Architecture Social: Privacy Notice
Last Updated: 20 October 2024
1.0 Introduction and Our Commitment to Your Privacy
This Privacy Notice explains how Architecture Social (“we”, “us”, “our”) collects, uses, shares, and protects your personal data. We are committed to protecting and respecting your privacy in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
1.1 Who We Are (The Data Controller)
For the purpose of applicable data protection legislation, the data controller is Architecture Social, a trading name of Architecture Social Ltd, registered in England and Wales.
- Registered Address: 21 Vyner Street, London, E2 9DG.
As the data controller, we are responsible for deciding how we hold and use personal data about you.
1.2 Our Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection law. The DPO is the designated point of contact for data subjects and the Information Commissioner’s Office (ICO) on all issues related to data processing. If you have any questions about this privacy notice or how we handle your personal data, please contact our DPO:
- DPO Name: Stephen Drew.
- DPO Contact Email: hello@architecturesocial.com
1.3 Scope of This Privacy Notice
This notice applies to all individuals whose personal data we process in the course of our business activities, including:
- Candidates: Prospective and placed candidates for permanent, temporary, or contract roles.
- Clients: Individuals we engage with at prospective, current, and former client organisations.
- Suppliers: Individuals we engage with at supplier organisations that support our services.
- Website Visitors: Individuals who visit our website, www.architecturesocial.com.
- Other Contacts: Individuals who attend our events, participate in our training or consultancy services, or otherwise correspond with us.
For the purposes of this notice, key terms are defined in line with the DPA 2018:
- Personal Data: Any information relating to an identified or identifiable living individual.
- Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- Data Subject: The individual to whom the personal data relates.
2.0 The Personal Data We Collect About You
We collect personal data through various means to allow us to carry out our business as a recruitment and professional services provider. The collection methods and data types are categorised below for clarity.
2.1 Data You Provide to Us Directly
This is information about you that you give us by filling in forms on our site (www.architecturesocial.com), creating an account, or by corresponding with us by phone, email, or otherwise. This includes:
- Candidates:
  - Curriculum Vitae (CVs), résumés, and cover letters.
  - Contact information (name, address, email address, phone number).
  - Employment history, qualifications, skills, and professional experience.
  - Salary expectations and remuneration details.
  - Right to work documentation (e.g., passport, visa information).
  - Information from references.
  - Photographs and links to professional profiles (e.g., LinkedIn).
  - Any other information you choose to provide during applications, interviews, or registration.
- Clients:
  - Contact details of individuals within your organisation (name, job title, email, phone number).
  - Information about your company’s recruitment needs and job specifications.
  - Contractual and billing information.
- Suppliers:
  - Contact details of individuals within your organisation.
  - Contractual and financial information required for the provision and payment of services.
- General Enquiries and Service Use:
  - Information you provide when you subscribe to our services, attend our events, participate in surveys, or report a problem with our site.
2.2 Data We Collect Automatically
When you visit our website, we automatically collect certain technical and usage data to improve our services and ensure the security of our site. This includes:
- Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.
- Usage Data: Full Uniform Resource Locators (URL) clickstream to, through, and from our site (including date and time); pages you viewed or searched for; page response times; download errors; length of visits to certain pages; and page interaction information (such as scrolling, clicks, and mouse-overs).
This data is collected primarily through the use of cookies and similar technologies. For more detailed information, please see our Cookie Policy.
2.3 Data We Receive from Third-Party Sources
We may also obtain personal data about you from other sources to support our recruitment activities. When we obtain your data from a third party, we will inform you within a maximum of 30 days, providing you with a copy of this privacy notice and details of the data source. These sources include:
- Professional Networking Sites: Publicly available information from platforms such as LinkedIn.
- Corporate Websites: Information available on your employer’s or other professional websites.
- Job Boards and CV Libraries: Information you have made available on third-party job sites.
- Personal Recommendations: Referrals from your colleagues or other contacts.
- Business Partners and Sub-contractors: Information received from our partners in technical, professional, or payment services.
2.4 Special Category and Criminal Offence Data
We recognise that certain types of personal data are more sensitive and are afforded greater protection under the law. “Special category data” includes information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, or sexual orientation, as well as genetic and biometric data.
We will only process special category data where it is strictly necessary and where we have both a lawful basis and a separate, specific condition for processing. For example:
- Health Data: We may process information about a disability to make reasonable adjustments during the recruitment process. The condition for this processing is that it is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security law.
- Equality and Diversity Data: Where we collect data on ethnicity, religion, or sexual orientation for equality monitoring purposes, this is done on a voluntary basis. The condition for processing is that it is necessary for reasons of substantial public interest, specifically for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment.
We will only process data relating to criminal convictions or offences where authorised by law, for example, for roles that require a basic or enhanced background check.
3.0 Our Purposes and Lawful Bases for Processing
Under the UK GDPR, we must have a valid lawful basis for every processing activity we undertake. The table below explicitly connects each of our processing activities to the types of data involved and the specific lawful basis we rely on.
3.1 Summary of Our Processing Activities
| Our Purpose (Why we process your data) | Categories of Personal Data Involved | Our Lawful Basis for Processing (under UK GDPR) |
| --- | --- | --- |
| To provide our core recruitment services: Introducing candidates to clients, arranging interviews, facilitating placements, and supporting candidates’ career development. | Candidate Data (CV, contact info, skills, experience, references), Client Data (contact info, role requirements). | Legitimate Interests (to operate our business as a recruitment agency); Contract (to fulfil our obligations to you if we have a placement agreement or to take steps at your request before entering into one). |
| To manage our client and supplier relationships: Fulfilling contracts, processing payments, and managing communications. | Client Data, Supplier Data. | Contract (to perform our contractual obligations). |
| To send you direct marketing communications: Informing you about services, events, or roles we believe may interest you via email or other electronic means. | Contact details (name, email), Professional details (job title, company). | Consent (for electronic marketing to individuals, where we obtain your explicit, opt-in consent); or Legitimate Interests (for marketing to corporate subscribers, subject to a clear right to object). |
| To administer and secure our website and internal systems: Troubleshooting, data analysis, testing, and preventing unauthorised access. | Technical Data, Usage Data. | Legitimate Interests (to ensure the security and operational integrity of our services). |
| To comply with legal and regulatory obligations: Verifying right to work, complying with tax law, and responding to legal requests. | Candidate Data (right to work documents), Financial Data. | Legal Obligation (to comply with UK law, e.g., Immigration, Asylum and Nationality Act 2006; Conduct of Employment Agencies and Employment Businesses Regulations 2003). |
| For equality and diversity monitoring: To assess the effectiveness of our equality policies (where undertaken). | Special Category Data (e.g., ethnicity, disability) provided voluntarily. | Legitimate Interests (to promote equality of opportunity) and a specific condition under Article 9 UK GDPR, such as for reasons of Substantial Public Interest. |
3.2 A Deeper Look at Our Lawful Bases
To ensure full transparency, we provide a clearer explanation of the lawful bases we rely on most frequently:
- Legitimate Interests: This is our primary lawful basis for our core recruitment activities. It means we have a genuine and legitimate business reason to process your personal data, which is essential for us to provide our services to candidates and clients. We only rely on this basis after conducting a Legitimate Interests Assessment (LIA) to ensure that our interests do not override your rights and freedoms. A summary of our LIAs is available upon request from our DPO.
- Contract: We rely on this basis when we need to process your data to perform a contract we have entered into with you (e.g., a placement agreement with a candidate or a terms of business agreement with a client) or to take steps you have requested before entering into such a contract.
- Legal Obligation: This applies when we are required by law to process your data. A key example in our business is the legal requirement to verify a candidate’s right to work in the UK.
- Consent: We rely on consent for specific activities, most notably for sending direct marketing communications via email or SMS to individuals. Where we rely on consent, it will always be a clear, affirmative, opt-in action. You have the right to withdraw your consent at any time, and we will make it easy for you to do so (e.g., via an “unsubscribe” link in our emails).
4.0 Data Sharing and Disclosure
We may need to share your personal data with various third parties for the purposes set out in Section 3.0. We will only share your data where it is necessary to do so and where appropriate safeguards are in place.
We will share your personal information with:
- Clients (Prospective Employers): For the purpose of introducing candidates to them, arranging interviews, and facilitating the recruitment process. We will only share information that is relevant to your application.
- Candidates: For the purpose of arranging interviews and providing necessary details about roles and client companies.
- Our Service Providers (Data Processors): We engage third-party service providers who act as “data processors” on our behalf. They are contractually bound to process your data only on our documented instructions and to implement appropriate security measures. Our processors include providers of:
  - IT infrastructure and cloud hosting services (e.g., our Customer Relationship Management (CRM) system).
  - Email marketing and communication platforms.
  - Website analytics and search engine optimisation services.
- Professional advisors, including lawyers, auditors, and accountants.
- Regulatory and Legal Bodies: If we are under a duty to disclose or share your personal data to comply with any legal obligation (e.g., with HMRC, law enforcement, or a court order).
