About this policy

Durlston Partners is committed to protecting personal data and respecting the privacy rights of individuals. This policy outlines how we collect, use, store, protect and manage personal data in accordance with applicable data protection laws in the jurisdictions in which we operate.

If you have any questions regarding this policy or our data protection practices, please contact: [email protected]


1. Who we are

Durlston Partners (“we”, “us”, “our”) is a global recruitment firm specialising in technology and quantitative finance talent.

The Durlston Partners group comprises Durlston Partners London Limited (United Kingdom – parent company), Durlston Partners USA LLC (New York, United States), and Durlston Partners DMCC (Dubai, United Arab Emirates). This policy applies across all group entities and, depending on the circumstances, the relevant group entity may act as a data controller or data processor.

We comply with applicable data protection laws including UK GDPR and the Data Protection Act 2018, EU GDPR where applicable, UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, DMCC Data Protection Regulations, and relevant US privacy and cybersecurity laws including the New York SHIELD Act.


2. Data we collect

Personal data refers to any information relating to an identifiable individual. We process personal data in the course of providing recruitment services.

Candidate data may include name, contact details, location, employment history, CV and career information, skills and qualifications, compensation expectations, immigration or visa status, and interview notes or recruitment process details.

Client data may include names and professional contact details of employees at client organisations, hiring requirements, and correspondence relating to recruitment processes.

Technical data may include email communications, CRM system records and website usage information.

We may also create aggregated or anonymised data for statistical or research purposes.


3. How we collect data

Personal data may be collected through direct communication (email, phone, meetings or messaging platforms), CV submissions, professional networking platforms such as LinkedIn, publicly available sources, referrals, and previous recruitment processes.


4. Legal basis for processing

Where required by law, we rely on the following legal bases for processing personal data: legitimate interests (core recruitment activities), performance of a contract, legal obligations, and consent where required. Our legitimate interests include matching candidates with relevant opportunities and maintaining professional recruitment networks.


5. Data sharing

We may share personal data with clients considering a candidate for employment, other Durlston Partners group companies, IT and CRM service providers, professional advisers (such as lawyers, accountants and auditors), and regulatory authorities where required by law.

Candidate data is only shared with clients with the candidate’s express consent.


6. International transfers

Because Durlston Partners operates internationally, personal data may be transferred between our group entities in the UK, UAE and United States.

Where personal data is transferred internationally, appropriate safeguards are implemented including Standard Contractual Clauses (SCCs), adequacy decisions where applicable, or consent where legally required, ensuring personal data receives an equivalent level of protection.


7. Data retention policy

Durlston Partners retains personal data only for as long as necessary to fulfil legitimate business purposes and comply with legal obligations.

Typical retention periods include candidate data retained for up to 15 years due to the specialised nature of recruitment markets, client contact data retained for the duration of the commercial relationship and a reasonable period thereafter, and financial records retained in accordance with applicable accounting and tax regulations.


8. Data security

We implement appropriate technical and organisational security measures to protect personal data, including secure cloud-based systems, role-based access controls, password-protected systems, restricted employee access and confidentiality obligations for staff.


9. Data breach response plan

Durlston Partners maintains procedures for identifying, reporting and responding to personal data breaches. If a breach is suspected, the incident must be reported internally immediately and assessed by management, and appropriate containment and remediation steps must be implemented.

Where legally required, relevant regulators will be notified within 72 hours of our becoming aware of a breach, and a data breach log is maintained to document incidents and remedial actions.


10. Data subject rights

Individuals may have rights under applicable data protection laws including the right of access, rectification, erasure, restriction of processing, data portability and objection to processing.

Requests relating to these rights can be made by contacting [email protected], and we will respond within legally required timeframes.


11. Training and compliance

Employees with access to personal data must comply with this policy, follow data protection procedures, maintain confidentiality of personal data and report suspected breaches. Failure to comply may result in disciplinary action.


12. Policy review

This policy is reviewed periodically to ensure compliance with evolving data protection regulations.

Last updated: March 2026