Last Updated: October 2025
This Privacy Policy describes how Wenham Carter and its affiliates (collectively, “Wenham Carter,” “we,” “our,” or “us”) collect, use, share, and retain your personal information. It applies to personal information collected through our website ( www.wenhamcarter.com ), recruitment services, communications (e.g., emails, calls), and offline interactions (collectively, “Services”).
“Personal Information” means information that identifies you as an individual or relates to an identifiable individual. If you do not provide required information, we may not be able to provide the Services. We will note which information is required at the time of collection.
For California residents, this Policy also serves as our CCPA Privacy Policy, detailing your rights under the California Consumer Privacy Act (CCPA), as amended. We do not sell or share personal information as defined under CCPA.
Who We Are
Wenham Carter is a niche executive search firm specializing in the global technology sector, serving industries such as Automotive, Financial Services, Technology, and Telecommunications. We provide tailored executive search, interim management, and consulting services to connect clients with senior-level and highly specialized talent, leveraging our industry expertise and global network. Committed to diversity, equity, and inclusion, we operate across the UK, EEA, North America, and beyond, with entities including:
- Wenham Carter Limited, registered in England under company number 04990020, with its registered office at 96a Coleridge Street, Hove, BN3 5AA, UK. Registered with the UK ICO under Z1703696.
- Wenham Carter Consulting Limited, registered in England under company number 07905696, with its registered office at 96a Coleridge Street, Hove, BN3 5AA, UK. Registered with the UK ICO under ZA312607.
- Wenham Carter Consulting Limited (Netherlands Branch), registered in the Netherlands under chamber of commerce number 91072336, with its office at Poortland 66, 1046BD Amsterdam, Netherlands. Acts as a data processor for payroll services under instructions from Wenham Carter Consulting Limited.
- Wenham Carter Consulting Inc, a corporation registered in the state of New York, with its office at 1 Dock 72 Way, Brooklyn, NY, USA. Acts as a data controller for U.S.-based recruitment services, compliant with the SHIELD Act and with CCPA for California data processed for recruitment services.
- Wenham Carter Consulting Sp. z o.o., registered in Poland under KRS 0001185061, with its office at ul. Bartycka 22B office 21A, 00-716 Warsaw, Poland. Acts as a data processor and controller for consulting services, compliant with GDPR and Polish law.
Each entity is a data controller unless stated otherwise. Group companies share CRM and IT systems, including Salesforce, under data-sharing agreements to ensure GDPR-compliant safeguards. Wenham Carter Consulting Limited controls data processed by its Netherlands branch.
Our Services
We provide executive search, interim management, and consulting services globally, including in the UK, EEA, North America, Asia Pacific, South America, and EMEA, for senior-level and specialized roles in industries such as Automotive, Financial Services, Technology, and Telecommunications. In the UK, we operate as an “employment agency” for permanent/fixed-term placements and an “employment business” for temporary/contract roles under the Conduct of Employment Agencies and Employment Businesses Regulations (2003). Our New York entity extends these services locally, ensuring compliance with regional laws. Our Polish entity extends consulting services locally, ensuring compliance with regional laws.
How We Use Your Personal Information
We collect and process personal information for legitimate business purposes, as detailed below. We act as a data controller for recruitment services unless processing data on behalf of clients (e.g., as a processor for client-directed placements).
