Privacy Policy

Who is Investigo Limited and what do we do?

Investigo Limited is part of The IN Group and is a leading global recruitment agency with experience across multiple specialisms. Investigo Limited provides permanent, temporary, consultancy and interim recruitment services to clients seeking to recruit professional staff across a range of specialist areas. Investigo recruits and employs its own teams of professional recruitment consultants to provide Investigo’s recruitment services as well as other professional and administrative staff to support, advise and structure such services. We operate under different brand names e.g., Investigo, Caraffi, Definia and InX

Our legal entities are listed below:

United Kingdom – Investigo Limited, Caraffi Ltd – 10 Bishops Square, London, England, E1 6EG.

United States – Investigo LLC – 77 Water Street, 24th Floor, NY 10005, United States

Netherlands – Investigo Europe B.V. – 10 Bishops Square, London, England, E1 6EG

We are a data controller as we determine the purposes and means of processing your personal data.

  • ​Investigo Limited is registered with the Information Commissioner’s Office (certificate no: Z8867460)

Who controls your personal data?

  • The Data Controller is Investigo Limited (Investigo) a company registered in the UK: Company Number 04803377

  • Address: Investigo Ltd, 10 Bishops Square, London, E1 6EG

  • The Data Controller’s data protection representative is the Head of Compliance 

  • You can contact them at gdpr@weareinx.com

  • You can call them on +31 20 809 0266

  • Investigo is registered as a Data Controller with the Information Commissioner’s Office Certificate Number Z8867460

  • Any reference to our Group means our subsidiaries, our ultimate holding company and its subsidiaries, our associated companies as defined in section 1159 of the UK Companies Act 2006 (our Group)

Does this Privacy Notice apply to you?

This Privacy Notice applies to you if you are a representative of any of our (prospective) clients or suppliers. It also relates to you if you have provided a reference for one of our candidates.

​What legislation applies?

We have issued this Privacy Notice in accordance with the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and any associated legislation e.g., the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. In this Privacy Notice, any references to GDPR also relate to associated legislation. The relevant legislation may be updated from time to time.

What does this Privacy Notice cover?

Your personal data is data that can identify you as a living individual. Investigo is committed to respecting your right to privacy. As such, this Privacy Notice covers the following topics:

  1. What are the types of personal data that we collect about you?

  2. How do we collect and use your personal data?

  3. How long do we keep your personal data for?

  4. Why do we process your personal data?

  5. Will we use your personal data for automated processing?

  6. What legal bases do we have for processing your personal data?

  7. Will you be receiving marketing emails, and can you opt out of these?

  8. Do we transfer your personal data outside the EEA?

  9. What are your rights?

  10. Is your personal data safely secured?

  11. What do you need to do if you want to file a complaint?

  12. What happens if we make changes to this Privacy Notice?

1. What are the types of personal data that we collect about you?

In order to provide recruitment services to our clients and business representatives we usually process the following data about you: ​

  • Full name

  • Job title

  • LinkedIn profile

  • Email address

  • (Mobile) Telephone number

  • Company details (location, department)

2. How do we collect and use your personal data?

The following include the different sources from which we may collect your Personal Data:

  • Directly from you

For example:

  • the information you provide after us if we contacted you/ your organisation

  • the information provided to us during the different stages of the recruitment process.

  • From an agent/third party acting on your behalf.

For example:

  • a candidate

  • Through (publicly) available sources.

For example:

  • LinkedIn

  • Cognism

  • Job Boards

  • CV databases

  • your organisation’s website

By reference or word of mouth.

For Example:

  • you may be recommended by a friend, a former employer, a former colleague or even a present employer.

If you want to know how we acquired your details, please speak to your recruitment consultant or email GDPR@weareinx.com.

3. How long do we keep your personal data for?

We hold your data on file for as long as the business relationship endures, and your details remain relevant to that business relationship. We would keep your personal data for a maximum of 2 years after our last contact with you. If no meaningful contact has been made with you for a 2-year period, we will delete your data from our systems unless we are under a legal obligation to keep your data for a longer period of time.

Examples of “meaningful contact” includes (but is not necessarily limited to):

  • When we obtain your details via a third-party company (such as a CV database), meaningful contact is defined as any verbal or written communication between us and yourself;

  • If there is two-way communication via verbal or written communication or through any of our marketing communications, we will also consider this to be meaningful contact.

As outlined above, please note that there can be other legal reasons that can restrict us from deleting your personal data. See two (non-exhaustive) examples below:

  • Investigo has entered into a transaction with your business and therefore needs to keep records on file in accordance with the relevant statutory notice period.

  • Also, under the Conduct of Employment Agencies and Employment Businesses Regulations 2003, we must retain evidence of an introduction or supply for at least one year from the last activity e.g. interview, introduction or engagement.

We may also be under a duty to disclose or share or retain your personal data in order to comply with any legal obligation, to defend our business against a legal claim, to enforce or apply our standard terms of business or other agreements or to protect the rights, property or safety of Investigo, our customers or other parties.

4. Why do we process your personal data?

Our legal basis for the processing of personal data is our legitimate business interests, described in more detail below, although we will also rely on contract, legal obligation and consent for specific uses of data.

We will rely on contract if we are negotiating or have entered into a placement agreement with your organisation or any other contract to provide services to or receive services from your organisation.
 
We will rely on legal obligation if we are legally required to hold information on to you to fulfil our legal obligations.
 
We will in some circumstances rely on consent for particular uses of your data and you will be asked for your express consent, if legally required. 

We retain records of our dealings and transactions with you and where applicable, we use such records for the purposes of:

  • establishing compliance with contractual or legal obligations;

  • business development;

  • addressing any query or dispute that may arise (including establishing, exercising or defending any legal claims);

  • protecting our reputation;

  • maintaining a backup of our systems, with the purpose of being able to restore them to a particular point in the event of a system failure or security breach;

  • evaluating quality and compliance (including compliance with this Privacy Notice);

  • providing you with networking opportunities, market insights and industry information.

​5. Will we use your personal data for automated processing?

We will not conduct any forms of automated processing of your personal data consisting of the use of personal data to evaluate certain personal aspects relating to you.

We will not analyse or predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Furthermore, we will not make decisions that are based solely on automated processing which produces legal effects or similarly significantly affects your rights.

6. What legal bases do we have for processing your personal data?

If we process your personal data, we mostly rely on the following legal bases:

  • Legitimate interest – Adding your details to our database and contacting you from time to time to discuss current business affairs and potential opportunities for your business Sending emails for marketing purposes (to existing clients)

  • Contract – Signing an agreement with you or, if you are a client contact, your organisation.

  • Legal obligation – Under the Conduct of Employment Agencies and Employment Businesses Regulations 2003, we must retain evidence of the provision of our services to you, for example of an introduction or supply for at least one year from the last activity e.g., interview, introduction or engagement.

  • Consent – Sending emails for marketing purposes (prospective clients)

​The legal basis on which we usually rely for processing your information will be our legitimate interests. We have carried out a Legitimate Interest Assessment which is available upon request. As part of this Legitimate Interest Assessment (‘LIA’), a “balancing test” is carried out to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests. We maintain a record of these balancing tests and may request a copy of the LIA by contacting GDPR@tig.com

7. Will you be receiving marketing emails, and can you opt out of these?

If you are a representative working for one of our new clients, we would ask for your consent if we were intending to send you marketing related emails.

If you are a representative who works for one of our existing clients, then we may market relevant products and services to you unless you inform us of your wish to opt out (which you are entitled to do at any stage).

​8. Do we transfer your personal data outside the EEA?

As our servers are based in the United Kingdom, your personal data is shared, stored and processed outside the European Economic Area (EEA).

We will however only transfer your data outside the EEA to countries which the European Commission believes offer an adequate level of protection to you or where appropriate safeguards have been put in place to preserve the privacy of your data. If you need to see a copy of the relevant Standard Contractual Clauses signed by our UK and US office, please contact GDPR@tig.com.

9. What are your rights?

By law, you have a number of rights when it comes to your Personal Data. These rights can be summarised as follows: right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling. For more information see below. Further information and advice about your rights can be obtained from the Information Commissioner’s Office. https://ico.org.uk/.

You are entitled to lodge a so-called Subject Access Request (‘SAR’). The type of SARs are outlined below:

What rights do you have in relation to the data we hold on you?​

  1. The right to be informed – You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this Privacy Notice.

  2. The right of access – You have the right to obtain access to your information (if we are processing it), and certain other information (similar to that provided in this Privacy Notice). If you would like to make a request for information, please contact GDPR@tig.com. This is so you are aware and can check that we are using your information in accordance with the GDPR.

  3. The right to rectification – You are entitled to have your information corrected if it is inaccurate or incomplete.

  4. The right to erasure – This is also known as ‘the right to be forgotten’ and in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.

  5. The right to restrict processing – You have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but cannot use it further. We keep encrypted lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.

  6. The right to data portability – You have the right to obtain and reuse your personal data for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT system and theirs safely and securely, without affecting its usability.

  7. The right to object to processing – You have the right to object to certain types of processing, including processing for direct marketing (e.g. if you no longer want to be contacted regarding potential opportunities).

  8. The right to lodge a complaint – You have the right to lodge a complaint about the way we handle or process your personal data with the ICO https://ico.org.uk.

  9. The right to withdraw consent – If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.

We will respond any request within 1 month (this can be extended to 2 months in exceptional circumstances). However, where requests are manifestly unfounded or excessive in particular because of its repetitive character, we may refuse to act upon your request. If this happens then we will inform you within one month of about the possibility of lodging a complaint with a supervisory authority (in the UK this will be the ICO: www.ICO.org.uk) or seeking a judicial remedy.

The fact that you lodge a SAR does not necessarily mean that we will grant your request in every instance especially if we have good reasons to retain your personal data. We will always give reasons if we decline your request.

Please note that should we receive any requests from you to erase personal data or stop processing your information, we may retain a record of such requests as well as the actions taken by us. This will serve as both evidence of our compliance to your request as well as enable us to take steps to curtail any future processing of your data should it be received again from a third-party source.

10. Is your personal data safely secured?

We take all reasonable steps to ensure that your personal data is adequately secured. We’re delighted to have been awarded ISO 27001 certification for the quality of our information security, following an independent audit by certification body QMS International.

ISO 27001 is an international standard laying out the specifications for implementing an information security management system. Certification demonstrates that our organisation has invested in the people, processes, and technology to protect our data and provides an independent, expert assessment of whether our data is sufficiently protected. We use market suppliers such as Bullhorn, Microsoft market, Broadbean, Cube 19 and ETZ all of which are leading and up-to-date technologies.

11. What do you need to do if you want to file a complaint?

If you are based in the UK and are unhappy about any aspect of the way in which your Personal Data is processed by us, in the first instance please contact us at GDPR@tig.com. This does not affect your right to make a complaint to the Information Commissioner’s Office https://ico.org.uk.

If you are based in the EU and are unhappy about any aspect of the way in which your Personal Data is processed by us, in the first instance please contact us at GDPR@tig.com or call:

David Korthals-Clarke, Head of Compliance | +31 20 809 0266

12. What happens if we make changes to this Privacy Notice ?

It is important to note that we may amend this Privacy Notice from time to time. Please visit this page if you want to stay up to date as we will post any changes here.

Last updated: November 2022