Your career agency


GDPR Statement


General Data Protection Regulation

On 25 May, 2018, the General Data Protection Regulation (GDPR) will take effect in the European Union (EU). GDPR will impose strict controls on how all organisations collect and process personal data within the EU and/or personal data of EU citizens.

NinetyThousandHours will be fully compliant with the GDPR when it becomes enforceable on 25 May 2018.

For the purpose of GDPR, the data controller is;

NinetyThousandHours Ltd 

22 Upper Ground

London SE1 9PD

Our nominated representative for the purpose of the regulations is Gemma Butler. 

The regulation outlines six key points for organisations that process individuals’ personal information. Data must be:

A) Processed lawfully, fairly and in a transparent manner in relation to individuals;

B) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

C) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

D) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

E) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

F) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

G) The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

NinetyThousandHours Compliance Tools

A)   Processing of data

  • We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
  • We are satisfied that our third party suppliers are compliant with GDPR
  • We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
  • We have documented our decision on which lawful basis applies to help us demonstrate compliance.
  • We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.

 B)   Data collection

  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it. (i.e to send you relevant roles)
  • We name our organisation and any third party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.

 C)   Adequate and relevant data

  • We have checked that legitimate interests is the most appropriate basis.
  • We understand our responsibility to protect the individual’s interests.
  • We have identified the relevant legitimate interests.
  • We only use individuals’ data in ways they would reasonably expect without exceptions
  • We are not using people’s data in ways they would find intrusive or which could cause them harm.
  • We keep our LIA under review, and repeat it if circumstances change.
  • We include information about our legitimate interests in our privacy information

D)   Accurate data

  • We take reasonable steps to ensure the accuracy of any personal data the company obtains.
  • We ensure that the source of any personal data is clear.
  • We carefully consider any challenges to the accuracy of information; and We consider whether it is necessary to update the information.

E)   Retention

  • We review the length of time we keep personal data;
  • We consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
  • We securely delete information that is no longer needed for this purpose or these purposes; and
  • We update, archive or securely delete information if it goes out of date.

F) Security

  • We ensure that only authorised people can access, alter, disclose or destroy personal data;
  • those people only act within the scope of their authority; and
  • if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned
  • We do not share data with 3rd parties unless we have individual and specific consent to do so (i.e our clients, only with consent by the candidate)
  • We use Recruit so simple to process our data. RSS Infrastructure is hosted by Amazon Web Services (AWS), which provides industry-leading security and has a long list of internationally recognised certifications and accreditations including: ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and many others.
  • Through RSS all customer data is backed up at regular intervals and stored in two alternative locations within the EU at all times, as per AWS recommended guidelines. Finally, security and performance tests are carried out at regular intervals to ensure the smooth running of the service.

G) Principal Controller

  • We have appointed a head of data to take responsibility for matters relating to compliance with GDPR

Questions, comments and requests regarding this privacy are welcomed and should be sent to: 

Gemma Butler, Company Director 

NinetyThousandHours Ltd 

22 Upper Ground