Privacy Notice – Candidates and Clients

Welcome to Harrison Clarke’s Privacy Notice.

This Privacy Notice is aimed at Candidates and Clients who benefit from Harrison Clarke’s recruitment and staffing services within the United States (US) and within the United Kingdom (UK) and the European Union (EU). We ask that you read this Privacy Notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal data, your rights in relation to your personal data and on how to contact us and supervisory authorities in the event you have a complaint.

Who we are

We are Harrison Clarke.

Harrison Clarke International, Inc., is registered in the State of California and has its registered office at 548 Market St, Suite 15352, San Francisco, California 94104, United States (Harrison Clarke US). Harrison Clarke US is also registered in the State of New York with an office at 230 Park Ave, 3rd Floor, New York, NY 10169, United States.

Harrison Clarke International Ltd. is a UK company registered under Company Number: 10541771 and has its registered office at Harrison Clarke International Ltd., 6 Mitre Passage, 8th Floor, London, SE10 0ER, United Kingdom (Harrison Clarke UK).

In this Privacy Notice, Harrison Clarke US and Harrison Clarke UK shall collectively be referred to as “we”, “us”, “our” or “Harrison Clarke”, unless a specific distinction is made between our entities.

We have nominated a Data Protection Counsel, Charlotte Gerrish. You can contact her via our dedicated data protection email address:

Our appointed representative in the European Economic Area (EEA)

As we are based outside of the EEA, we have appointed an EU representative for individuals based in the EEA. The role of our EU representative is to ensure that our clients and candidates based within the EEA have a local point of contact within the EEA to whom they can address queries and any complaints. Our EU representative facilitates such contact and ensures efficient communication with EEA-based supervisory authorities. Details of our appointed EU representative are as follows:

Name: Gerrish Legal SARL

Postal and Office Address: 15 rue de Surène, Paris, 75008, France

Please ensure that all correspondence sent by post is marked with ‘Harrison Clarke’ as a reference to ensure that your matter is dealt with efficiently.

Privacy Shield Commitment

To demonstrate its serious commitment to protecting personal data, Harrison Clarke US is a participant of the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data. Harrison Clarke US has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. Harrison Clarke US is committed to complying with the Privacy Shield Principles for as long as it processes relevant personal data. If you want to learn more about the Privacy Shield program, and view our certification, please visit the Department of Commerce’s Privacy Shield website at

However, whilst Harrison Clarke US adheres to the Privacy Shield Principles and it remains in compliance with the requirements of such certification, from July 16, 2020, any transfers of personal data from the UK and the EEA to Harrison Clarke US are conducted by relying on the European Commission’s Standard Contractual Clauses in compliance with Chapter V of the GDPR, the UK International Data Transfer Agreement, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses or any other appropriate transfer mechanism authorized under the GDPR. Any transfers of personal data between the Harrison Clarke entities are carried out in reliance on the European Commission’s Controller-to-Controller Standard Contractual Clauses. If there is any conflict between the terms in this Privacy Notice and the Standard Contractual Clauses, the Standard Contractual Clauses shall govern. Further information about our personal data transfers outside of the UK and the EEA is also set out below in this Privacy Notice.

Harrison Clarke’s Recruitment and Staffing Activities

Our business is primarily focused in the US, and Harrison Clarke’s client and candidate base comprises primarily companies and citizens based or residing in the US. Harrison Clarke therefore respects US data protection rules in respect of any processing carried out in the US. As Harrison Clarke UK is a key entity of the Harrison Clarke Group and is based in the UK, Harrison Clarke is also committed to respecting UK and European data protection rules when they are applicable to our activities.

As part of its recruitment and staffing activities, Harrison Clarke collects, uses and is responsible for certain personal data about candidates and clients. When we do this within the EU or UK or when we provide services to UK or EU residents, we are regulated under the General Data Protection Regulation or “GDPR” which applies across the EU (including in the UK due to national laws such as the Data Protection Act 2018). In this respect, we are a ‘controller’ of personal data for the purposes of those laws. Harrison Clarke UK therefore has strict privacy rules and standards in force pursuant to the GDPR and the Data Protection Act 2018.

