out in this Policy.

8) Data Retention

As an executive search firm, we rely heavily on the personal relationships we build with Candidates, Clients and third parties.  We will therefore hold personal data relating to Candidates and Clients for a certain period of time in order to remember you and the nature of your previous interactions with our firm.

We will hold your personal data for eight (8) years following your last contact with us. We have determined that this is a reasonable period, given the average job tenure and movement for individuals.  Please note that if we have assisted you by providing work-finding services in the last twelve (12) months, we are obligated to retain your records for at least a year from when we last assisted you, by the Conduct Regulations of the Recruitment & Employment Confederation (our industry body).

9) Erasure of your Personal Data

If you ask us to remove your Personal Data, we will contact you first to confirm this request.  If we delete your record, we will not be able to keep a note of the request and, without realising, may be in touch again in the future if we find your details somewhere in the public domain (e.g. on LinkedIn).  We will offer a promise to remove your contact details from the relevant fields of our database and alert our team to respect your request to be left alone.  If you still wish to have your Personal Data removed, we will take the following steps:

  • remove you in the next monthly database clean up operation; or
  • if we have assisted you with work-finding services in the last twelve (12) months, we will remove your contact details so that we don’t accidentally get in touch, and remove your Personal Data twelve (12) months after our last contact.

In some circumstances we use pseudonymisation of your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

10) Data Security

You are responsible for ensuring that any Personal Data that you send to us is done so securely.

We have built in appropriate technical and organisational security measures to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of processing, in accordance with applicable law.

We also limit access to your Personal Data to our employees, contractors and other third parties as listed in Section 4. They will only process your Personal Data on our instructions and are all subject to a strict duty of confidentiality.

We have procedures in place to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

11) Your legal rights

Subject to Data Protection Legislation, you as a Data Subject may have a number of rights regarding the processing of your Personal Data, including:

  • the right to request access to, or copies of, your Personal Data that we process or control;
  • the right to request rectification of any inaccuracies in your Personal Data;
  • the right to request, on legitimate grounds:
    • erasure of your Personal Data that we process or control; or
    • restriction of processing of your Personal Data that we process or control;
  • the right to object, on legitimate grounds, to the processing of your Personal Data;
  • the right to have your Personal Data transferred to another Controller, to the extent applicable;
  • where we process your Personal Data on the basis of your consent, the right to withdraw that consent; and
  • the right to lodge complaints regarding the processing of your Personal Data with a Data Protection Authority.

To exercise or ask a question about any of these rights, please contact us on info@richmond-associates.com.

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

As a security measure, we may need to request specific information from you to help us confirm your identity and ensure your right to access the Personal Data requested.  We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within 30 days. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12) Cookies

Cookies are text files containing small amounts of information that are downloaded to your device whenever you visit any website (including ours) that makes use of them. This information is then sent back to the originating website on each subsequent visit, or to another website that recognises those cookies. They are used for multiple purposes, such as letting you navigate between pages efficiently, remembering your preferences, and generally improving your web site experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.  We may process your Personal Data through cookie technology, in accordance with our cookie policy which is available here https://richmond-associates.com/cookies-policy.

13) Contact details

The Managing Director of Richmond Associates UK Limited is our designated Data Compliance Officer.

Richmond Associates staff members responsible for:

  • adding, amending personal data
    • All Richmond Associates staff members
  • deleting personal data
    • Business Support Assistant
  • responding to subject access requests/requests for rectification, erasure, restriction, data portability, objection and automated decision making processes and profiling
    • Business Support Assistant
  • reporting data breaches/dealing with complaints
    • Managing Director, Richmond Associates UK Limited

If you have any questions about the information contained in this Policy, or any other issues relating to the processing of Personal Data by Richmond Associates, please contact info@richmond-associates.com. This mailbox is monitored regularly by the team and your request will be acknowledged within 24 working hours.