HeadCon Management - Privacy Policy

This policy explains how we process personal data within our global businesses delivering search,
consulting and assessment services, including how it affects our websites: www.headcon.management.
HeadCon Management is committed to keeping your information secure and managing it in accordance
with our legal responsibilities, under the privacy and data protection laws applicable wherever we
operate in the world, as well as the General Data Protection Regulation (Regulation (EC) 2016/679)
(“GDPR”) in the European Union (“EU”).
We keep this Privacy Policy under regular review and update it from time to time.

Who this policy applies to
We provide executive search, assessment and leadership services (“our services”) to a range of
clients throughout the world. This policy applies to you whether you are a candidate for one of our
clients, an individual we are assessing as an employee of one of our clients, a client or whether
you are a source or a referee in respect of a candidate or an employee of one of our clients.
For the purposes of this policy:
candidate(s) means an individual who is a candidate, applicant, potential candidate, employee of a
client(s) means any business, firm, organisation, government body or individual that mandates us
to perform any of our services;
referee is a person who provides a personal or work reference in respect of a candidate; and
source is a person who provides us with information or intelligence about a candidate.

Gathering information
Our clients expect that we identify the best individuals to fill roles within their organisations.
So, we need to research systems, online databases and other information sources, and talk to many
individuals. Besides our clients, these will include referees and sources to help inform our
decision-making process.
The nature of our work means we are required to process personal data quickly, confidentially and
often without reference to the data subject. Accordingly, we process such data in accordance with
the Data Protection Laws, regularly using our legitimate interest where it is not possible or
feasible to speak directly with the data subject. Beyond this, we will seek consent in the
circumstances explained later in this policy document.
We collect information from candidates directly when you send this to us via email or post. We also
collect information from you when you speak with us.

How we use your personal data
We use the personal data we collect from you for a number of purposes:

• Processing job applications, in partnership with our clients, on whose behalf we are instructed to
help fill a job vacancy. This means that if you apply for a specific job, we may pass your details
to the relevant client to proceed with the n. As a
result, you may receive further direct correspondence from them.

• Searching for relevant candidates for confidential recruitment assignments where our client
is not initially named. This means that if we believe you are suitable for a specific role, we may
pass your basic details on to the relevant client. If that client agrees that you might be
suitable, we will then discuss this with you in more detail. You might be interviewed for the role
by one of our consultants. If successful, you might be shortlisted for interview by our client. At
this point, we will pass further details to the client and you may receive further direct
correspondence from them.

• From time to time, we conduct mapping or research exercises on behalf of our clients. This is
to enable them to understand a particular market. Here, we may include certain aspects of your
personal data. You will not be contacted by any third party about this unless we first obtain your

• For the performance of a contract we have concluded with you as an individual, most likely
an assessment or coaching programme.

• For equality monitoring purposes, to understand the diversity of our applicant pool, but only
if admissible under the applicable law. (This information is anonymised and aggregated.)

• Improving the services we offer. For example, you may be asked to complete one of our online
satisfaction surveys.

• For marketing purposes to send you information on our services, white papers, newsletters,
events and so forth. Please note you may opt out from receipt of marketing materials at any time by
writing to us.
We will only use your information in accordance with this Policy, or where we are required or
authorised by law to disclose your information to others, or where we have your permission to do so.
Please be aware that we are not responsible for the data processing activities of others, such as
our clients.
We will use client data to perform our services to you and other legitimate business purposes such
as marketing.
Source and Referee
We will use source and referee data to perform our services, in particular to enable us to obtain
your opinions on a candidate.
We may also use this information to enable us to market our services to you as a potential client.
We may also invite you to become a candidate in respect of the provision of our services.

The type of personal data we collect and process
In all cases we collect and process personal data about you, including your name, address,
telephone number and email address.
Candidate database
As a basis, we will seek specific consent when processing Personal Data as part of our work with
Executive Recruitment and Assessment and Leadership Services, in accordance with the GDPR article
6(1)(a). We will therefore not collect Personal Data from you unless you have specifically agreed
to us doing so through a GDPR compliant consent form when you sign up to be part of our candidate
database for executive search, CEO succession, board of directors, interim appointment, etc.
Consent is collected, for example, via a physical consent form or via an electronic tick-box on
our website or another electronic channel.

We might also collect personal data from third-party databases and other public sources. Our legal
basis for this is our legitimate interest according to GDPR article 6(1)(f) by potentially matching
you with a suitable position.
Candidate to a specific position
If you proceed with a job application, or should we consult you about a role, you may be required
to submit additional personal data. For example, date of birth, education and career history and
curriculum vitae (CV), or resume. Your CV or resume may contain employment history, education,
professional qualifications, memberships, details of papers written, amongst other things. For such
processing HeadCon will be the data processor on behalf of our client. If we collect references and
referees we will – on behalf of our client – collect your explicit consent according to the GDPR
art. 6(1)(a).
Based on your explicit consent (according to the GDPR art. 6(1)(a) and art. 9(2)(a)), we will also
process any relevant psychometric assessments, psychological tests, or results from such
assessments or tests.
As well as basic contact information we will also collect information about your role and other
information provided to us by your organisation.
Source and Referee
As well as basic contact information we will also collect information regarding your credentials as
a source, details of your professional relationship / knowledge of a candidate and your opinions of
that individual. We may obtain this information directly from you or from publicly available
information. Prior to such processing we have collected explicit consent – on behalf of our client
– from the data subject in question and will present you with this.