Candidates and Contract Resources
| Purpose | Examples of Processing Activities | Personal Information Categories | Legal Basis | Third Party Sources | Who Has Access | Categories Collected in Last 12 Months | Business Purposes | Sold/Shared? | Retention |
|---|---|---|---|---|---|---|---|---|---|
| Recruitment Services | Matching you with permanent, fixed-term, or temporary/contract roles; assessing suitability; maintaining your data in our Salesforce CRM; contacting you about opportunities; administering contract assignments. | Name & Contact Details, Professional Information, Suitability Data, Contract Data, Telephone Call Recordings | Consent (GDPR Art. 6(1)(a)) for sharing with employers; Legitimate interests (Art. 6(1)(f)) for managing candidate relationships; Contract performance (Art. 6(1)(b)) for assignments. | Job boards, referees, public sources (e.g., LinkedIn), lead enrichment tools (e.g., Lusha, RocketReach), third-party introductions. | Prospective employers (after discussion and consent regarding specific companies or industry markets), group entities, Salesforce, background check providers. | Identifiers (e.g., name, email, phone), Professional/Employment-Related Information (e.g., CV, qualifications), Sensitive Personal Information (e.g., health data with consent). | To provide recruitment services, match candidates to roles, and administer placements. | No | Up to 5 years post-last interaction or as required by law. |
| Candidate Outreach | Identifying potential candidates for roles in industries like Automotive or Financial Services; contacting you for opportunities or referrals. | Name & Contact Details, Professional Information, Social Media Information | Legitimate interests (Art. 6(1)(f)) for outreach; Consent (Art. 6(1)(a)) for follow-up communications. | Public sources (e.g., LinkedIn), third-party introductions. | Group entities, Salesforce. | Identifiers (e.g., name, email), Professional/Employment-Related Information (e.g., LinkedIn profile). | To identify and contact potential candidates for opportunities. | No | Up to 5 years post-last interaction or as required by law. |
| Customer Service | Responding to inquiries, requests, or complaints about our Services (e.g., via email, calls). | Name & Contact Details, Relationship History, Preferences, Telephone Call Recordings | Legitimate interests (Art. 6(1)(f)) for responding to inquiries; Legal obligations (Art. 6(1)(c)) for data subject requests. | None | Group entities, Salesforce. | Identifiers (e.g., name, email), Customer Records (e.g., inquiries). | To handle customer service requests and improve services. | No | Up to 5 years post-last interaction or as required by law. |
| Marketing | Sending promotional materials about our Services (e.g., newsletters, job alerts) via email or calls. | Name & Contact Details, Preferences, Marketing Data | Consent (Art. 6(1)(a)) for marketing; Legitimate interests (Art. 6(1)(f)) for existing candidates. | Public sources, marketing providers. | Marketing providers, group entities, Salesforce. | Identifiers (e.g., name, email), Commercial Information (e.g., preferences). | To promote services and send relevant updates. | No | Up to 5 years post-last interaction or as required by law. |
Client Contacts
| Purpose | Examples of Processing Activities | Personal Information Categories | Legal Basis | Third Party Sources | Who Has Access | Categories Collected in Last 12 Months | Business Purposes | Sold/Shared? | Retention |
|---|---|---|---|---|---|---|---|---|---|
| Client Relationship Management | Communicating about recruitment services, matching candidates to vacancies, managing contracts or placements. | Name & Contact Details, Business Contact Details, Relationship History | Legitimate interests (GDPR Art. 6(1)(f)) for client management; Contract performance (Art. 6(1)(b)) for agreements. | Client organizations, public sources (e.g., LinkedIn), lead enrichment tools (e.g., Lusha, RocketReach) | Group entities, Salesforce. | Identifiers (e.g., name, email), Professional/Employment-Related Information (e.g., business contacts). | To manage client relationships and provide services. | No | Up to 5 years post-last interaction or as required by law. |
| Marketing | Sending promotional materials about our Services (e.g., newsletters). | Name & Contact Details, Business Contact Details, Preferences, Marketing Data | Consent (Art. 6(1)(a)) for marketing; Legitimate interests (Art. 6(1)(f)) for existing clients. | Public sources, marketing providers. | Marketing providers, group entities, Salesforce. | Identifiers (e.g., name, email), Commercial Information (e.g., preferences). | To promote services to clients. | No | Up to 5 years post-last interaction or as required by law. |
Other Data Subjects (Suppliers, Referees, Emergency Contacts, Referred Contacts)
| Purpose | Examples of Processing Activities | Personal Information Categories | Legal Basis | Third Party Sources | Who Has Access | Categories Collected in Last 12 Months | Business Purposes | Sold/Shared? | Retention |
|---|---|---|---|---|---|---|---|---|---|
| Supplier Management | Managing supplier relationships for business/support services. | Name & Contact Details, Business Contact Details | Contract performance (GDPR Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)). | Supplier organizations. | Group entities, Salesforce. | Identifiers (e.g., name, email), Professional/Employment-Related Information. | To manage supplier contracts. | No | Up to 5 years post-last interaction or as required by law. |