- Third Parties in Business Transactions: In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer. If Architecture Social or substantially all of its assets are acquired by a third party, personal data held by us will be one of the transferred assets.
5.0 International Data Transfers
Some of our third-party service providers (data processors), such as those providing our CRM and cloud hosting solutions, are based outside the UK. This means that when we use their services, your personal data may be transferred to, stored, and processed in countries outside the UK, including the United States.
We will only transfer your personal data outside the UK where appropriate safeguards are in place to ensure your data receives a level of protection that is essentially equivalent to that provided under UK law. We use the following mechanisms:
- Adequacy Regulations: We may transfer data to countries that the UK Government has deemed to provide an adequate level of data protection. This currently includes all countries within the European Economic Area (EEA).
- Appropriate Safeguards: For transfers to countries without an adequacy decision, such as the United States, we rely on appropriate safeguards as permitted under Article 46 of the UK GDPR. Specifically, we use the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (SCCs), as issued by the ICO.
- Transfer Risk Assessments (TRAs): In conjunction with using the IDTA or Addendum, we conduct a Transfer Risk Assessment for each restricted transfer. This assessment allows us to verify that the legal framework in the destination country does not undermine the protections provided by the contractual clauses, ensuring your data remains secure.
By submitting your personal data, you acknowledge that this transfer, storage, or processing may take place under these protected conditions.
6.0 Data Security
We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
Our security measures include:
- Encryption: Encrypting personal data both in transit (e.g., using SSL technology on our website) and at rest on our secure servers.
- Access Controls: Limiting access to your personal data to those employees, agents, and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
- Secure Infrastructure: Storing all information you provide to us on secure servers, protected by firewalls and other security technologies.
- Staff Training: Providing regular data protection and information security training to all our staff to ensure they are aware of their responsibilities.
- Breach Procedures: We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
7.0 Data Retention
We do not keep your personal data for longer than is necessary for the purposes for which we collected it. We operate a data retention policy and have established a retention schedule to ensure we comply with our legal obligations and the principle of data minimisation.
The length of time we retain your data depends on the type of data and the purpose for which we hold it.
After the relevant retention period has expired, personal data will be securely destroyed or permanently anonymised.
8.0 Your Data Protection Rights
Under the UK GDPR, you have a number of important rights regarding your personal data. We are committed to upholding these rights.
- The Right to be Informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your information and your rights.
- The Right of Access: You have the right to obtain a copy of the personal data we hold about you (a “Subject Access Request”).
- The Right to Rectification: You are entitled to have your information corrected if it is inaccurate or incomplete.
- The Right to Erasure (‘The Right to be Forgotten’): This enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it.
- The Right to Restrict Processing: You have the right to ‘block’ or suppress further use of your information in certain circumstances.
- The Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services.
- The Right to Object: You have the right to object to processing based on our legitimate interests or for direct marketing. The right to object to direct marketing is absolute.
- Rights in Relation to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.
To exercise any of these rights, please contact our Data Protection Officer at hello@architecturesocial.com. There is no fee to exercise your rights, unless your request is “manifestly unfounded or excessive.” We will respond to your request within one month of receipt.
9.0 Cookies and Similar Technologies
Our website uses cookies to distinguish you from other users. Cookies are small files of letters and numbers that we store on your browser or the hard drive of your computer.
We distinguish between:
- Strictly Necessary Cookies: These are essential for the operation of our website and do not require your consent.
- Non-Essential Cookies (e.g., Analytical, Performance, Advertising): We will only set these cookies if you provide your explicit, opt-in consent via our cookie consent banner.
For detailed information on the cookies we use, the purposes for which we use them, and how you can manage your preferences, please see our separate Cookie Policy.
10.0 Automated Decision-Making and Profiling
We do not use solely automated decision-making that has a legal or similarly significant effect on you.
We do use our IT systems and CRM to search and filter our database of candidates to identify suitable individuals for specific roles. This process, which involves using parameters set by our consultants (e.g., skills, experience, location) to create shortlists, constitutes profiling under the UK GDPR. However, a human recruitment consultant is always involved in the subsequent decision-making process, such as reviewing the shortlist and deciding which candidates to contact and introduce to a client.
11.0 Your Right to Lodge a Complaint
We hope that we can resolve any query or concern you raise about our use of your information. However, if you are not satisfied with our response, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (ICO).
We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact our DPO in the first instance at hello@architecturesocial.com.
12.0 Changes to This Privacy Notice
We keep our privacy notice under regular review. This notice was last updated on the date shown at the top of the document. Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate and significant, notified to you by email.