What we do
For certain roles, we may run an advertisement to which you may respond, either electronically or
via mail. Other roles may involve one of our researchers or consultants calling you to discuss the
details. Then, we will either inform you verbally that we will process your personal data or send
you a Data Privacy Notice. Both will direct you to this Privacy Policy.
Besides filling particular leadership vacancies, we also process personal data when we conduct
market intelligence exercises to map out particular business sectors or functions to help clients
understand the available talent.

Sensitive data
From time to time, we will seek your consent – on behalf of our client – in accordance with the
GDPR article 9(2)(a) to process personal data in respect of certain specific and limited purposes.
We will always do this before processing any sensitive personal data. We encourage you not to
provide us with sensitive personal data, unless it is specifically requested, and we have your

Local agreements
We may also provide services to our clients in Denmark that entail the assessment and coaching of
their employees. Here, depending on the specific assignment, we will either process your personal
data to meet the legitimate interests pursued by the client, or act on their behalf, in accordance
with their instructions. If our services include any psychometric assessments or psychological
tests, and we’re not acting on behalf of your employer, we will – on behalf of our client – obtain
your explicit consent in accordance with the GDPR article 6(1)(a) and article 9(2)(a).
In Denmark, we provide services to individuals, such as assessment and coaching. Here, we will
process personal data for the performance of the contract with you. If our services
include any psychometric assessments or psychological tests, we will obtain your specific consent
in accordance with the GDPR article 6(1)(a) and article 9(2)(a).

Your right to object and to have your data erased
You are not obliged to provide any personal data to us. However, please note that this may mean we
will not be able to consider you in respect of some of our services.
Remember, you may withdraw any consent you have previously given, at any time. Also, you have the
right to ask us to stop processing any personal data and to have it erased.
In these circumstances, we reserve the right to maintain basic personal data such as your name and
address. This is to ensure your personal data isn’t processed by us in the future.
Please note that no automated decisions, such as computerised candidate profiling, are made on the
basis of the information we collect.

Satisfaction surveys
If you take part in a user satisfaction survey, we may ask you to provide us with personal data,
including your name, email address, and your views and opinions. In this regard our processing will
be based on your explicit consent in accordance with the GDPR article 6(1)(a).

Providing information to others
To help us run this website, and to provide executive search services or assessment services in
Denmark, we work closely with trusted partners with whom we need to share personal data. These
partners include:
• Our clients, for whom we provide executive search services.

• Our clients, for whom we provide assessment and coaching of their employees in Denmark.

• Prospective clients, where we might need to demonstrate an understanding of a particular
market and the individuals that work within it.
We will share information only as anticipated within this Privacy Policy and, wherever appropriate,
limit disclosure to information in aggregated form, to avoid or limit identifying you personally.
Where we share information with such a third party, you will not be contacted by them, unless we
have obtained your prior consent.

Third parties
We may also provide information to third party service providers who process information on our
behalf. This is to help run some of our internal business operations, including email distribution,
IT services and customer services. As part of our agreements with them, these third parties are
required to process such data securely and only in accordance with our instructions.
Your information may also be shared with organisations located elsewhere in the world. As their
privacy laws may not match your home country’s standards, we’ll only transfer data if
adequate levels of protection are in place to protect any information held in that country, or the
local service provider complies with applicable privacy laws at all times.
Where required by law, we will take measures to ensure that personal data handled in other
countries will receive at least the same level of protection as in your home country.
We may sometimes be required to disclose information about you to law enforcement bodies, agencies
or third parties, under a legal requirement or court order. We will act

responsib r interests when
responding to these
If you are concerned about these arrangements to disclose or share personal data with third
parties, you should contact us and ask us not to process your personal data.

Third countries
If your personal data is transferred to data controllers or data processors which are located in
countries outside the EU/EEA, including group entities, not ensuring an adequate level of data
protection, such transfer will be safeguarded by the EU Commission’s standard contractual clauses.

Keeping information secure
We invest significant resources to protect your personal data from loss, misuse, unauthorised
access, modification or disclosure. However, no system can be 100% secure, and so we cannot be held
responsible for unauthorised or unintended access that is beyond our reasonable control.

Information about others
If you provide us with information about other individuals, like details of a referee or personal
contact, you must ensure they’ve agreed to this. We would advise you to keep a record of their
agreement and provide them with a copy of, or link to, this Privacy Policy.

Keeping your records
We keep your personal data for as long as required to provide our services, and in accordance with
legal, tax and accounting requirements. Where your personal data is no longer required, we will
ensure it is disposed of in a secure manner. Where required by law, we will notify you when this
has happened.

Access rights
In Denmark, you may have the right to request copies of your personal data held by us. If you think
any of that data is inaccurate, you may also ask us to correct it. You may also have a right, in
certain circumstances, to require us to stop processing your personal data. Also, you have the
right to ask us to transfer your personal data to someone you nominate for your own purposes.
To get in touch with us about any of this, please email or write to us at the company address.
Please note that we may request proof of identity. We will respond to your requests within the time
frame that applies in the country concerned.
In certain circumstances, where it is required or permitted by law, we might not be able to provide
you with access to some of your personal data. Wherever possible, we will notify you of the reasons
for this.

Complaints procedure
If you have a complaint about how we have handled your personal data, contact us using the details
below, and we will investigate your complaint. Please use the same contact details to instruct us
to cease processing your personal data. You may also file your complaints with the Danish Data
Protection Agency (in Danish “Datatilsynet”), Borgergade 28, 5, 1300 København K, phone no. 33 19
32 00, e-mail dt@datatilsynet.dk.

Contacting us
If you have any questions about this Privacy Policy or your
with respect to your personal data, please contact us.