GDPR Compliance
How we meet our obligations under UK GDPR as a specialist talent advisory and executive search firm handling candidate and client data.
Last Updated 21 April 2026
The Consultancy Group is a data controller registered with the UK Information Commissioner's Office. We handle personal data in accordance with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
What is UK GDPR?
The UK General Data Protection Regulation (UK GDPR) is the UK's framework for the protection of personal data, implemented alongside the Data Protection Act 2018. It sets out how organisations must collect, process, store, and share personal data — and the rights individuals have in respect of their own data.
For a firm like ours, where trust is central to the service we provide, compliance is not a box-ticking exercise. It is inseparable from the way we work with candidates and clients.
Our role as a data controller
In most of our processing activity, The Consultancy Group (TCG) acts as a data controller — we determine the purposes for which and the means by which personal data is processed. This includes personal data about:
- Candidates who have registered with us, applied for a role, or been contacted by our consultants as part of a search
- Client contacts at organisations we provide services to
- Wider professional contacts across our markets
Where we use third-party services to support our work (such as email, CRM, and cloud storage), those providers act as data processors, operating under written data processing agreements.
The principles we apply
Lawful, fair and transparent processing
We identify a lawful basis for every processing activity — most commonly legitimate interests (running our search business), performance of a contract, or explicit consent. We are clear with candidates and clients about why we hold their data and what we do with it, as set out in our Privacy Statement.
Purpose limitation
We use personal data for the purposes it was collected — delivering talent advisory services, introducing candidates to clients, and maintaining long-term professional relationships. We do not repurpose data for unrelated activities.
Data minimisation
We collect only the personal data we need to do our work — typically what a CV, an initial conversation, and a role brief require. We do not ask for special category data (such as health, ethnicity, or political information) and we will not retain it if it is incidentally supplied.
Accuracy
Candidate details change regularly — roles, employers, locations, preferences. We encourage everyone registered with us to keep their information up to date, and we act promptly on requests for rectification.
Storage limitation
We retain personal data for as long as it is genuinely useful to the work we do with you, and no longer. Retention periods are set out in our Privacy Statement. You may request deletion at any time.
Integrity and confidentiality
We apply technical and organisational measures appropriate to the sensitivity of the data we hold — encrypted data transmission, access controls, least-privilege permissions, vendor review, and staff training. Senior hiring is frequently sensitive on both sides; confidentiality is non-negotiable.
Accountability
We can demonstrate our compliance. We maintain records of processing activity, have a named Data Protection Officer, review our processors regularly, and respond to subject access and related requests within the statutory timeframe.
Rights under UK GDPR
As a data subject, you have the following rights in respect of your personal data:
- Right to be informed — to know what data we hold, why, and how long we will keep it
- Right of access — to request a copy of the personal data we hold about you
- Right to rectification — to have inaccurate data corrected
- Right to erasure — to have your data deleted, subject to overriding legal obligations
- Right to restrict processing — to limit how we use your data in certain circumstances
- Right to data portability — to receive your data in a portable format
- Right to object — to object to processing based on legitimate interests, including any direct marketing
- Rights in relation to automated decision-making — we do not use personal data for automated decision-making that produces legal or similarly significant effects
To exercise any of these rights, contact Christian Pampellonne at the details below. We will acknowledge your request within five working days and respond fully within one month.
Sensitive processing: candidate confidentiality
Executive search frequently involves personal data in sensitive contexts — a CEO exploring options while still in role, a CFO under NDA ahead of a deal, a Head of Strategy whose direct team cannot yet know. We treat every conversation as confidential by default. Specifically:
- We do not share candidate information with any client without the candidate's prior agreement, and we confirm that agreement before submission.
- Internal access to candidate profiles is limited to the consultants working a specific mandate.
- We decline to disclose which candidates we are speaking to, or about, to anyone outside the specific mandate in question.
International transfers
We place talent across the UK, Europe and the US. Where personal data is transferred outside the UK or European Economic Area, we rely on an appropriate safeguard — adequacy decisions, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses — to ensure equivalent protection.
Data breach response
In the unlikely event of a personal data breach, we follow the procedure set out by the ICO. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours. Where the risk is high, we will notify affected individuals directly without undue delay.
Questions or complaints
Data Protection Officer
Christian Pampellonne
The Consultancy Group
4–6 Throgmorton Avenue, London EC2N 2DL
If you are not satisfied with how we have handled your personal data or a data-related request, you also have the right to complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk