Privacy Policy
Who we are?
Xcede Group (Xcede Global Holdings Limited) (“we”, “us”, “ our”) are a limited company registered in England and Wales under registration number 11996176, with a registered office at Sixth Floor, 24 Eversholt St, London, England, NW1 1AD.
The Xcede Group will process your personal information in accordance with applicable data protection laws, including the, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and, where applicable, the EU General Data Protection Regulation (EU GDPR).
We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”) in relation to our processing of Personal Data.
Xcede Limited – registration number Z9829265.
Earthstream Global Limited – registration number ZA317939
What we do
We are a global technology recruitment service which provides work-finding services to its clients and work-seekers. We and our related entities are committed to protecting the privacy and security of the Personal Data we process about you. All companies under the Xcede Group collect the same Personal Data. The only differences between the companies are the sectors they recruit within. This Privacy Notice applies to the entire Xcede Group.
EarthStream: We source and select top talent across all energy sectors globally. Since 2010, EarthStream has delivered exceptional local talent along with experienced expats across a diverse range of energy companies around the world.
Xcede: We connect companies with exceptional professionals that empower growth. Founded in 2003, our vertical specialists provide global transformational talent in data, digital, technology, cyber and embedded software. Across our key areas, our experts operate with a focus on delivering excellence and expertise for our clients.
1. The purpose of this Privacy Notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.
It is important that you read this Privacy Notice together with any other Privacy Notices we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other Privacy Notices and is not intended to override them.
Who this privacy notice applies to
This privacy notice applies to you if:
• You visit our website.
• You are a current client or prospective client of ours.
• You enquire about our services.
• You sign up and create an account on our website.
• You are applying for a role Xcede is advertising, or applying to be a candidate for a role that is yet to be found.
• You are an existing contract employee placed in an Xcede Group client organisation.
• You sign up to receive newsletters and/or other promotional communications from us.
2. What is Personal Data
The term “Personal Data” means any information relating to you that identifies you, or through which you can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to you physical, physiological, genetic, mental, economic, cultural or social identity.
The term “Special Category Personal Data” is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying someone, criminal records, data concerning health and data concerning a person’s sex life or sexual orientation.
3. Why we collect your Personal Data and the Type of Data Collected
We collect your Personal Data for the purpose of providing you with Xcede recruitment services as an employer/client or as a candidate.
We will collect data about you, both personal data (such as your name and contact details) and, in some cases, Special Category Personal Data (such as information about your health or disability which is needed for the purpose of making reasonable adjustments for you during the recruitment process or to find out whether you would be able to undertake a function which is intrinsic to the job). Depending on the relevant circumstances and applicable local laws and requirements, we may collect:
• Business email address and telephone number.
• CVs, cover letters, and Application forms.
• Name.
• Date of birth.
• Next of kin details
• Email address.
• Residential address.
• Phone number.
• Visa details and copies of passports.
• Bank or building society account details.
• Details of job role and salary including data held on staff organisation charts.
• Pension information.
• Records concerning appraisal and training.
• Sickness and other absence details.
• Contracts or terms and conditions of employment.
• Correspondence between you and Xcede Group
• Correspondence, such as references, between Xcede Group and third parties in relation to your employment.
• Visual images, for example if CCTV images are used as part of building security
• Records of grievances.
• Investigations into breaches of terms and conditions of employment.
• Records of disciplinary proceedings.
• Health and safety records (including accident reports).
• In some departments, workload and work allocation.
• Where appropriate, audio and/or video recordings of lectures, presentations and workshops and team incentives.
• During our interviews, information about your personal life, including family, place of residence, personal background, education, job experience, views and opinions on situations and the workplace, preferences, life set up.
4. How we collect your Personal Data
We collect most of the Personal Data directly from you in person, by telephone, text or email and/or via our website.
However, we may also collect your Personal Data from third parties such as:
• reputable companies who provide lead generation contact lists
• others to whom you have provided consent
• publicly available sources such as social media platforms
We will collect your Personal Data in the following ways:
• When you contact us using our “Contact us” or “Submit a Brief” forms.
• Job application via the Group’s website
When you apply for a job via Xcede Group, you will be required to provide personal data for your application. For example, your contact details and your, right to work and employment history.
• Xcede Group website profile creation
When you create a profile on one of the websites within the Xcede Group, you will be required to provide contact details.
• Job applications via the direct job advert
When you apply for a job directly, you will be required to provide contact details and job history.
• Applicants found on the job board via the CV search function
If we find you on the job board, you will have already provided your contact details in order to apply for prospective jobs.
• Applicants found on LinkedIn
If we find you on LinkedIn, you will have already provided your employment history on your LinkedIn profile.
• Applicants found via Headhunt
This system is used to understand where key hires are placed, so the Xcede Group will contact candidates directly to introduce them to a role and then request more data.
• Applicants found on Daxtra
Daxtra sits in between applications and entry onto the CRM, creating coversheets entering candidates if flagged in Broadbean or sent via email to Daxtra. This data will include contact details and employment history.
• Applicants found via Broadbean
Broadbean is an applicant tracking system that sits between Xcede and the Job boards. Applicant data is stored in AdCourier. This data will include contact details and employment history.
• Details stored on CRM systems – Permanent placements
Our CRM systems will store candidate details, such as contact details, employment history and salary details. Our systems can also be used to communicate with clients to confirm candidates’ placements or offers.
• Communications via email, including scheduling and conducting phone and/or videophone interviews, providing you with feedback, and managing communications between you and prospect employers.
We may communicate with you via email in order to discuss your job applications or you may apply for jobs via an email sent directly to the Xcede Group. During that correspondence, you will be providing Personal Data. We will process the Personal Data you provide to us to respond to you and provide our recruitment services. Emails will be stored in accordance with our retention period set out in the Schedule of Processing which can be found at the end of this document.
• Security checks
Special Category Personal Data may be collected as part of your recruitment process in order to carry out DBS, eligibility to work and additional checks for successful candidates. This will include your name, proof of address, and your passport. We rely on third-parties to assist us with the checks.
• Through third-party mailing lists
Name, role, corporate email address, corporate mobile phone number, organisation, place of work, company, photographs, and seniority levels within the organisation are collected from third-party mailing lists and databases to fulfil our legitimate interests of reaching out to prospect businesses.
5. How we use your Personal Data
We will use your Personal Data in order to provide you with the Xcede Group service. In particular, when you access and interact with our website or recruitment consultants, we need to track your activities to enable you to connect to our website. We use tracking cookies to identify you in performance of this service, information of which is provided in detail in our Cookie Policy.
We will only use your Personal Data for the purpose we collected it and in accordance with the law. We will not use your Personal Data for any other purpose without your prior consent or any other lawful basis under the applicable data protection regulations, including if processing personal data is required or permitted by law, such as where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the enforcement of civil law matters.
6. Our Lawful Bases for processing your Personal Data
The UK GDPR and the EU GDPR (our global standards of data protection compliance) requires that a controller must have a lawful basis for processing Personal Data. In most instances, our lawful bases for processing your personal information are:
• The processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request, prior to entering into a contract. This is where you engage with the Xcede Group such as by applying directly on the website, job boards, or LinkedIn, with a view to securing an employment contract with the prospecting employer.
• The processing is necessary for our legitimate interests in providing you with services in order to receive, process and provide you with a response to your enquiries made through our website or phone, or when you download materials from our website such as Salary Surveys and any other guides.
• We need to comply with a legal obligation. For example, this is where the law requires us to obtain Personal Data in relation to things like work permit and DBS checks, making reasonable adjustments, and in relation to maintaining personal and financial records according to the relevant legislation;
• It is necessary for our legitimate interests (or those of a third party, including you). Under this lawful basis, we’ll process your personal data to provide you with high-standard recruitment services, including providing feedback regarding your unsuccessful application and contacting you regarding job positions we think may be of your interest, both for our internal recruitment services and when recruiting for our company clients. If you’re a business, we may also send you marketing content under the legitimate lawful basis, or contact people within your organisation to generate leads and upscaling our selling process.
We have your consent. This is where you agree either in writing or verbally for us to store and process your Personal Data for our marketing purposes – including sending you newsletters, invitations to our webinars/events, and obtaining analytical insights about how you interact with our website, connecting your LinkedIn account with our portal, and to contact you with potential jobs available.
7. Data Sharing and International Transfers
In order to provide our services, we may need to transfer your personal data outside the UK or EEA.
Your personal data may be shared across the Xcede Group for purpose of providing our recruitment services and our operational activities. Xcede have offices in the UK, Europe (Spain & Germany), Africa, Asia and North America. We may also share it with third parties such as your prospective employer.
Your personal data may also be processed outside the UK or EEA because the organisations we use to provide services to you are located outside of the UK or EEA.
If we do transfer your Personal Data outside the UK and/or the EEA, we will take appropriate steps to ensure that it receives an equivalent level of protection to that guaranteed in the UK and EEA. For example, we will ensure that the country we are sending it to has an adequacy decision issued by the European Commission and the UK Government Secretary of State..
