GDPR Statement
GDPR Policy, Privacy Policy & Cookies
This policy explains how we process personal data within our global businesses delivering search, consulting and assessment services, including how it affects our website
NinetyThousandHours Ltd is committed to keeping your information secure and managing it in accordance with our legal responsibilities, under the General Data Protection Regulation (Regulation (EC) 2016/679 (“GDPR”) in the European Union (“EU”) which took effect on the 25th May 2018.
We keep this Privacy Policy under regular review and update it from time to time.
This policy was last updated in July 2022. Please review this policy periodically for any changes.
Who this policy applies to:
This policy applies to you whether you are a candidate for one of our clients, an individual we are assessing as an employee of one of our clients, a client or whether you are a source or a referee in respect of a candidate or an employee of one of our clients.
For the purposes of this policy:
candidate(s) means an individual who is a candidate, applicant, potential candidate, employee of a client;
client(s) means any, business, firm, organisation, government body or individual that mandates us to perform any of our services;
referee is a person who provides a personal or work reference in respect of a candidate and;
source is a person who provides us with information or intelligence about a candidate.
Gathering information
The GDPR regulation outlines six key points for organisations that process individuals’ personal information. Data must be:
A) Processed lawfully, fairly and in a transparent manner in relation to individuals;
B) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
C) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
D) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
E) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
F) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
G) The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
We collect information from candidates directly when you upload your CV or resume into our candidate portal or when you send this to us via email or social media platform. We also collect information from you when you speak with a consultant working for NinetyThousandHours Ltd.
A) Processing of data
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
- We are satisfied that our third party suppliers are compliant with GDPR
- We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
- We have documented our decision on which lawful basis applies to help us demonstrate compliance.
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
B) Data collection
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it. (i.e to send you relevant roles)
- We name our organisation and any third party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
C) Adequate and relevant data
- We have checked that legitimate interests is the most appropriate basis.
- We understand our responsibility to protect the individual’s interests.
- We have identified the relevant legitimate interests.
- We only use individuals’ data in ways they would reasonably expect without exceptions
- We are not using people’s data in ways they would find intrusive or which could cause them harm.
- We keep our LIA under review, and repeat it if circumstances change.
- We include information about our legitimate interests in our privacy information
D) Accurate data
- We take reasonable steps to ensure the accuracy of any personal data the company obtains.
- We ensure that the source of any personal data is clear.
- We carefully consider any challenges to the accuracy of information; and We consider whether it is necessary to update the information.
E) Retention
- We review the length of time we keep personal data;
- We consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- We securely delete information that is no longer needed for this purpose or these purposes; and
- We update, archive or securely delete information if it goes out of date.
F) Security
- We ensure that only authorised people can access, alter, disclose or destroy personal data;
- those people only act within the scope of their authority; and
- if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned
- We do not share data with 3rd parties unless we have individual and specific consent to do so (i.e our clients, only with consent by the candidate)
- We use TrackerRMS to process our data.
- Through TrackerRMS all customer data is backed up at regular intervals and stored in two alternative locations within the EU at all times, as per AWS recommended guidelines. Finally, security and performance tests are carried out at regular intervals to ensure the smooth running of the service.
G) Principal Controller
- We have appointed a head of data to take responsibility for matters relating to compliance with GDPR
How we use your personal data
Candidate
We use the personal data we collect from you for a number of purposes:
- Processing job applications, in partnership with our clients, on whose behalf we are instructed to help fill a job vacancy. This means that if you apply for a specific job, we may pass your details to the relevant client to proceed with the application.
- From time to time, we conduct mapping or research exercises on behalf of our clients. This is to enable them to understand a particular market. Here, we may include certain aspects of your personal data. You will not be contacted by any third party about this unless we first obtain your consent.
- Improving the service we offer. For example, you may be asked to complete one of our online satisfaction surveys.
- For marketing purposes to send you information on our services, white papers, newsletters, events and so forth. Please note you may opt out from receipt of marketing materials at any time by writing to us.
We will only use your information in accordance with this Policy, or where we are required or authorised by law to disclose your information to others or, have your permission to do so.
Please be aware that we are not responsible for the data processing activities of others, such as our clients.