Whilst our processing of personal data tends to concern US residents only, and such data is usually processed outside of the UK or the EEA, we still take privacy rights seriously and have therefore chosen to apply the highest standards of data protection to our business, which might not ordinarily apply to US residents.

The personal data we collect and use

Information collected by us

In the course of our activities as a recruitment and staffing company, we collect different kinds of personal data depending on whether you are a job seeker or a candidate wishing to utilise our recruitment services to find your next employer or role, or whether you are a client who has contacted us to help you to find your next member of staff.

When we refer to clients in this policy, we also refer to our commercial business suppliers, partners and vendors. As a Privacy Shield participant, we limit all personal data collected to the information relevant for the purposes of processing that we carry out. This is further described in this section.

For our clients, we store the following information when you provide it to us:

  • Your name, your job title and role within your organisation;
  • Your office or head office address; and
  • Your professional contact details (such as telephone numbers, fax numbers and email addresses).

For our candidates, examples of information we store about you may include:

  • Your name and contact details (i.e. address, home and mobile phone numbers, email address);
  • Details of your qualifications, experience and employment history (including job titles, salary and working hours) and interests;
  • Details of your referees;
  • Information about your previous academic and/or employment history; and
  • Information from references obtained about you from previous employers and/or education providers.

Sensitive Data

We do not directly collect any sensitive data (also known as special categories of personal data) about you but sometimes this might be incidental to information we require to carry out our recruitment services. Examples of sensitive data include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, or information about your health which might be collected if our clients require evidence of nationality for visa or work permit requirements or if you need assistance or adjustments to attend an interview. We do not collect any information about criminal convictions and offences. If the need for such information arises, we will always contact you to discuss this.

Information collected from other sources

We do not generally obtain personal data about our clients from other sources, but this can occur on occasion, such as information gained from:

  • Professional social media sites where such information is in the public domain;
  • Any professional marketing materials or other publications (including your company’s website) which have been issued and maintained by your company;
  • Information that may have been gained or exchanged from trade fairs, industry talks or networking forums (in respect of this information we will always seek your consent before adding you to our database);
  • Your company or employer, where we have initially been dealing with another department or another group entity.

In respect of our candidates, sometimes we will collect information from third parties such as previous employers, your school, university or college, professional regulators or government bodies based on information that has been provided by the candidates themselves. Here are examples of some of the categories of information collected and organisations who might provide us with that information:

  • Your previous academic institution and/or employers;
  • Professional bodies or regulators regarding your professional qualifications or certifications; and/or
  • Job boards or CV banks or a profile on a social networking website designed specifically for professional networking.

How we use your personal data

For both our clients and candidates, we use any information we collect about you to:

  • best provide our recruitment services, tailor-made to suit your needs;
  • contact you in order to provide our recruitment services; and
  • negotiate and enter into agreements with our clients which govern the provision of our recruitment services to you and set out your (and our) rights and obligations, such as dealing with payment, and sending related correspondence.

Who we share your personal data with

Typically, for our candidates, the types of organisations with whom we may share your information include our clients to whom we provide recruitment services, who are seeking individuals with a profile similar to yours in order to offer employment opportunities. The purpose is so that we can help you find a new position and fulfil our clients’ recruitment needs. This data sharing enables us to best help you in your job search, and also allows us to fulfil our sourcing obligations to our clients.

However, candidates, please rest assured! We take our data protection obligations seriously and do not share your personal data with any other third party, unless we have your express consent to do so. As we are committed to providing high quality recruitment services, we will never forward on your CV to any third party without first having obtained your approval to do so.

Similarly, we may share client information with our candidates when we think that we have found a good fit. This information is limited to details of the role available, the company and any specific requirements or details you provide to us. If the candidate is offered an interview with you, we will also provide the candidate with the hiring manager’s name, professional contact details and office address. The reason for this is so that we can introduce candidates to our clients so that we can fulfil our obligation to provide staffing services to all parties concerned. Again, we will only ever share such information provided that our client contact has confirmed to us that we can do so, and that they are happy to meet with the candidate.

