Elgin Shaw Limited
Privacy Policy

Last updated: 20/01/2026

1. Introduction

Elgin Shaw Limited is committed to protecting personal data and complying with the
UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We operate as a recruitment and staffing provider supplying permanent, contract and temporary
personnel to clients, including via Recruitment Process Outsourcers (RPOs), Managed Service
Providers (MSPs), and public-sector frameworks.

This Privacy Policy explains how we collect, use, share and protect personal and special category
data in the course of delivering staffing and employment-related services.

2. Data Controller Status

Elgin Shaw Limited is generally the Data Controller in relation to candidate and contractor data
collected directly by us.

Where we supply staff via an RPO or MSP arrangement, data controller/processor roles may vary
depending on the contractual structure. In such cases:

• The end client may act as Data Controller for assignment-related data.
• The RPO/MSP may act as Data Controller or Joint Controller.
• Elgin Shaw may act as either Controller or Processor in accordance with contractual agreements.

We process personal data strictly in accordance with agreed contractual data protection terms.
Company details: Elgin Shaw Limited
Registered in England & Wales
Company No: 10828387
Registered Office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email (Data Protection): shakir.farooqi@elginshaw.com

3. Categories of Personal Data Processed

In the provision of recruitment and staffing services, we may process:

3.1 Standard Personal Data

• Full name, address, email, phone number
• Date of birth
• National Insurance number
• Right-to-work documentation
• Employment history, CVs, qualifications
• Interview notes and assessment results
• References
• Bank details (for payroll/self-billing reconciliation)
• Timesheet data
• Contract and assignment details
• Business contact details (client contacts)

3.2 Special Category Data

Where legally required or necessary for employment purposes:

• Health information (e.g. occupational health, adjustments)
• Diversity and equality monitoring data
• Trade union membership (if relevant)
• Criminal conviction data (e.g. DBS checks), where legally required

Special category data is processed only where permitted under Article 9 UK GDPR and Schedule 1 Data Protection Act 2018.

4. Lawful Bases for Processing

We process personal data under the following lawful bases:

• Contractual necessity – to enter into or perform contracts of employment or services
• Legal obligation – including HMRC, right-to-work, IR35, tax, and regulatory compliance
• Legitimate interests – operating and improving our recruitment services
• Consent – where required (e.g. marketing communications)

Special category data is processed under:

• Employment and social security law
• Substantial public interest
• Explicit consent (where applicable)

5. RPO / MSP / Public Sector Processing

Where we supply personnel via an RPO or MSP:

• Candidate data may be shared with the RPO/MSP and end client for role evaluation and onboarding.
• We may receive assignment approvals, timesheet approvals and payment confirmations via vendor management systems (VMS).
• Data processing is governed by contractual data processing agreements (DPAs) where required.
• We comply with public-sector procurement data protection requirements, including audit and assurance rights where applicable.

We ensure that personal data shared within supply chains is limited to what is necessary for the assignment.

6. Self-Billing Arrangements

Where self-billing arrangements apply:

• The RPO/MSP or client generates invoices on our behalf.
• We process contractor and assignment data for reconciliation and accounting purposes.
• Financial and timesheet data is retained for audit, tax and statutory compliance.

All financial data is handled securely and in accordance with accounting and tax regulations.

7. Data Sharing

We may share personal data with:

• End clients and hiring managers
• RPOs and MSPs
• Payroll providers
• Umbrella companies (where applicable)
• HMRC and regulatory authorities
• Background screening providers
• IT system providers (e.g. CRM, ATS, payroll systems)
• Professional advisers (legal, financial, compliance)

All third parties are required to implement appropriate security and confidentiality measures.

8. International Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

• UK adequacy decisions
• Standard Contractual Clauses
• Equivalent lawful transfer mechanisms

9. Data Security Measures

We implement appropriate technical and organisational security measures, including:

• Secure, access-controlled CRM and ATS systems
• Role-based access controls
• Encrypted storage and secure communications
• Confidentiality obligations for staff and contractors
• Secure payroll and financial processing systems
• Regular system and policy reviews

10. Data Retention

We retain personal data only as long as necessary for:

• Contractual and assignment obligations
• HMRC and tax compliance
• Employment law requirements
• Public-sector audit requirements
• Legal defence and regulatory obligations

Typical retention periods:

• Candidate and contractor records: up to 6 years after last engagement
• Payroll and tax records: in line with statutory requirements

11. Individual Rights

Under UK GDPR, individuals have the right to:

• Access their personal data
• Request rectification
• Request erasure (where lawful)
• Restrict or object to processing
• Data portability
• Withdraw consent (where applicable)

Requests should be made to: shakir.farooqi@elginshaw.com

12. Complaints

If you are dissatisfied with how we handle your data, you may contact the Information Commissioner’s Office (ICO):

www.ico.org.uk

13. Policy Updates

We may update this policy from time to time. The latest version will always be available at:

www.elginshaw.com/elgin-shaw-privacy-policy.html