This Privacy notice provides a detailed overview of how we as an organisation handle any information gathered
Contents
1 Key terms.
2 Personal data we collect about you.
3 Whether the provision of personal data is necessary.
4 How your personal data is collected.
5 How and why we use your personal data.
6 Who we share your personal data with.
7 Where your personal data is held.
8 Transferring your personal data out of the UK.
9 How long your personal data will be kept 1
10 Keeping your personal data secure.
11 Your rights.
12 How to complain.
13 Updating your personal data.
14 How to contact us.
15 Changes to this privacy policy.
ANNEX 1.
How and why we use the personal data of candidates —in more detail
Who we share the personal data of candidates with—in more detail
Kubrick Group Limited or any of its affiliates (collectively “Kubrick” or “we”) take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the United Kingdom General Data Protection Regulation (“UK GDPR”).
1. Key terms
It would be helpful to start by explaining some key terms used in this policy:
We, us, our | Kubrick Group Limited, a company incorporated in England and Wales (registered number 10035195), whose registered office is at Senator House, 85 Queen Victoria Street, London, EC4V 4AB and our group companies |
Personal data | Any information relating to an identified or identifiable individual |
Special category personal data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership |
Data subject | The individual who the personal data relates to |
2. Personal data we collect about you
This policy is addressed to data subjects who are not members of our personnel. The personal data we collect about you depends on i) the particular services we may provide to you if you are member of a potential, current or former client; ii) the particular services or goods we may receive from you if you are member of a potential, current or former service provider or supplier; iii) the particular relationship we may have or have had with you if you are a potential or former member of our personnel; and iv) the particular visit of our UK offices or website if you are a visitor. We will collect and use the following personal data about you:
i) if you are member of a potential, current or former client:
• your name, job title and contact information, including email address and telephone number and company details
• your gender, if you choose to give this to us
• your professional online presence, eg LinkedIn profile
• your contact history
• your feedback on our consultants
ii) if you are member of a potential, current or former service provider or supplier:
• your name, job title and contact information, including email address and telephone number and company details
• your gender, if you choose to give this to us
• your billing information
iii) if you are a candidate to become member of our personnel
- your academic and work experience and other information included in your CV and application
- your name and contact information, including email address and telephone number ☐
- information about any applicable disability and adjustment requirements ☐
- your gender, if you choose to give this to us
- your ethnicity and background, religion and sexual orientation if you choose to give this to us
- your professional online presence, eg LinkedIn profile
- where applicable, your video interview
- our interview notes and ratings
iv) if you are an alumni Kubrick consultant
- your name and contact information, including email address
- the cohort of your Kubrick training
- your gender and marital status
- Our exit interview notes
- information about the role you left Kubrick for if you choose to give this to us
v) if you are a visitor of our office:
- your name and contact information, including email address ☐
- your image/video captured by the CCTV
vi) if you are a user of our website: please refer to our Cookie Policy here.
We collect and use this personal data for the purposes described in the section ‘How and why we use your personal data’. If you do not provide personal data we ask for, it may delay or prevent us from providing services to you.
3. Whether the provision of personal data is necessary
You are obliged to provide the personal data marked ‘☐’ or we may not be able to consider your application to work with us or to give you access to our premises.
4. How your personal data is collected
We collect most of this personal data directly from you—in person, by telephone, text or email and/or via our website. However, we may also collect information:
• directly from a third party, eg: occasionally from recruitment agencies and job boards such as LinkedIn;
• via our IT systems, eg:– from door entry systems and reception logs;
– through CCTV, communications systems, email and instant messaging systems.
5. How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason, eg:
• where you have given consent;
• to comply with our legal and regulatory obligations;
• for the performance of a contract with you or to take steps at your request before entering into a contract; or
• for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests.
The table below explains what we use your personal data for and why.
What we use your personal data for | Our reasons |
Providing services to our clients | To perform our contract with you or to take steps at your request before entering into a contract |
Preventing and detecting fraud against you or us | For our legitimate interest, ie to minimise fraud that could be damaging for you and/or us |
To enforce legal rights or defend or undertake legal proceedings | Depending on the circumstances: |
Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies | To comply with our legal and regulatory obligations |
Ensuring business policies are adhered to | For our legitimate interests, ie to make sure we are following our own internal procedures |
Operational reasons, such as improving efficiency | For our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price |
Ensuring the confidentiality of commercially sensitive information | Depending on the circumstances: |
Statistical analysis to help us manage our business, eg in relation to our customer base | For our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price |
Protecting the security of systems and data used to provide the services | Depending on the circumstances: |
Preventing unauthorised access and modifications to systems | Depending on the circumstances: |
Updating customer records | Depending on the circumstances: |
Ensuring safe working practices, staff administration and assessments | Depending on the circumstances: |
Marketing our services (and potentially those of selected third parties) to: | For our legitimate interests, ie to promote our business to existing and former clients |
External audits and quality checks | Depending on the circumstances: |
To potentially share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency | Depending on the circumstances: —to comply with our legal and regulatory obligations; —in other cases, for our legitimate interests, ie to protect, realise or grow the value in our business and assets |
See Annex 1 for more details on how and why we use the personal data of candidates.
5.1 How and why we use your personal data—Special category personal data
Certain personal data we collect about candidates is treated as a special category to which additional protections apply under data protection law:
• ethnic origin and religious beliefs
• data concerning health and sexual orientation.
Where we process special category personal data, we will also ensure we are permitted to do so under data protection laws, eg:
• we have your explicit consent;
• the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
• the processing is necessary to establish, exercise or defend legal claims.
5.2. How and why we use your personal data—sharing
See the section ‘Who we share your personal data with’ for further information on the steps we will take to protect your personal data where we need to share it with others.
5.3. Marketing
We will use your personal data to send you updates (by email, text message, telephone or post) about our services or employment and networking opportunities.
We may have a legitimate interest in using your personal data for marketing purposes (see the section ‘How and why we use your personal data’). This means we do not always need your consent to send you marketing information. If your consent is needed, we shall ask for this separately and clearly.
You do, however, have the right to opt out of receiving marketing communications at any time by:
• where available, using the ‘unsubscribe’ link/option in communications you received from us; or
• contacting us at DCM@kubrickgroup.com;
We may ask you to confirm or update your marketing preferences if you ask us to provide further services or contact you for further opportunities in the future, or if there are changes in the law, regulation, or the structure of our business.
We will always treat your personal data with the utmost respect and never sell it with other organisations outside the Kubrick group for marketing purposes.
6. Who we share your personal data with
We may routinely share personal data with:
- the affiliates of Kubrick Group Limited
- processors that support the conduct of our business, e.g. providers of software as services such as our recruitment and client databases;
- our bank.
We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data.
We or the third parties mentioned above may occasionally also share personal data with:
- our and their external auditors, e.g. in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
- our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
- law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;
- other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.
See Annex 1 for more details on who we share the personal data of candidates with.
If you would like more information about who we share our data with and why, please contact us (see the section ‘How to contact us’).
7. Where your personal data is held
Personal data may be held at our offices and those of our affiliates, service providers, representatives and agents as described above (see the section ‘Who we share your personal data with’).
Some of these third parties may be based outside the UK/EEA. For more information, including on how we safeguard your personal data when this happens, see the section ‘Transferring your personal data out of the UK and EEA’.
8. Transferring your personal data out of the UK
It is sometimes necessary for us to transfer your personal data to countries outside the UK. In those cases we will comply with applicable UK laws designed to ensure the privacy of your personal data.
We will transfer your personal data to:
- our service providers located in the EEA and United States; and
- the affiliate of Kubrick Group Limited in the United States.
Under data protection laws, we can only transfer your personal data to a country outside the UK where: - the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available here. We rely on adequacy regulations for transfers to the following countries: European Economic Area countries and the United States of America to the extent that the data is transferred under the Extension to the EU-US Data Privacy Framework.
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
- a specific exception applies under relevant data protection law.
Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) appropriate safeguards, e.g. legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR and/or EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK/EEA unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this notice or our Data Protection Policy.
Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.
8.1 International transfers of your personal data outside the UK—in more detail
More details about the countries outside the UK to which your personal data is transferred are set out in the table below.
Recipient country | Recipient | Processing operation (use) by recipient | Lawful safeguard |
USA | Zoho Corporation, a company incorporated in the USA with the registered number 3019282, whose registered office is at 4141 Hacienda Drive, Pleasanton, | Maintaining personal data in the data bases of our Zoho platforms, which include a cloud-based talent acquisition software and a customer relationship management software. | There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you |
Ireland | HireVue, Inc, a company incorporated in Delaware, whose principal address is at 10876 South River Front Parkway, Suite 500, South Jordan, Utah 84095, USA | Recording video interviews | Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 |
Member of the European Union | Microsoft Corporation, a company incorporated in England with the registered number GB724594615, whose registered office is at Microsoft Campus, Thames Valley Park, Reading Berkshire RG6 1WG, UK | Using the personal data to communicate with or about the data subject via ‘Microsoft 365’ cloud platforms such as email, instant messaging, phone calls and video calls | Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 |
USA | Kubrick Consulting Inc, a company incorporated in the state of Delaware with registered number 5323055, with its correspondence address at 535 5th Ave Fl 4, New York NY 10017-8020, USA | Sharing personal data within our group of companies for the running of our international business | There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you |
USA | Greetly, Inc, of 1805 S. Bellaire St #501, Denver, CO 80222, USA | Recording the contact details of office visitors | There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you |
Member of the European Union | ZenLeads Inc. d/b/a Apollo.io, a company incorporated in Delaware, whose principal address is at 440 N Barranca Ave #4750, Covina, CA 91723, USA | Maintaining contact details of potential clients | Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 |
9. How long your personal data will be kept
We will not keep your personal data for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal data.