Client
We will use client data to perform our services to you and other legitimate business purposes such as marketing.
Source and Referee
We will use source and referee data to perform our services, in particular to enable us to obtain your opinions on a candidate.
We may also use this information to enable us to market our services to you as a potential client. We may as well invite you to become a candidate in respect of the provision of our services.
The type of personal data we collect and process
In all cases we collect and process personal data about you, including your name, address, telephone number and email address.
Candidate
If you proceed with a job application, or should we consult you about a role, you may be required to submit additional personal data. For example, date of birth, education and career history and curriculum vitae (CV), or resume. Your CV or resume may contain employment history, education, professional qualifications, memberships, details of papers written, references and referees, amongst other things.
Based on your explicit consent, we will also process any relevant psychometric assessments, psychological tests, or results from such assessments or tests.
From time to time, we may ask you to provide information relating to protected characteristics, such as your race or marital status. We do this for equal opportunity monitoring purposes and from time to time online, but only if that’s admissible under local law. This information is always anonymised and aggregated and will not be revealed to third parties without your specific consent.
We might also collect personal data from third-party databases and other public sources.
Client
As well as basic contact information we will also collect information about your role and other information provided to us by your organisation.
Sensitive data
From time to time, we will seek your consent to process personal data in respect of certain specific and limited purposes. We will always do this before processing any sensitive personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, genetic and / or biometric data. We encourage you not to provide us with sensitive personal data, unless it is specifically requested, and we have your consent.
Your right to object and to have your data erased
You are not obliged to provide any personal data to us. However, please note that this may mean we will not be able to consider you in respect of any of our services.
Remember, you may withdraw any consent you have previously given, at any time. Also, you have the right to ask us to stop processing any personal data and to have it erased.
In these circumstances, we reserve the right to maintain basic personal data such as your name and address. This is to ensure your personal data isn’t processed by us in the future.
Please note that no automated decisions, such as computerised candidate profiling, are made on the basis of the information we collect.
Newsletters and other communications
If you would like to receive one of our newsletters, we will ask you to provide us with your name, email address, job title, company name and country of residence.
When you have indicated you would like to receive newsletter(s) from us, we may send email alerts and bulletins about our services and any roles that might interest you.
You can unsubscribe from our electronic marketing messages by following the “unsubscribe” instructions included in our communications. Also, you may change your preferences and cease receiving direct marketing from us through your email account settings.
From time to time, we may contact you with updates on our services, terms of business or simply to ensure that the data we hold is current, relevant and up to date.
Satisfaction surveys
If you take part in a user satisfaction survey, we may ask you to provide us with personal data, including your name, email address, and your views and opinions.
Keeping information secure
We invest significant resources to protect your personal data, from loss, misuse, unauthorised access, modification or disclosure. However, no system can be 100% secure, and so we cannot be held responsible for unauthorised or unintended access that is beyond our reasonable control.
Keeping your records
We keep your personal data for as long as required to provide our services, and in accordance with legal, tax and accounting requirements. Where your personal data is no longer required, we will ensure it is disposed of in a secure manner. Where required by law, we will notify you when this has happened.
About this website
This Privacy Policy applies to our websites too, where we process personal data within and through this website
The primary purpose of this websites is to provide you with information regarding the services provided by NinetyThousandHours Ltd
We use the personal data we collect from you on our website for additional purposes such as personalising the look and feel of the website to fit the personal preferences inferred from how you’ve used the site. (See the “Cookies” sections for more information.)
We may disclose or share personal data with third parties as outlined above to operate the website and provide our executive search services, as well as assessment services in certain countries. If you are concerned about these arrangements, you should not use the website and contact us to ask us not to process your personal data.
Finally, we might also use your data, to help our clients understand who is making use of our website and how their job vacancies are being viewed.
Updating your account and preferences
If you register an account with us, or with a local partner who provides a job application portal on our behalf, please do keep your details up to date, and notify us of any changes to your personal data.
Liability
We accept no liability for any loss (whether direct or indirect, for loss of business, revenue or profits, wasted expenditure, corruption or destruction of data or for any other indirect or consequential loss whatsoever) arising from your use of the site and we hereby exclude any such liability, whether in contract, tort (including for negligence) or otherwise. We hereby exclude all representations, warranties and conditions relating to this website and your use of it to the maximum extent permitted by law.
You agree to indemnify us and keep us indemnified against all costs, expenses, claims, losses, liabilities or proceedings arising from use or misuse by you of this site.
You must notify us immediately if anyone makes or threatens to make any claim against you relating to your use of this site.
PRIVACY POLICY
Note: ‘Us’ refers to Ninety Thousand Hours ‘You’, ‘User(s)’, ‘Visitor’ refers to any person who uses this website.
This Web site is owned and controlled by Ninety Thousand Hours Ltd
Ninety Thousand Hours Ltd is committed to implementing measures designed to protect the privacy of those using our services. Ninety Thousand Hours Ltd respects the privacy of all those who visit our Site and use our online services and we collect information from and about our users to be used to improve the service we offer. Except as set forth within this Privacy Policy, our Terms & Conditions, and other published guidelines, we do not release personally identifiable information (as described below) about users of this Site without their permission.
Effect of This and Related Documents: This Privacy Policy, together with our Terms & Conditions and other published guidelines, governs your interaction with this Site, and your registration for and use of Ninety Thousand Hours Ltd’s online services.
NinetyThousandHours prides ourselves on doing our utmost to protect your personal data. We have updated our Privacy Policy With effect from 25 May 2018, the General Data Protection Regulations (“GDPR”) will come into force, which will change the law.
NinetyThousandHours Ltd
4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB, UK
Data Protection Office appointed Gemma Butler, Company Director
Type of information we hold
We will retain information including your Name, Email Address and home address as well as NI number and anything else relating to your appointment. Any other information that you freely give and which may constitute sensitive information is not retained by us.
Why do we collect your data?
Any data we collect is for specified, explicit and legitimate purposes of assisting the candidate in finding permanent or contract employment. NinetyThousandHours processes your data when it is in our legitimate interests to do this and when these interests are not overridden by your data protection rights.The main reason for using your personal details is to help you find employment or other work roles that might be suitable for you. The more information we have about you, your skillset and your ambitions, the more bespoke we can make our service.
Where do we store your data?
We use TrackerRMS cloud based secure GDPR compliant Recruitment software. For more information please get in touch.
Who will we share your data with?
It is our policy to share your CV and personal information with our clients, only with your consent to do so. Unless explicitly requested by you in writing we will not transfer in part or whole any of your personal information to any other party. Once we forward your personal data (CV) as part of the job application process to our clients you should be aware that our clients may then store your data (CV) for a period of time in-line with their GDPR policy.
Where do we find candidate data?
There are a number of methods we obtain your data:
– Job boards – CV databases
– Job board – advertising
– Directly from you – to an individual consultant or via our company website
– Referred to us by a mutual source
How long do we store your data for?
We review the length of time we keep personal data.
We consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it.
We contact you every 24 months to confirm your ongoing consent to hold your data.
What are your rights?
You have the right to contact us at any time to request us to remove personal information about you, to withdraw your consent and to restrict processing. We will action any request within a reasonable timeframe and confirm deletion by email.
How can you access your data or withdraw consent?
You may contact the company data office above by email with a request to access your data or withdraw your consent.
How do we keep your data secure?
We take the security of your data very seriously. All our consultants are trained in GDPR and we have adopted processes which a specifically designed to protect the security of our candidates data.
This privacy policy may be changed by NinetyThousandHours at any time.
COOKIE POLICY
WHAT ARE COOKIES?
Cookies are small files which are stored on your computer. They are designed to hold a modest amount of data specific to your website visit on our site.
Cookies help to improve your visit to our website by helping with the following:
- Remembering settings, so you don’t have to keep re-entering them whenever you visit a new page
- Remembering information you’ve given (e.g. your postcode) so you don’t need to keep entering it
- Measuring how you use the website so we can make sure it meets your needs
Please note that cookies can’t harm your computer and we do not store personally identifiable information in cookies we use on this website.
We’re giving you this information as part of our initiative to comply with UK legislation, and to make sure we’re honest and clear about your privacy when using our website.
THE COOKIES WE USE
General website cookies
This website is built using PHP web technologies, as part of that we use the built in session cookie (PHPSESSID) to manage your session. When you navigate to the site, the server establishes a unique session that last for the duration of your visit.
Measuring website usage – Google Analytics
Google Analytics uses cookies to define user sessions, as well as to provide a number of key features in the Google Analytics reports. Google Analytics sets or updates cookies only to collect data required for the reports. Additionally, Google Analytics uses only first-party cookies. This means that all cookies set by Google Analytics for your domain send data only to the servers for your domain. This effectively makes Google Analytics cookies the personal property of this website domain, and the data cannot be altered or retrieved by any service on another domain.
The following table lists the type of information that is obtained via Google Analytics cookies and used in Analytics reports.
Functionality | Description of Cookie | Cookie Used |
Setting the scope of your site content | Because any cookie read/write access is restricted by a combination of the cookie name and its domain, default visitor tracking via Google Analytics is confined to the domain of the page on which the tracking code is installed. For the most common scenario where the tracking code is installed on a single domain (and no other sub-domains), the generic setup is correct. In other situations where you wish to track content across domains or sub-domains, or restrict tracking to a smaller section of a single domain, you use additional methods in the ga.js tracking code to define content scope. See Domains & Directories in the Collection API document for details. | All Cookies |
Determining visitor session | The Google Analytics tracking for ga.js uses two cookies to establish a session. If either of these two cookies are absent, further activity by the user initiates the start of a new session. See the Session article in the Help Center for a detailed definition and a list of scenarios that end a session. You can customize the length of the default session time using the _setSessionCookieTimeout() method. This description is specific to the ga.js tracking code for web pages. If you use Analytics tracking for other environments – such as Flash or mobile – you should check the documentation for those environments to learn how sessions are calculated or established. | __utmb |
Identifying unique visitors | Each unique browser that visits a page on your site is provided with a unique ID via the __utma cookie. In this way, subsequent visits to your website via the same browser are recorded as belonging to the same (unique) visitor. Thus, if a person interacted with your website using both Firefox and Internet Explorer, the Analytics reports would track this activity under two unique visitors. Similarly if the same browser were used by two different visitors, but with a separate computer account for each, the activity would be recorded under two unique visitor IDs. On the other hand, if the browser happens to be used by two different people sharing the same computer account, one unique visitor ID is recorded, even though two unique individuals accessed the site. | __utma |
Tracking traffic sources & navigation | When visitors reach your site via a search engine result, a direct link, or an ad that links to your page, Google Analytics stores the type of referral information in a cookie. The parameters in the cookie value string are parsed and sent in the GIF Request (in the utmcc variable). The expiration date for the cookie is set as 6 months into the future. This cookie gets updated with each subsequent page view to your site; thus it is used to determine visitor navigation within your site. | __utmz |
Custom variables | You can define your own segments for reporting on your particular data. When you use the _setCustomVar() method in your tracking code to define custom variables, Google Analytics uses this cookie to track and report on that information. In a typical use case, you might use this method to segment your website visitors by a custom demographic that they select on your website (income, age range, product preferences). | __utmv |
Website optimizer | You can use Google Analytics with Google Website Optimizer (GWO), which is a tool that helps determine the most effective design for your site. When a website optimizer script executes on your page, a _utmx cookie is written to the browser and its value is sent to Google Analytics. See the Website Optimizer Help Center for more information. | __utmx |
Once the cookies are set/updated on the web browser, the data they contain that is required for reporting purposes is sent to the Analytics servers in the GIF Request URL via the utmcc parameter.
COOKIES SET BY GOOGLE ANALYTICS
Google Analytics sets the following cookies as described in the table below. A default configuration and use of Google Analytics sets only the first 4 cookies in the table.
Name | Description of Cookie | Expiration |
__utma | This cookie is typically written to the browser upon the first visit to your site from that web browser. If the cookie has been deleted by the browser operator, and the browser subsequently visits your site, a new __utma cookie is written with a different unique ID. This cookie is used to determine unique visitors to your site and it is updated with each page view. Additionally, this cookie is provided with a unique ID that Google Analytics uses to ensure both the validity and accessibility of the cookie as an extra security measure. | 2 years from set/update. |
__utmb | This cookie is used to establish and continue a user session with your site. When a user views a page on your site, the Google Analytics code attempts to update this cookie. If it does not find the cookie, a new one is written and a new session is established. Each time a user visits a different page on your site, this cookie is updated to expire in 30 minutes, thus continuing a single session for as long as user activity continues within 30-minute intervals. This cookie expires when a user pauses on a page on your site for longer than 30 minutes. You can modify the default length of a user session with the _setSessionCookieTimeout() method. | 30 minutes from set/update. |
__utmc | This cookie is no longer used by the ga.js tracking code to determine session status. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether or not to establish a new session for the user. For backwards compatibility purposes with sites still using the urchin.js tracking code, this cookie will continue to be written and will expire when the user exits the browser. However, if you are debugging your site tracking and you use the ga.js tracking code, you should not interpret the existence of this cookie in relation to a new or expired session. | Not set. |
__utmz | This cookie stores the type of referral used by the visitor to reach your site, whether via a direct method, a referring link, a website search, or a campaign such as an ad or an email link. It is used to calculate search engine traffic, ad campaigns and page navigation within your own site. The cookie is updated with each page view to your site. | 6 months from set/update. |
__utmv | This cookie is not normally present in a default configuration of the tracking code. The __utmv cookie passes the information provided via the _setVar() method, which you use to create a custom user segment. This string is then passed to the Analytics servers in the GIF request URL via the utmcc parameter. This cookie is only written if you have added the _setVar() method for the tracking code on your website page. | 2 years from set/update. |
__utmx | This cookie is used by Website Optimizer and only set when the Website Optimizer tracking code is installed and correctly configured for your pages. When the optimizer script executes, this cookie stores the variation this visitor is assigned to for each experiment, so the visitor has a consistent experience on your site. See the Website Optimizer Help Center for more information. | 2 years from set/update. |
For further information about the Cookies Google uses please visit this Cookie Information page.
MEASURING WEBSITE USAGE – DC STORM
DC Storm Cookies are used by this website to identify how users interact the website, so that they can see things like the most popular pages and the journey that users take though their site.
First Party cookies – These cookies are set by this website that you are visiting.
IMPRESSIONS
Cookies are also created to identify when a user has viewed an advert for this website on an external site.
The cookie contains a unique identifier and nothing else. If you subsequently visit this website, then we link that cookie (and hence the advert) to your visit, but if you never visit the website, the cookie is meaningless and will expire automatically, 90 days after you last saw one of the adverts.
FIRST PARTY COOKIES INFORMATION
These cookies are written to track website usage of this site:
Cookie Name | Description | Expiry |
_#srchist | Stores the history of traffic sources the user has arrived to the site by | 1000 days |
_#sess | Stores information about the session | 1000 days |
_#vdf | Stores the visit definition – ts type, number of visits, expiry | 1000 days |
_#uid | Stores a user identifier (only within a site) | 1000 days |
_#slid | Unique sale ID | 1000 days |
_#clkid | Unique identifier for a click generating a landing | 1 year |
_#lps | Flags that the last page was secure and therefore has no referrer | 20 min |
_#tsa | Stores the referrer details to avoid duplicate Landing events | 10 min |
_#env | Flags whether the environment variables (screen size, browser etc) need to be collected again | 30 days |
For further information about the Cookies DC Storm uses please visit their Cookie Information page.
OTHER 3RD PARTY COOKIES WE MAY USE
When you visit our website, you may notice some cookies that are collecting information for other websites. For example, if you visit a page that has video content, cookies from YouTube may be served. We do not control the setting of these cookies and we recommend you visit the third party websites for more information.
Please find a list of some third party cookies you may find present on this website and links to their specific cookie information:
HOW DO I CONTROL OR DELETE COOKIES?
If cookies are not enabled on your computer is could mean that your experience with our website will be impacted. However, if you want to control or delete cookies you can do so.
Information on deleting cookies or controlling cookies is available at www.aboutCookies.org. To reiterate though, by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.