Privacy Notice

Controller: TalFlow OÜ, trading as Gerold & Partners (registered in Estonia, registration number 17250215).
Last updated: January 2026

Your privacy is very important to us. This notice (“Privacy Notice”) is provided by TalFlow OÜ, trading as Gerold & Partners (“we” or “us”), and sets out our policies with respect to the collection, sharing and use of personal information in connection with our headhunting and recruitment activities. It applies globally as we deliver search and recruitment services in the EU, the UK and beyond, and is written to meet the requirements of the EU General Data Protection Regulation (Regulation 2016/679), the UK GDPR, the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).

Summary at a glance

What we hold | Why we hold it | Legal basis | How long
Candidate profile: name, contact details, CV, employment history, references, right-to-work | To identify, assess and introduce you to relevant roles | Legitimate interests; contract once we are actively representing you | For the duration of our relationship and at least 5 years thereafter, or upon request of data deletion; see section 9
Client contact details and engagement records | To deliver search mandates and manage the client relationship | Contract and legitimate interests for business contacts | Duration of relationship and at least 5 years thereafter
Referee notes | To verify candidate experience before introduction | Legitimate interests | Linked to candidate or mandate record; deleted with it
Newsletter and market-colour mailing list | To send sector updates and role alerts you have asked for | Consent / soft opt-in under PECR for existing contacts | Until you unsubscribe, plus a minimal suppression record
Website analytics and security logs | To run the site, prevent abuse and improve content | Legitimate interests | Up to 13 months

1. Who we are

Gerold & Partners is an executive search and recruitment firm. The data controller is TalFlow OÜ, an Estonian private limited company (registration number 17250215) trading as Gerold & Partners.

The primary purpose of our website is to provide you with information about our services. Where we run searches or recruitment mandates for clients, we act as a data controller for candidate, client-contact and referee personal data — we decide what to collect, how to assess it and when to introduce a candidate.

2. Who this notice applies to

This notice applies to you whether you are:

It also applies if you meet one of our consultants in person where data is collected, attend one of our events, or have subscribed to receive our materials.

3. How we collect information about you

We collect personal information about you in the following ways:

4. Why we collect information about you

We may collect and use your personal information to administer the relationship between us, to deliver our headhunting and recruitment services, to evaluate candidate qualifications, to contact potential candidates for further information, to contact named referees, to communicate with clients about potential candidates, to market our services to you or to the business with which you are associated, to monitor and analyse our activities, and to comply with applicable legal or regulatory requirements.

We may also use personal information for the purposes of testing and maintaining our databases, networks and computer systems, and for training and other internal purposes.

We will rely on one of the permitted grounds under applicable law to process your information. Such grounds include cases where you have given your consent, and cases where consent is not required — such as where we are required to comply with a legal obligation, where processing is necessary to enter into or perform a contract with you, or where we or a third party determine that it is necessary for our legitimate interests.

Our legitimate interests include any of the purposes identified above, and any other purpose where we or a third party have determined that you have a reasonable expectation for us or a third party to collect or use your personal information for such purpose. Executive search at senior levels is, by its nature, often conducted on a confidential basis with passive candidates; identifying and approaching suitable individuals in our sector is an established activity and a recognised legitimate interest of both clients and candidates. You have the right to object to the use of your personal data for direct marketing or for our legitimate interests at any time (see section 10).

5. Consequences of not providing personal information

You are not obliged to provide any personal data to us. However, please note that this may mean that we will not be able to consider you in respect of any of our services, that we will be unable to communicate with you, or that any service or other contractual arrangement between us may need to be terminated.

We may also be subject to legal or regulatory obligations that require us to collect and retain certain personal information — for example, in relation to tax and accounting, or where a hiring client’s role is subject to regulatory requirements that flow through to the recruitment process.

6. Types of personal data we may collect and use

The categories of personal data we collect will depend on the nature of our relationship with you and the purpose for which it is collected. They may include:

We do not seek special category data (such as health, racial or ethnic origin, religion, trade union membership, sexual orientation, biometric or genetic data) and we ask candidates not to send it to us. Where such information reaches us incidentally — for example through a CV — we limit access to the smallest necessary group of people, retain it only where there is a clear lawful basis, and delete it on request or as part of our standard retention review.

7. Sharing your personal information

We may, to the extent relevant to the purpose for which we collect your information, share your personal data with third parties, such as:

Unlike some search firms, we do not provide candidate personal data to clients on our website, and we do not let clients see how posted vacancies are viewed. Website-side data is collected, stored and analysed for our internal business-development purposes only.

