Privacy Policy
Introduction
NORDFIN PARTNERS LTD (referred to as "we", "us", or "our") is a recruitment agency based in the United Kingdom, specialising in recruitment services. We are committed to protecting the privacy and security of the personal data we process.
This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR). It applies to candidates seeking employment, clients (employers) using our services, and any other individuals whose personal data we process in the course of our business.
We may update this Privacy Policy from time to time. Any changes will be posted on our website (if applicable) or notified to you directly where required by law. This policy was last updated on August 16 2025.
Data Controller and Contact Details
The data controller for the purposes of this Privacy Policy is Jorel Bautista, operating as NORDFIN PARTNERS LTD, with our registered address at 3rd Floor, 86–90 Paul Street, London EC2A 4NE.
Jorel Bautista also acts as the Data Protection Officer (DPO). You can contact us regarding any data protection matters at:
- Phone: +44 28 4303 2037
- Postal Address: 3rd Floor, 86-90 Paul Street, London EC2A 4NE
If you have any questions about this Privacy Policy or our data processing practices, please contact us using the details above.
Personal Data We Collect
We collect and process personal data necessary for providing recruitment services. The types of personal data we may collect include:
For Candidates:
- Contact information (e.g., name, email address, phone number, postal address).
- Professional information (e.g., CV/resume, employment history, education, qualifications, skills, references).
- Identification details (e.g., date of birth, nationality, right-to-work status, where required for verification).
- Sensitive personal data (e.g., health information, criminal record checks, diversity data such as ethnicity or disability), only where necessary and with your explicit consent or as required by law.
- Any other information you voluntarily provide during the recruitment process.
For Clients (Employers):
- Contact information (e.g., name, job title, email, phone number).
- Company details (e.g., business name, address, industry).
- Recruitment requirements (e.g., job descriptions, hiring preferences).
We may also collect data about website visitors (if we operate a website), such as browsing behaviour via cookies (see the "Cookies" section below).
How We Collect Your Personal Data
We collect personal data through various methods, including:
- Directly from you: When you submit a job application, CV, or inquiry via email, phone, our website, or in-person meetings.
- From third parties: Such as job boards, social media platforms (e.g., LinkedIn), references provided by you, or previous employers (with your consent).
- Automatically: Through website analytics tools or cookies, if you interact with our online presence.
- Public sources: Where relevant for verification, such as professional directories or public profiles.
Purpose and Legal Bases for Processing Your Personal Data
We process personal data for the following purposes, based on the legal bases outlined below:
- Assessing candidate suitability for job opportunities and matching with potential employers - Legal Basis: Legitimate interests (providing recruitment services); Consent (where you opt-in for specific processing, e.g., retaining data for future opportunities).
- Facilitating recruitment on behalf of clients, including sharing candidate profiles - Legal Basis: Performance of a contract (with clients); Legitimate interests (efficient recruitment).
- Verifying identity, qualifications, and right-to-work status - Legal Basis: Legal obligation (e.g., immigration laws); Legitimate interests.
- Communicating with you about job opportunities, updates, or services - Legal Basis: Consent; Legitimate interests.
- Complying with legal requirements (e.g., equality monitoring, tax obligations) - Legal Basis: Legal obligation.
- Improving our services, such as analysing application trends (anonymized where possible) - Legal Basis: Legitimate interests.
- Processing sensitive data (e.g., health or diversity information) - Legal Basis: Explicit consent; Necessary for employment law obligations.
We do not use automated decision-making or profiling that produces legal effects or significantly affects you without human oversight.
Sharing Your Personal Data
We may share your personal data with:
- Potential employers/clients: Candidate details are shared only with your consent and for specific job opportunities.
- Service providers: Third-party processors (e.g., cloud storage providers, email services) who assist us, bound by data processing agreements ensuring GDPR compliance.
- Regulatory authorities: Where required by law (e.g., for audits or investigations).
- Professional advisors: Such as accountants or lawyers, under confidentiality obligations.
We do not sell your personal data to third parties.
International Data Transfers
As a UK-based recruitment agency, all our data processing activities (e.g., storage, management, and processing of candidate and client data) occur within the United Kingdom. However, to provide our recruitment services, we may share candidate personal data with clients located within the EU/EEA.
The UK benefits from an adequacy decision from the European Commission (as of August 2025), allowing free flow of personal data from the EU to the UK without additional safeguards. If this changes or if we transfer data to other third countries, we will use appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to ensure equivalent protection.
Data Retention
We retain personal data only as long as necessary for the purposes outlined above:
- Candidate data: Up to 12 months after the end of a recruitment process, or longer if you consent to us keeping it for future opportunities (e.g., in a talent pool). You can withdraw consent at any time.
- Client data: For the duration of our business relationship plus 6 years for legal and accounting purposes.
- Sensitive data: Deleted immediately after the relevant process unless required by law.
Data is securely deleted or anonymised when no longer needed.
Data Security
We implement robust security measures to safeguard your personal data against accidental loss, unauthorised access, use, alteration, or disclosure. Access to your personal data is strictly limited to the data controller/owner, ensuring no unnecessary access. Any third-party service providers (e.g., cloud storage or email platforms) process your data only under our explicit instructions and are bound by confidentiality obligations through GDPR-compliant data processing agreements. We maintain procedures to address any suspected data breaches and will notify you and relevant authorities (e.g., the UK Information Commissioner’s Office or EU data protection authorities) promptly, within 72 hours, where legally required.
Your Data Protection Rights
Under UK GDPR and EU GDPR, you have the following rights:
- Right to access: Request copies of your personal data.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion under certain conditions (e.g., if data is no longer needed).
- Right to restrict processing: Limit how we use your data in specific scenarios.
- Right to data portability: Receive your data in a structured format or have it transferred to another controller.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: At any time, where processing relies on consent.
- Rights related to automated decisions: Not to be subject to decisions based solely on automated processing.
To exercise these rights, contact us using the details above. We will respond within one month (extendable if complex). These rights are not absolute and may be subject to exemptions.
If you are in the EU/EEA, you may also contact your local supervisory authority. In the UK, contact the Information Commissioner's Office (ICO) at www.ico.org.uk.
Cookies and Similar Technologies
If we operate a website, we may use cookies to enhance user experience (e.g., remembering preferences). Cookies collect data like IP addresses and browsing behaviour.
- Essential cookies: Necessary for site functionality.
- Analytics cookies: To understand site usage (e.g., Google Analytics, anonymized).
You can manage cookies via your browser settings. For more details, refer to our Cookie Policy (available on our website) or contact us.
Complaints
If you are unhappy with how we handle your personal data, please contact us first. You have the right to lodge a complaint with:
- UK: Information Commissioner's Office (ICO) – www.ico.org.uk or helpline 0303 123 1113.
- EU/EEA: Your local data protection authority.
Changes to This Privacy Policy
We may amend this policy to reflect changes in our practices or legal requirements. Updated versions will be posted with the revision date. If changes are significant, we will notify you directly.