- Purpose of this Policy
- Who is Responsible for Data Protection at Shadowhound?
- Data Protection Principles
- What Personal Information do we Hold about You?
- What do we do with your Personal Information?
- Data Security at Shadowhound
- Your Rights as the Data Subject
- What to do if you have Any Questions or Concerns?
From Friday, 25th May, 2018, the General Data Protection Regulation (GDPR) comes into effect. At Shadowhound, we are absolutely committed to ensuring that your personal information is processed and held according to legally compliant standards of data protection whether you are a candidate or a client. We confirm that for the purposes of GDPR, Shadowhound is a Data Controller. This means that we determine the purposes for which, and the manner in which, your personal information is processed. Our legal basis for holding and processing your data is Legitimate Interest pursuant to Article 6(1)(f) of GDPR.
PURPOSE OF THIS POLICY
a) notifying you of the personal information that we may hold about you and what we do with that information;
b) ensuring that you understand the legal standards that we uphold when handling your personal information;
c) clarifying the security measures that are in place to protect your personal information; and
d) clearly explaining your legal rights as the data subject.
WHO IS RESPONSIBLE FOR DATA PROTECTION AT SHADOWHOUND?
2. This policy and the rules contained in it apply to all Shadowhound staff, irrespective of seniority, tenure and working hours, including all directors, officers, consultants and researchers (Staff).
3. The Chief Operations Officer (COO), David Mitchell, has overall responsibility for ensuring that all personal information is handled in compliance with the law. The COO acts as the Shadowhound Data Protection Officer (DPO) with day-to-day responsibility for data processing and data security.
4. All Staff have a personal responsibility to handle your personal information consistently with the principles set out in this document and to ensure that measures are taken to protect that information.
5. All managers have special responsibility for leading by example and monitoring and enforcing compliance.
6. Any breach of this policy will be taken seriously and may result in disciplinary action for Shadowhound staff up to and including dismissal for gross misconduct and/or prosecution.
DATA PROTECTION PRINCIPLES
7. Shadowhound staff must, at all times, comply with the following legal data protection principles ensuring that your personal information is:
a) processed fairly and lawfully. We must always have a lawful basis to process your personal information. You must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
b) processed for limited purposes and in an appropriate way. Your personal information must not be collected for one purpose and then used for another. If we want to change the way we use your personal information we must first tell you.
c) adequate, relevant and not excessive for the purpose(s).
d) accurate. Regular checks must be made to correct or destroy inaccurate information.
e) not kept for longer than necessary for the purpose(s). Information must be destroyed or deleted when we no longer need it. For further guidance on how long we hold your personal information please see below.
f) processed in line with your rights as a Data Subject. You have a right to request access to your personal information, prevent your personal information being used for direct-marketing, request the correction of inaccurate data and to prevent your personal information being used in a way likely to cause you or another person damage or distress (please see below for more information about your rights as data subject).
g) secure at all times.
h) not transferred to people or organisations situated in countries without adequate protection.
WHAT PERSONAL INFORMATION DO WE HOLD ABOUT YOU?
8. We collect personal information about you which:
a) is in the public domain; and/or
b) is provided by third parties; and/or
c) you provide during your conversations or meetings with us.
9. The types of personal information that we may collect, store and use about you include (but are not limited to):
a) your name, title, date of birth, sex/gender;
b) your contact details including telephone number, email address & postal address;
c) your job title, career history (including your CV, any references received and details of your qualifications); and
d) any additional information that you have chosen to disclose.
10. Unless we have your direct consent to do so, we do not hold information relating to your racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life or about criminal offences.
We hold limited personal information about you including your name, contact information (email address, office address, telephone number) and your job title and responsibilities. This information is collected, processed and held in order to allow us to fulfil our contractual obligations to you as one of our valued clients.
WHAT DO WE DO WITH YOUR PERSONAL INFORMATION?
11. We collect, process and hold the personal information of financial services professionals with the intent of identifying and presenting suitable candidates for Executive and Board employment roles with our clients when they indicate a requirement to employ such individuals.
12. We use your personal information in order to assess your suitability with these on-going mandates. This enables us to:
13. In the course of conducting our business, therefore, we may share your personal information with our clients. Any information shared is limited to what is strictly necessary to achieve the above purposes and your interests as a data subject are foremost in our minds.
14. Data Retention Periods. We will hold and process your personal information for as long as it is relevant to our industry. Normally this will be for a period of 6 years, which is assessed to be the average amount of time that financial services professionals remain in the same role.
DATA SECURITY AT SHADOWHOUND
15. Our data protection policies and practices exist to ensure that your personal information is not accessed, lost, deleted or damaged unlawfully or without proper authorisation.
16. Maintaining data security means ensuring that:
a) information is accurate and suitable for the purpose(s) for which it is processed; and
b) only authorised persons can access information if they need it for authorised purposes.
17. We use strict internal procedures and state-of-the-art technology to secure your personal information throughout the period that we hold or control it.
18. Some of the security measures in place at Shadowhound include the:
a) physical securing of information. Any desk or cupboard temporarily containing personal information is kept securely locked at all times.
b) locking of computers with a password to ensure that sensitive information on monitors is not accessible by unauthorised persons.
c) use of advanced encryption and firewalls on all databases and computer systems.
d) control of access to our offices.
19. Your personal information is never transferred to any person or organisation to process (e.g. in the provision of our services to one of our clients), unless that person or organisation has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
20. Electronic Messaging. All our Staff are particularly aware of the vulnerability of electronic messaging, including social networking, file sharing and instant messaging. These platforms are not used to transmit sensitive personal information. Only internal databases and company email are permitted as a means of storing and transmitting data.
21. Methods of disposal. Copies of your personal information, whether on paper or on any physical storage device, are physically destroyed when they are no longer needed. Paper documents are shredded and CDs or memory sticks or similar are rendered permanently unreadable.
YOUR RIGHTS AS THE DATA SUBJECT
For more information about your rights as a Data Subject or to exercise one of your rights, please contact firstname.lastname@example.org or phone us on +44 203 002 9066.
22. Data Subject Access Request (DSAR)
a) By law you may make a formal request for information that we hold about you. Provided that we are able to verify your identity, we will endeavour to provide such information within 30 days of your request.
b) In some circumstances it may not be possible to release all the information that we hold about you; e.g. if doing so would violate the personal information or opinions of a third party.
a) Any member of staff who receives a written request will forward it to the Data Protection Officer immediately.
23. Right to Have Data Corrected
If you consider that any information held about you is inaccurate then you should inform us and, if we agree that the information is inaccurate, then we will correct it.
24. Right to Be Forgotten
If you do not wish for us to hold or process your personal information, please contact us at email@example.com and we will delete such information.
WHAT TO DO IF YOU HAVE ANY QUESTIONS OR CONCERNS
25. Should you feel that your personal information is not being held or processed in a proper manner, or you have any other questions or concerns, then please make us aware by emailing us at firstname.lastname@example.org or calling us on +44 203 002 9066, and we will take all reasonable steps to rectify the situation.
26. Alternatively, you are able to find the contact details of any member of staff on this website at www.shadowhound.com/contact/
27. Right to Complain to Supervisory Body
If, however, you are still not satisfied, you are able to lodge a complaint with the Information Commissioner’s Office (ICO). Their details can be found on their website at www.ico.org.uk