8. International transfers

Due to the international nature of our business, your personal data may be transferred to or accessed from countries outside the European Economic Area (EEA) and the United Kingdom, including jurisdictions where we, our clients or our service providers operate. Some of these jurisdictions may not have the same level of data protection as that afforded by the EU GDPR, the UK GDPR and other data protection rules applicable to us (collectively, “Data Protection Law”).

In these circumstances we take steps to ensure that the recipient agrees to keep your information confidential and that it is held securely in accordance with Data Protection Law. Depending on the destination, this will include:

9. Retention

We will generally keep personal information about you for as long as necessary in relation to the purpose for which it was collected, or for such longer period as is required under applicable law or necessary for our other legitimate interests.

The applicable retention period will depend on factors including any legal obligation to which we or our service providers are subject, and on whether you decide to exercise your right to request the deletion of your information from our systems. As a minimum, information about you will be retained for the entire duration of any business relationship we may have with you, and for a minimum period of five years after the termination of any such relationship.

Specific defaults we apply:

We will, from time to time, review the purposes for which we have collected information about you and decide whether to retain it, update it or securely delete it where it is no longer required.

10. Your rights

You have certain rights under Data Protection Law in respect of the personal data we hold about you, which you may exercise. These rights are:

No automated decision-making. We do not make hiring, shortlisting or similar decisions by purely automated means, and we do not carry out computerised candidate profiling on the basis of the information we collect.

11. Direct marketing, newsletters and other communications

When you have indicated that you would like to receive our market-colour and roles newsletter, we may send you email updates and alerts. Under PECR (and the equivalent ePrivacy rules in the EU) we will only email an individual subscriber where they have opted in on our website, where they are an existing contact whose details we obtained in the course of a related service and who was given a clear opportunity to refuse marketing at the point of collection and in each message thereafter (a “soft opt-in”), or where the contact is a corporate addressee.

You can unsubscribe at any time by following the “unsubscribe” instructions included in each of our messages, or by contacting us as set out in section 12.

From time to time, we may also contact you with updates on our services or terms of business, or simply to ensure that the data we hold about you is current, relevant and up to date.

12. How to contact us

If you have any questions about this Privacy Notice, or requests with regard to the personal data we hold about you, you may contact us by email to contact@geroldpartners.com (marked “Data Protection”) or in writing at our registered office. We will respond within the timeframes required by Data Protection Law (generally within one month of receiving a valid request, extendable by a further two months for complex or numerous requests).

13. Complaining to a supervisory authority

You have the right to complain to a competent supervisory authority. As an Estonian-established controller, our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee). UK data subjects also have the right to complain to the Information Commissioner’s Office (ico.org.uk). Further information is available from the relevant authority’s website.

14. Security of personal information

We maintain reasonable technical and organisational measures to protect personal information from loss, misuse and unauthorised access, disclosure, alteration and destruction. Personal data we hold is stored on servers located in the European Union and is encrypted at rest. To the extent that we disclose personal information to third-party sub-processors, we require that they also maintain reasonable security and confidentiality measures and use the information in accordance with our instructions. Where we disclose personal information to clients and other third parties, we will request that they properly protect the security and confidentiality of such information, and otherwise process it in accordance with applicable law.

Our employees, agents and contractors who have access to personally identifiable information are required to protect it in a manner consistent with this Privacy Notice. However, no data transmission over the internet can be guaranteed to be completely secure; accordingly, we cannot ensure or warrant the security of any information that you transmit to us, and you do so at your own risk.

If a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and we will notify affected individuals where the breach is likely to result in a high risk to them.

15. Information about other individuals

If you provide us with information about other individuals (for example, when you nominate a referee or pass on the details of a candidate), we would ask you to keep a record of their agreement and to provide them with a copy of, or link to, this Privacy Notice.

16. Cookies

To make this site work properly, we sometimes place small data files called cookies on your device. Most websites do this. A cookie is a small text file that a website saves on your computer or mobile device when you visit. It enables the website to remember your actions and preferences (such as login, language and display preferences) so you don’t have to keep re-entering them.

We use cookies only for basic functions, such as making the site work, preventing abuse, and limited analytics to understand how the site is used. Your internet browser can delete cookies that are already on your computer, and you can set most browsers to prevent them from being placed — however, if you do this, some services and functionality may not work.

17. Changes to this Privacy Notice

We reserve the right to change or amend our privacy practices as described here and to issue amended versions of this Privacy Notice from time to time, as permitted by applicable law. The “last updated” date at the top of the page will change accordingly. Nothing in this Privacy Notice is intended to create an agreement or contract between Gerold & Partners and any person or entity using this website or providing any personal information.