In the absence of an adequacy decision, Xcede Group will adopt other appropriate safeguards to protect your Personal Data, such as Standard Contractual Clauses (SCC) issued by the European Commission if you are in the EU, and the International Data Transfer Agreement if you are in the UK.
Your Personal Data may be shared as follows:
• Service Providers
This can include database management systems that we use to store data, finding prospective candidates and sharing that information with our clients, including recruitment platforms (Headhunt, Daxtra, Broadbean) DBS checking companies (Verifile, People Check, First Advantage and Accurate), CRM systems (Mercury CRM), and our internal data management providers (such as Microsoft and Mailchimp)
• Sharing data with prospective employers and other third parties
This is essential to carry out our business and place candidates.
• Data transfer due to a legal obligation
If we are obligated to transfer your Personal Data to a third party based on a legal obligation or in order to comply with applicable laws and governmental bodies, we will only do so in accordance with those laws (i.e. DPA 2018, EU GDPR and UK GDPR). This may include for example, defending or pursuing legal claims, investigating fraud and co-operating with criminal investigations, such as complying with a subpoena, or similar legal process, or with the ICO (UK) or other Data Protection Supervisory Authorities.
8. Marketing
With your consent, we may contact you via email or phone to promote our services, send you newsletters, and invite you to webinars/events. To start or stop receiving marketing from us, simply contact us via our job website portal, let us know through the phone, or use the unsubscribe button placed on our communications.
Where we are legally required to obtain your consent to provide you with marketing material, for instance, when you’re a job applicant, we will only provide you with such marketing materials if you have provided consent for us to do so.
To fulfil our legitimate interests, we rely on third-party B2B data bases to provide us with prospect contact details and allow us to reach out to relevant people with decision-making powers inside prospect organisations. We only receive corporate identifiers such as name, corporate email address and phone number, role, location of work, seniority degree and organisation.
When we collect B2B mailing lists and build a prospect data base, we only do it so in compliance with the Privacy of Electronic Communication Act (PECR).
If you want to unsubscribe from mailing lists or any marketing, you should look for and follow the instructions we have provided in our relevant communications to you, such as by using the unsubscribe link.
If you choose to unsubscribe from any or all marketing, we may retain information sufficient to identify you so that we can honour your request.
9. How long we will keep your Personal Data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.
At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.
When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the Personal Data which we hold and the purposes for which it is held and processed. If you want to know how long we keep a specific type of personal data, you may obtain a copy of our Data Retention Schedule upon request.
10. Security of your Personal Data
We implement appropriate technical and organisational measures to protect data that we process from unauthorised disclosure, use, alteration or destruction. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any relevant supervisory authority of such a breach when appropriate.
In addition to the technical and organisational measures we have put in place, there are a number of simple things you can do to in order to further protect your personal information;
1. Never share your portal password.
2. Never enter your details after clicking on a link in an email or text message.
3. Always send confidential information by encrypted email where possible this reduces the risk of interception.
4. If you’re logged into any online service do not leave your computer unattended.
5. Close down your internet browser once you’ve logged off.
6. Never download software or let anyone log on to your computer or devices remotely, during or after a cold call.
11. Your Rights & How to Exercise your Rights
You have certain rights in relation to the processing of your Personal Data, including to:
• Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.
• Right of access (commonly known as a “Subject Access Request”)
You have the right to receive a copy of the Personal Data we hold about you.
• Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected.
• Right to erasure (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data.
• Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
• Right to restrict processing
You have the right to restrict our use of your Personal Data.
• Right to portability
You have the right to ask us to transfer your Personal Data to another party.
• Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
• Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
You have the right to lodge a complaint with the Information Commissioner’s Office. They can be contacted using the information provided at: https://ico.org.uk/concerns/ and their address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
For supervisory authorities in other countries within the EU see the link below:
12. Your obligations
If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account or notify us to ensure the data we hold about you is accurate and up to date.
13. How to contact our Data Protection Officer
We have appointed a global Data Protection Officer (DPO) to handle data protection matters. You can contact via email or via dataprivacy@Xcedegroup.com
14. Changes to this Privacy Notice
We, from time to time as shown by the Revision date at the top of this page. We will notify of the changes where required by applicable law to do so.
We may update this Notice (and any supplemental Privacy Notice) from time to time as shown by the revision date at the top of this page. Changes apply as soon as they are published on our website. We recommend you visit this page regularly to find out about any updates that may have been made.
You can find previous version of this Notice here.