We also share information with external suppliers such as our CRM database providers and providers of cloud storage and hosting to ensure that we have a high quality, efficient and secure IT environment. We may also give your details to our third-party providers, such as external finance, external marketing managers, external information security and IT specialists or external lawyers to make sure that we are able to complete our contractual obligations to you and ensure the smooth running of our business.

If any transfers of your personal data with third parties constitute a controller-processor relationship, we ensure that both parties are responsible for your personal data within the limits of the GDPR, including by entering into a data processing agreement where this is necessary. For all other transfers we remain responsible for third parties’ use of your personal data. We ensure that we have appropriate indemnities in place with these third parties. Whenever we share your personal data with third parties, we always ensure that the transfers are governed by contractual obligations (pursuant to a data processing agreement or other contractual mechanisms). In any case, we always make sure that we have appropriate technical, security and organisational methods in place to secure the confidentiality and proper processing of your data, and we require that our third-party providers adhere to these guarantees too. A list of our third-party suppliers with whom we may share your personal data is available on request by contacting our Data Protection Counsel at:

Some of those third-party recipients may be based outside of the UK or EEA — for further information including on how we safeguard personal data of EU or UK residents when this occurs, see ‘Transfer of your information out of the UK or EEA’ below.

Please note: We may also share personal data with law enforcement or other authorities if required by applicable law or for the purposes of litigation. This specifically includes the requirement for us to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements in force across the US, UK and/or EEA.

Whether information has to be provided by you, and if so why

Sometimes we require specific information about you in order to properly provide you with our services. If you do not wish to provide us with certain information, then we will contact you on a case-by-case basis to explain the situation and to see how we can continue to provide you with our services in the absence of such information.

How long your personal data will be kept

As a general rule, we will keep your personal data on file for a period of 4 years following our last meaningful contact with you, unless you expressly tell us otherwise. Before we delete your data, we will check with you to see whether our recruitment services are still of interest, unless you tell us otherwise. We consider that 4 years is a reasonable timeframe, as this is usually the length of time an individual remains in a role, and you may need our services again towards the end of this period, either to find a new employee or to look for a new job.

Sometimes, we might keep your personal data for longer than the 4-year period, for example, to allow us to keep any data in accordance with legal or fiscal obligations or in pursuit or defence of a claim. It may be that some personal data is retained on these documents, but this is purely incidental to documents which are generally required strictly for commercial, legal or fiscal purposes. Where possible, we will ensure that any personal data is anonymized where it is not strictly necessary.

These timeframes apply to our client contacts who are based within the EU or UK, but where practical, we also use our reasonable efforts to ensure that these timeframes apply to our US-based contacts, unless Harrison Clarke US has a business reason for doing otherwise. As a Privacy Shield participant, Harrison Clarke US also complies with data retention principles applicable to it under the Privacy Shield framework.

Reasons we can collect and use your personal data

As far as our clients are concerned, we process your personal data: (i) with a view to entering into a commercial contract or to perform that commercial contract; (ii) in accordance with our legal obligations (for example, our accounting and HMRC and other tax obligations); and (iii) in our mutual legitimate interests – we both have the same or similar legitimate interests in collaborating together – to find you your next employee.

In respect of our candidates, we collect and use your personal data on the basis of our mutual legitimate interests. We rely on legitimate interests because we consider that our legitimate interests as a recruitment agency are not overridden by your interests or rights as a candidate. In fact, we consider that our mutual legitimate interests are likely to align with your interests in finding a job, especially when you have placed your CV on a job board with the intention of finding work or when you have selected an “Available for Work” option or “Please Notify Recruiters” on professional networking sites.

For EEA or UK-based candidates only we will nonetheless rely on your consent in instances where you have not selected an “Available for Work” option on your social networking profile. In this case, we will contact you to see if you would like to be included in our database or if you would like to benefit from our recruitment services.

