Annapurna General Data Protection Regulation

Client GDPR Policies

Annapurna Recruitment (Annapurna HR Limited) Privacy statement for Clients

Data Privacy Manager (DPM) –

About GDPR

The General Data Protection Regulation came into force on 25th May 2018 and supersedes the prior UK Data Protection Act.

The new regulations give customers greater rights with regard to the data they give to the businesses they deal with.

In practice, the main areas affecting our clients are the following:

You can

  1. Make a data subject access request – we will provide you with all electronic communications and data we have on you, wherever possible, for free. We will respond within 1 month.
  2. Require us to completely remove all your data from all of our systems (exceptions apply, see below).

Your rights

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes and we will collect express consent from you if legally required prior to using your personal data for marketing purposes.

You can exercise your right to accept or prevent such processing by checking certain boxes on the form on our website. You can also exercise the right at any time by contacting us at

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

The GDPR provides you with the following rights. To:

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party in certain formats, if practicable.
  • Make a complaint to a supervisory body, which in the United Kingdom is the Information Commissioner’s Office. The ICO can be contacted through this link:

We will process your data on the basis of legal requirement, legitimate business interests, vital interests and consent, as applicable. You can request further information on the basis of your data processing as required.

How do we store your data?

Our business uses secure cloud environments for all candidate and client data processing, and everything is stored in the cloud with providers who meet the necessary standards and criteria set out under GDPR. All our communications are stored on our cloud CRM system.

We do need to make you aware that we use G-Suite from Google for various business applications and therefore that data is stored in North America, and not in the EU.

Mobile devices have an enforced security policy that means they are locked, and they can be remotely wiped if lost, stolen, or otherwise compromised.

Any system breaches will be reported to the Information Commissioner’s Office within 72 hours of us becoming aware of the breach.

What data do we get from you?

The reality is that we will hold no personal data on you, with the possible exception that we may have your personal phone number or personal email address, particularly if we have also worked with you as a candidate (whereby we will probably also have a copy of your CV).

The only information we generally have is any business communications we have had with you or your business.

Exceptions may apply if we have successfully concluded some business with your organisation, whereby we may have the organisation's bank details, etc., for the purposes of invoicing, but these will never be your personal data.

How do we get your data?

  • When you apply for an advertised position
  • We already hold it from an historical application
  • Referrals from friends or colleagues of yours
  • From public social networking sites such as LinkedIn or Xing

What do we do with client data?

We may, from time to time, market to you with phone calls and/or email communications with details such as candidates we think may be of interest to you, news items, and details of upcoming events.

Our policy is that any business data is held under legitimate business interests; as such, we will hold it for 5 years, at which point it will be deleted if redundant. When we register your data you will be able to choose to opt in to our marketing communications (see below) and/or request that your contact information be deleted. If we have successfully conducted business with your organisation previously, we will not be able to delete our business records, for legitimate business reasons and, in some cases, due to compliance with HMRC requirements.

The best course of action?

Should you no longer wish to receive any communication from our business in the future, the best course of action is to request an opt-out from communications, whereby we will remove all your contact information and place a note on the record which will prevent any further communications.

Requesting a delete, which is your right if you wish, could easily result in your details being picked up again at a later date and re-added to our CRM (internal database), because the consultant would not be able to see that you had previously requested a removal.

Data retention & deletion – Privacy by design

We will automatically delete all emails that are older than 365 days.

All downloaded CVs and/or candidate or client records (whom we do not place) are held on our database for 5 years (unless you request deletion earlier), before then being deleted.

Any data records held on Annapurna Recruitment's cloud servers will be checked and deleted on a quarterly basis.

Marketing Communications

These will take the form of one, or some, of the following:

  • General Marketing collateral about our range of services
  • The presentation of good candidates we feel you may be interested in, or candidates who have requested we represent them to you because they want to work for your business
  • Invites and information pertaining to relevant industry events we host

We hope that you will opt in to our emails and that you feel that any email you receive from our business is well presented and contains relevant information, even if it is not needed on that particular day.

However, you will of course be able to opt out of any such emails at any time in the future.