| Reference Checks | Verifying candidate suitability via referees. | Name & Contact Details, Professional Information | Legitimate interests (Art. 6(1)(f)) for checks; Consent (Art. 6(1)(a)) if provided by candidate. | Candidates. | Group entities, prospective employers, Salesforce. | Identifiers (e.g., name, email), Professional/Employment-Related Information. | To verify candidate references. | No | Up to 5 years post-last interaction or as required by law. |
| Emergency Contact | Contacting next of kin in emergencies. | Name & Contact Details | Vital interests (GDPR Art. 6(1)(d)); Consent (Art. 6(1)(a)). | Candidates. | Group entities, emergency services. | Identifiers (e.g., name, phone). | To handle emergencies. | No | Up to 5 years post-last interaction or as required by law. |
| Referred Contacts | Contacting individuals referred for roles or services. | Name & Contact Details, Professional Information | Legitimate interests (Art. 6(1)(f)) for outreach; Consent (Art. 6(1)(a)) for follow-up. | Candidates, clients, third parties. | Group entities, Salesforce. | Identifiers (e.g., name, email), Professional/Employment-Related Information. | To follow up on referrals. | No | Up to 5 years post-last interaction or as required by law. |
Other Purposes
| Purpose | Examples of Processing Activities | Personal Information Categories | Legal Basis | Third Party Sources | Who Has Access | Categories Collected in Last 12 Months | Business Purposes | Sold/Shared? | Retention |
|---|---|---|---|---|---|---|---|---|---|
| Security and Fraud Prevention | Auditing systems, preventing fraud, ensuring on-site security (e.g., CCTV). | Name & Contact Details, Device Information, CCTV Data | Legal obligations (GDPR Art. 6(1)(c)) for security; Legitimate interests (Art. 6(1)(f)) for fraud prevention. | None | Group entities, security providers, Salesforce (for system audits). | Identifiers (e.g., name), Internet Activity (e.g., device info). | To maintain security and prevent fraud. | No | Up to 5 years post-last interaction or as required by law. |
| Legal Compliance | Complying with legal processes, responding to authorities, defending claims. | As relevant (e.g., Name & Contact Details, Transaction Information) | Legal obligations (GDPR Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) for claims. | Authorities, legal advisors. | Authorities, legal advisors, group entities, Salesforce (for compliance records). | As relevant (e.g., identifiers, customer records). | To comply with laws and defend claims. | No | Up to 5 years post-last interaction or as required by law. |
| Business Operations | System maintenance, employee training, facilitating mergers/acquisitions. | As relevant (e.g., Name & Contact Details, Device Information) | Legitimate interests (GDPR Art. 6(1)(f)). | Third parties (e.g., for mergers). | Group entities, Salesforce, other service providers. | As relevant (e.g., identifiers, internet activity). | To operate and improve business. | No | Up to 5 years post-last interaction or as required by law. |
We recognize opt-out preference signals (e.g., Global Privacy Control) sent from your browser or device. If sent, we treat it as a request to opt-out of sale/sharing.
Personal Information Categories
- From You: Name & Contact Details (name, email, phone, address, date of birth, gender), Professional Information (CV, qualifications, employment history), Suitability Data (skills, interests, references, health data with consent), Contract Data (payroll, tax, bank details), Preferences (communication preferences), Relationship History (communications, inquiries), Telephone Call Recordings.
- From Other Sources: Social Media Information (e.g., LinkedIn profiles), Background Information (employment/education verification), Candidate Introduction Information (from third parties), Public Record Information (e.g., business registries).
Sensitive Information
We do not request sensitive personal information (e.g., health, ethnicity, religion, criminal records) unless necessary for role suitability (e.g., health for specific roles) and only with your explicit consent. Please do not provide sensitive information unless requested. We do not process neural data or knowingly collect personal information from minors under 16. For sensitive personal information (e.g., health data for role suitability), we limit use to what’s necessary and obtain explicit consent. California residents may request to limit use of sensitive information.
Disclosure of Personal Information
We may share personal information within our Group to provide seamless Services, using data-sharing agreements or safeguards like the EU-US Data Privacy Framework (DPF, upheld September 2025) or SCCs for transfers to New York or Poland. We also share with:
- Prospective employers (candidates, with consent).
- Third-party service providers, including Salesforce (our CRM provider), background check providers, and payroll services.
- Authorities or legal advisors for compliance or claims.
- Third parties in mergers/acquisitions, with notification per applicable law.
We never sell your personal information. We do not sell or share your personal information for cross-context behavioral advertising. Sharing with clients in recruitment is for service provision, not a ‘sale’ under CCPA. If we meet the criteria for a data broker under California law (e.g., SB 361), we will register accordingly and provide additional disclosures here; currently, we do not believe we qualify as we do not sell personal information.