If we ever need to process sensitive personal data, we will contact you at this stage and explain why we need certain information about you and obtain your express consent where this is legally required under the GDPR or UK Data Protection Act 2018.

You can of course object to us processing your personal data at any time and you are also able to withdraw your consent at any time. You may do this by contacting us at For more information, please review the section ‘Your Rights’ below.

Transfer of your information out of the UK or EEA

We may transfer your personal data to locations outside the EEA and the UK as follows:

  • We may transfer your personal data between Harrison Clarke UK and Harrison Clarke US in order to share data between the Harrison Clarke Group which enables us to properly perform recruitment services for clients and candidates based in the United States.
  • We may transfer personal data about clients within the EEA and the UK to candidates based in the US or elsewhere outside of the EEA or the UK in order to fulfil our obligations to provide clients with staffing services.
  • We may transfer personal data about candidates residing within the EEA or the UK to clients based in the US or outside of the EEA or the UK in order to assist those candidates with their job search.
  • We may also transfer your personal data to locations outside the EEA or the UK, for example, for storage on servers based in the US or otherwise outside of the EEA or the UK.
  • When Harrison Clarke US provides services to clients and candidates based in the US, the data is always held in the US and is not usually transferred to the EEA or the UK, as generally there is no business need to do so.

Some non-EEA countries do not have the same data protection laws as within the UK and the EEA, but Harrison Clarke commits to ensuring that EU and UK residents suffer no consequence or impact to their privacy rights in the event of an international transfer.

Our transfers of personal data from Harrison Clarke UK to Harrison Clarke US

To ensure that our clients and candidates benefit from the high privacy standards in force in the UK and the EEA, any transfer of personal data between Harrison Clarke UK and Harrison Clarke US is carried out pursuant to the obligations set out in the European Commission’s Standard Contractual Clauses (SCCs), and where applicable, the UK International Data Transfer Agreement (IDTA) and/or the IDTA Addendum to the SCCs (Addendum).

Harrison Clarke US also adheres to the Privacy Shield Principles, which impose strong obligations on companies in the US to protect personal data and stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission. Following Harrison Clarke US has been placed on the Privacy Shield List by the US Department of Commerce. However, Harrison Clarke does not rely on the Privacy Shield for any transfers of personal data from the UK and the EEA to the US – such transfers will always be conducted on the basis of the SCCs. For more information about the SCCs, please visit: For more information about the EU-US Privacy Shield, please visit the Department of Commerce’s Privacy Shield website:

Other International Transfers

Whenever we transfer personal data out of the UK and/or the EEA or between the UK and EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • Where the individual concerned has specifically consented after being informed of the risks due to the absence of an adequacy decision or other appropriate safeguards.
  • Where the individual themselves is a resident outside of the UK or EEA.
  • We will only transfer personal data from the UK or EEA to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers who process personal data outside of the UK and the EEA and outside of a country that has been deemed to provide an adequate level of protection, we will enter into specific contracts approved by the European Commission (the SCCs) and/or the UK Information Commissioner’s Office (the IDTA and/or the Addendum) which give personal data the same protection it has in the UK and in the EEA.
  • Where we transfer personal data from the UK to the EEA after December 31, 2020, we rely on the UK’s finding that EEA countries are deemed to provide an adequate level of protection of personal data.
  • Where we transfer personal data from the EEA to the UK, we rely on the European Commission’s finding of adequacy of June 28, 2021 for the free flow of personal data.
  • In accordance with the latest SCCs issued by the European Commission on June 4, 2021, where we transfer personal data outside the EEA, we have established a Transfer Impact Assessment (TIA) to analyse the impact and security implications of such transfers.