10. Keeping your personal data secure
We have appropriate security measures to prevent personal data from being lost accidentally or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
10.1. Transferring your personal data out of the UK—further information
If you would like further information about data transferred outside the UK, please contact us (see the section ‘How to contact us’).
11. Your rights
You have the following rights, which you can exercise free of charge:
| Access | The right to be provided with a copy of your personal data |
| Rectification | The right to require us to correct any mistakes in your personal data |
| Erasure (also known as the right to be forgotten) | The right to require us to delete your personal data—in certain situations |
| Restriction of processing | The right to require us to restrict processing of your personal data in certain circumstances, e.g. if you contest the accuracy of the data |
| Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations |
| To object | The right to object: —at any time to your personal data being processed for direct marketing (including profiling); —in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims |
| Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
| The right to withdraw consent | If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time You may withdraw consent by [insert details as relevant depending on consents] Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn |
For more information on each of those rights, including the circumstances in which they apply, please contact us (see the section ‘How to contact us’) or see the Guidance from the UK Information Commissioner’s Office (ICO).
If you would like to exercise any of those rights, please:
- email, call or write to us—see the section ‘How to contact us’; and
- provide enough information to identify yourself (e.g. your full name, email address and your relationship with Kubrick) and any additional identity information we may reasonably request from you;
- let us know what right you want to exercise and the information to which your request relates.
12. How to complain
Please contact us if you have any queries or concerns about our use of your personal data (see the section ‘How to contact us’). We hope we will be able to resolve any issues you may have.
You may also have the right to lodge a complaint with the Information Commissioner (the UK data protection regulator).
13. Updating your personal data
We take reasonable steps to ensure your personal data remains accurate and up to date. To help us with this, please let us know if any of the personal data you have provided to us has changed, e.g. your surname or address—see the section ‘How to contact us’.
14. How to contact us
You can contact us and/or our Data Protection Lead by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Our contact details are shown below:
Kubrick Group
Attn. Data Protection Lead
85 Queen Victoria Street
London
EC4V 4AB
United Kingdom
15. Changes to this privacy notice
This privacy notice was published on 1 March 2024.
We may change this privacy notice from time to time—when we do we will inform you via our website or email.
ANNEX 1
MORE DETAILS ON THE PERSONAL DATA OF CANDIDATES
How and why we use the personal data of candidates —in more detail
More details about how we use your personal data and why are set out in the table below.
Purpose | Processing operation | Lawful basis relied on under the UK GDPR | Relevant categories of personal data |
| Communications with you related to our contract or future contract | Managing the contractual or precontractual relationship | Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (Article 6(1)(b)) | Your name and contact information, including email address, telephone number and where applicable company details |
| Selection of candidates | Automated decision – see more information below | Processing is based on —your consent (Article 6(1)(a)) or | Your education |
An automated decision is a decision which is made solely by automatic means, where no humans are involved in the decision-making process related to your personal data. In the following instance, Kubrick processes your personal data using automated means: Kubrick uses algorithms which select candidates that have graduated from top universities. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects on you. In particular, you have the right:
- to obtain human intervention;
- to express your point of view;
- to obtain an explanation of the decision reached after an assessment; and
- to challenge such a decision.
If you would like more information about automated decisions or would like to exercise your rights, please contact us (see the section ‘How to contact us’).
Who we share the personal data of candidates with—in more detail
More details about who we share your personal data with and why are set out in the table below.
| Recipient | Processing operation (use) by recipient | Relevant categories of personal data transferred to recipient |
| Zoho Corporation, a company incorporated in the USA with the registered number 3019282, whose registered office is at 4141 Hacienda Drive, Pleasanton, California 94588, USA | Maintaining the candidates’ personal data in the data base of our Zoho platforms, which include a cloud-based talent acquisition software. | The personal data contained in your CV or application |
| HireVue, Inc, a company incorporated in Delaware, whose office is at 10876 South River Front Parkway, Suite 500 South Jordan, Utah 84095 | Recording video interviews | The content of your video interview, including your image |
| Microsoft Corporation, a company incorporated in England with the registered number GB724594615, whose registered office is at Microsoft Campus, Thames Valley Park, Reading Berkshire RG6 1WG, UK | Using the candidates’ personal data to communicate with or about their application via ‘Microsoft 365’ cloud platforms such as email, instant messaging, phone calls and video calls. | The personal data contained in your CV or application and exchanged with us during the recruitment process |
| Kubrick Consulting Inc, a company incorporated in the state of Delaware (registered number 5323055), with its correspondence address at 535 5th Ave Fl 4, New York NY 10017-8020, USA | Sharing personal data within our group of companies for the running of our international business | The personal data contained in your CV or application and exchanged with us during the recruitment process |