Jurisdiction and Cross-Border Transfers
Your personal information may be stored/processed where we have facilities or engage service providers, including Salesforce. Transfers outside the EEA/UK (e.g., to New York, Salesforce servers) use safeguards like the EU-US DPF, SCCs, or your explicit consent, ensuring compliance with GDPR, UK DPA, and Polish law. Contact us for a list of destination countries.
Security
We use reasonable organizational, technical, and administrative measures to protect personal information, including data stored in Salesforce. If you believe your data is no longer secure, contact us immediately at datacomplianceofficer@wenhamcarter.com.
In the event of a data breach, we will notify affected California residents promptly, in compliance with CCPA requirements.
Retention Period
We retain personal information for up to 5 years to support senior executive recruitment, where cycles and relationships often span several years, or longer if required by law (e.g., New York SHIELD Act breach logs, UK tax records for 6 years). Criteria include:
- Duration of our relationship or service provision.
- Legitimate needs (e.g., record-keeping, analysis).
- Legal obligations (e.g., tax, compliance).
- Advisability for legal position (e.g., claims, investigations).
- You may request erasure sooner (see “Your Rights”). We may de-identify/aggregate data for research, which is no longer personal information.
Cookies and Other Information
We use cookies and similar technologies to enhance your experience on our website. We collect non-identifying information (e.g., usage data, aggregated statistics) and treat it as personal information if combined with identifying data.
Third-Party Services
This policy does not cover third-party websites or services linked from our Services (e.g., LinkedIn, Salesforce). Review their privacy policies, as we are not responsible for their practices.
Use of Services by Minors
Our Services are not directed to individuals under 16. We do not knowingly collect their personal information.
Your Rights
Under GDPR, UK DPA, and applicable laws, you have the right to:
- Access : Request a copy of your data.
- Rectification : Correct inaccurate data.
- Erasure : Request deletion of unnecessary data.
- Restriction : Limit processing in certain cases.
- Objection : Object to processing (e.g., marketing, AI-assisted screening).
- Data Portability : Receive your data in a structured format.
- Withdraw Consent : Where processing relies on consent.
- Human Review : Request review of AI-assisted decisions.
For New York residents, you may request breach notifications under the SHIELD Act. To exercise rights, email datacomplianceofficer@wenhamcarter.com, including relevant email addresses and Services used. We may verify your identity (e.g., via email control). Authorized agents may submit requests with proof of authorization. We respond within one month (extendable for complex requests). We may decline requests that risk others’ privacy or our intellectual property.
How to Complain
Contact our Data Protection Officer at datacomplianceofficer@wenhamcarter.com. You may also lodge complaints with:
- UK: Information Commissioner’s Office (www.ico.org.uk).
- Poland: Personal Data Protection Office (UODO, www.uodo.gov.pl).
- New York: No direct authority.
Updates to This Policy
We review this policy annually or upon material legal changes (last: September 2025). Updates will be posted on www.wenhamcarter.com.
Additional Information for New York Residents
Under the New York SHIELD Act (amended March 2025), we protect private information (e.g., health, financial data) and provide breach notifications if required. To request notifications or exercise rights, contact datacomplianceofficer@wenhamcarter.com.
Additional Information for California Residents
Under CCPA, you have rights to: (1) Know categories/sources of personal info collected, purposes, and if sold/shared; (2) Delete; (3) Correct inaccurate info; (4) Opt-out of sale/share; (5) Limit sensitive info use; (6) Non-discrimination. Exercise via email (datacomplianceofficer@wenhamcarter.com). We respond within 45 days (extendable to 90).
Additional Information for Polish Residents
Per the Polish Personal Data Protection Act and GDPR, we provide transparency on data processing. Contact datacomplianceofficer@wenhamcarter.com for inquiries or to exercise rights. Complaints can be lodged with UODO (www.uodo.gov.pl).
Additional Information for UK Residents
We comply with the UK Data Protection Act 2018 and UK GDPR. Contact our DPO at datacomplianceofficer@wenhamcarter.com or lodge complaints with the ICO (www.ico.org.uk).
Contacting Us
For questions, contact our Data Protection Officer at datacomplianceofficer@wenhamcarter.com or call +44 1273 648040. Do not include sensitive information in emails.