If you want further information on the specific mechanism used by us when transferring personal data out of the UK/EEA, please contact us at:

Receiving emails from us

We will only ever contact you in accordance with established marketing rules and practices, including the Privacy and Electronic Communications Regulations where applicable. If you would like to unsubscribe from any email communications not related to the services we are providing you, or you no longer wish to receive marketing emails or if you simply wish to be removed from our database, you can contact us at any time at: or click on the ‘unsubscribe’ button at the bottom of our emails to you. It may take up to thirty days for this to take place.

Our use of cookies

We may wish to use cookies and other similar technologies when you browse our website. Where legally required, we will only apply cookies and other similar technologies once we have had your express consent to do so. You may withdraw this consent at any time. Please note that if you refuse certain cookies when browsing our website, some parts of our website may become inaccessible or not function properly. For more information about the cookies we use on our website and how we obtain your prior consent when required, please see our Cookies Policy.

Keeping your personal data secure

We have appropriate security measures in place to prevent personal data from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We also ensure that you are able to limit the use and disclosure of your data by practical or technical means, such as by seeking your consent for transfers to third parties (where appropriate) and ensuring that we have appropriate technical mechanisms in place, such as IT security involving the encryption of our database and data, and also the possibility to anonymise your personal data at your request, and where appropriate.

For California and New York residents, in order to comply with applicable laws regarding data breaches, Harrison Clarke US will notify you without unreasonable delay in the event of a breach of the security of our systems, following discovery or notification of such breach, where we are legally required to do so.

This notification will take place either via email or via a notice on our website. Where required to do so (depending on the nature and severity of a breach), we will also notify, without undue delay, the relevant Attorney General, the relevant Department of State and the State Police in accordance with applicable laws and our internal data breach policies. We will take all steps to mitigate any such breach in accordance with applicable law.

Your rights

Under the GDPR both our candidates and clients residing within the EU or UK have a number of important rights free of charge. In summary, those include rights to:

  • fair processing of information and transparency over how we use your personal data;
  • access to your personal data and to certain other supplementary information that this Privacy Notice is already designed to address;
  • require us to correct any mistakes in your information which we hold;
  • require the erasure of personal data concerning you in certain situations;
  • receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
  • object at any time to processing of personal data concerning you for direct marketing;
  • object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
  • object in certain other situations to our continued processing of your personal data;
  • otherwise restrict our processing of your personal data in certain circumstances; and
  • for issues arising in respect of the EU-US Privacy Shield, the possibility, under certain conditions, to invoke binding arbitration for any dispute that has not been resolved by other recourse and enforcement mechanisms.

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

As Harrison Clarke US is an EU-US Privacy Shield participant, individuals may also bring a complaint directly to us, which we will respond to within 45 days where the GDPR time limits do not apply. Furthermore, at no cost to the individual, Harrison Clarke US will also provide an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved. Finally, Harrison Clarke US will respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.

If you would like to exercise any of your rights set out at the section directly above, please contact us at with enough information to allow us to identify you (by providing proof of your identity and address) and let us know the information to which your request relates. If you are an EEA resident, you may also contact our EU representative in the first instance at: to the attention of Charlotte Gerrish.

How to complain

We hope that we can resolve any query or concern you raise about our use of your personal data.

However, the GDPR and UK Data Protection Act 2018 give EEA and UK residents respectively the right to lodge a complaint with a supervisory authority, in particular in the UK, or within the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority governing Harrison Clarke’s data activities in the UK is the Information Commissioner (ICO) which may be contacted at Other EEA supervisory authorities and their contact information may be found at

In compliance with the Privacy Shield Principles, Harrison Clarke commits to resolve complaints about our collection or use of your personal data. Notably, EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Harrison Clarke at:

Harrison Clarke has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.

Harrison Clarke US is also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). As a Privacy Shield participant, Harrison Clarke US also commits to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if Harrison Clarke US becomes subject to an FTC or court order based on non-compliance.

Changes to this Privacy Notice

We may change this Privacy Notice from time to time, and when we do, we will provide the latest version on this website. This Privacy Notice was published on May 24, 2018 and last updated on May 10, 2023.

How to contact us

If you wish to contact us, please send an email to our Data Protection Counsel at: