Privacy Policy

Conga Group Ltd is an ethical business with transparency and accountability at our core. We are fully committed to protecting your privacy and handling your personal information in accordance with the General Data Protection Regulation (GDPR) (25 May 2018). This notice explains how Conga Group Ltd uses and protects any information that we receive and hold about you and is designed to ensure you are aware of our procedures and practices and your rights in relation to your personal data.

The policy is effective as of May 2018.

Who are we?

Conga Group Ltd. is a company registered in Scotland with registered number SC541394 and its registered office at 101 Rose Street, Rose Street South Lane, Edinburgh EH2 3JG. We provide an excellent talent acquisition and executive search service for the technology industry and we require your personal data to provide this service. For the purposes of General Data Protection (Regulation (EU) 2016/679) (GDPR) and related data protection legislation we are defined as a data controller unless we advise otherwise.

We hold information about:
Candidates who are interested in job postings and recruitment services or who have found positions through ourselves;
Temporary workers or contractors who have been engaged on an assignment with us;
Personnel of clients with a need for recruitment services;
Other users of our website and/or services;
Our suppliers.

How can you contact us?

We have a Data Protection Officer (“DPO”), Mr Nicholas Winsey and we are registered with the Information Commissioner’s Office with the reference number ZA247085. If you have any questions about our privacy notice, our data protection policies or about the processing of your personal information please do not hesitate to contact us at [email protected]

You may also contact the Information Commissioner’s office should you have any concerns

Our commitment to you

All of the information we hold about you will only be used for the purpose of providing our services or for legal and/or regulatory compliance.

All of your personal information will be:
Collected for specified, explicit and legitimate purposes.
Processed lawfully, fairly and in a transparent manner.
Only collected as required for our lawful purposes.
Reviewed regularly.
Retained only for as long as required in accordance with our retention policy.
Processed securely and with integrity.

What personal data do we collect and process?

Conga Group’s main aim is to provide Talent Acquisition services and facilitate the recruitment process. We collect information about potential candidates and the personnel of clients. We use the information that we gather to fully understand your situation and needs; this allows us to provide an excellent, detail-oriented service. We also may use your information for internal record keeping and also to allow us to continue to improve our services. We do not request more information from you than is required for us to be able to provide these services.

There is no obligation for you to provide any information that we request but you should note that withholding certain information may affect our ability to assess your application or represent you.

Information we collect may include the following:
Identity information – name, address, gender, personal contact details, and if provided by you, photographs, images and video;
Employment details – information you supply to us on your CV, job title, description of job role, work contact details, details of technical skills and work history, i.e. previous roles; and
Background information – professional membership details, current situation and interests and preferences in a professional/personal sense from information provided by you.
Correspondence – Copies of correspondence both electronic or physical are recorded throughout the recruitment process. If you find a role through us
Application forms, references from previous employers and other information collected during the recruitment process.
Nationality and immigration status and right to work in the UK clearance and other immigration information where relevant.
Proof of identity and proof of residence information and information from related documents, such as your passport, a copy of your driving licence for business insurance.
If on temporary assignment contracted by us – National insurance (NI) number, tax code and other tax information and date of birth, timesheets and pay details including bank details for payment purposes.
Copies of complaints or grievances either from you or about you.

How do we collect the information?

There are a number of ways in which we may acquire your details:

We advertise vacancies on a range of job boards and social media which forward us your details via email. We always document who we are and which consultant you are sending your information to in our adverts.
We collect data from job boards, LinkedIn, and other websites from information you have provided to these services. If we have obtained information indirectly through this method we will will get in touch within 30 days to obtain your approval to process the data or store it. You always have the right to refuse and we will delete your information.
We may also collect information directly from you in response to a conversation or email with Conga Group.
We may also receive information from our clients or candidates throughout the recruitment process or after someone has begun working as a temporary worker or a permanent employment candidate.
We may receive data from our third party payroll supplier.

Web based data

We collect statistics on visits to our website and social media sites and whilst these are anonymous statistics, your IP address may be considered personal data under the legislation. Therefore, we may collect information about the computer or device which is used to access our website. We use this information to collect anonymous statistics to view traffic to the site and how the site is used. This collection does not identify individual users.


Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result. For further information visit

How will your data be used and what is Our Lawful Basis for Processing?

As a staffing solutions company, we gather information and process personal data in order to pursue our legitimate interests of recruiting and supplying staff to clients. We also process personal data in order to comply with any required legal obligations. We will only use your personal data when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, performing recruitment based services. (Legitimate Interest as a lawful basis).
Where we have obtained your prior consent – specifically we will obtain prior consent before referring you to a position with one of our clients, releasing your details to our third party suppliers for payroll, sending client details to candidates or information needed when placing you as as a temporary worker permanent employee with one of our clients. (Consent as a legal basis)
Where we need to perform a contract we have entered into with you. (Contract as a legal basis)
Where we need to comply with a legal obligation such as the legal requirements associated with the employment regulations and best practice, the requirements of HMRC, the Modern Slavery Act 2015, the Equality Act 2010 and other employment / tax related legislation. (Legal Obligation as a lawful basis).
Where we need to take steps to enforce or defend any legal claims made by, against or otherwise involving you. This includes any associated investigations or discovery exercises. (Legal Obligation and Legitimate Interests).
We may also use your personal information where we need to protect your interests (or someone else’s interest) or where it is needed in the public interest.

Bulk marketing

We do not undertake bulk marketing but we will obtain your consent for bulk marketing should this ever change (Consent as a legal basis).

Automated decisions

We do not use your personal information to make solely automated decisions which affect you legally or similarly.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the GDPR rules, where this is required or permitted by law.

Special Categories of particularly sensitive information

”Special categories” of particularly sensitive personal information require higher levels of protection and we require further justification for collecting, storing and using this kind of information. We rarely collect this kind of personal information.

Should we need to process special categories this will usually be under the following conditions:
In limited circumstances with your explicit written consent
Where we need to carry out our legal obligations
Where it is needed in relation to legal claims
Where it is needed in the public interest, such as for equal opportunities monitoring, and in line with our privacy policy
Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
Where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

As noted above we rarely collect this kind of information. In the rare event that we need to use your particularly sensitive information we may do so in the following ways:
Information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws if you are on engagement as a contractor.
Information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.

Information about criminal convictions

We rarely possess or use information relating to criminal convictions. We will only use information relating to criminal convictions where the law allows us to do so and when processing is necessary to carry out our obligations provided we do so in line with our privacy policy.

We may collect information about criminal convictions as part of the recruitment process and throughout the duration of your engagement with us (whether as temporary worker, candidate or other staff) where you are engaged in or applying for regulated work. We will use this information about criminal convictions and offences in order to determine your suitability and continued suitability for our clients and the regulated services that they perform.

We are allowed to use your personal information in this way in order to comply with our obligations to our clients to provide suitable staff and in order to protect the interests of the end user.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

Do we need your consent for this data?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us (or your other engagement with us) that you agree to any request for consent from us.

Who will have access to your personal data?

All employees of Conga Group Ltd have access to the data relevant to their posts.

We share personal information with clients who we think may be interested in engaging your services, whether as an employee or otherwise. We do this in the course of providing our services to you and will always ask you for your consent to do so. Once you have taken on a role with our client we may need to continue sharing your personal data to perform a contract with you, to comply with our legal obligations or to protect your or someone else's interests.

In addition, we may need to share personal data with third parties in order to provide as full a service as possible; where we have a legitimate interest in doing so or where where required by law.

These may include:
Third party service providers - who need to know the information in order to provide us or you with services including our third party service providers who process information on our behalf to help run some of our internal business operations. This includes payroll of contractors, email distribution, data storage, recruitment database provision, information technology and marketing services, and data analytics.
Our advisors, which includes our accountants, auditors, lawyers, other professional advisors and business contacts - for the purpose of assisting us to better manage, support or develop our business and comply with our legal and regulatory obligations;
Law enforcement and regulatory bodies - in order to comply with any legal obligation or court order;
Other statutory bodies if required.

We will take all reasonable steps to ensure all information sharing is carried out in a secure way and will ask our third-party associates to assure us they will handle your personal data securely by ensuring they have policies in place and using contracts that are within the GDPR legal requirements. We will only share the necessary data for them to be able to carry out their duties.

We do not share your data with third party marketing bodies.

Where do we store Personal Data?

All information is held in an electronic format. Data is stored in the following places:
In a CRM provided by a cloud hosted provider.
Using cloud hosted Microsoft Office 365, Onedrive or Outlook email.
For contracted temporary workers and clients engaging contractors your payroll related information and timesheets are stored with a cloud hosted payroll system.


Your information is held predominantly in an electronic format and very rarely may be in a physical format. Your details are held securely by us and/or our data processors within the European Economic Area. All systems are enforced by password protocols. All emails are encrypted and our website is protected by several security protocols. We do not usually pursue international assignments. However, where required, we may transfer to and securely store your data at processors outwith the European Economic Area.

Data Quality

We rely on you to ensure that your personal information is complete, accurate and current. Please do inform us promptly of any changes to or inaccuracies to your personal information by informing your recruitment consultant or contacting our DPO through the contact details on this page.

Data Retention

We hold your data with a view to providing future recruitment services to you and to manage our business relationship with you. The retention periods for personal data depend on the purpose for which the information was obtained and will differ for different organisations.

We retain personal data for varying time periods in order to assist us in complying with legal and regulatory obligations, to enable compliance with any requests made by regulators or other relevant authorities and agencies, to enable us to establish, exercise and defend legal rights and claims, and for other legitimate business reasons.

We retain your personal data for the period of time required for the purposes for which it was collected, any compatible purposes which we subsequently establish, any new purposes to which you subsequently consent, or to comply with legal, regulatory and policy requirements.

Data Deletion

Should you wish to delete your data we will do so, securely, within a month and provide you with a notification that this has occurred. Whilst there are elements of your records that can be deleted, others will remain on file for lawful statutory purposes such as filing and reporting for HMRC and any supporting evidential information.

Data Breaches

In the event of a “high risk” personal data breach the individual / individuals involved will be notified immediately (within 72 hours). The Information Commissioner’s Office (ICO) will also be notified immediately. Conga Group and our staff will follow our security protocols in our “Data Breach” policy as well as the ICO guidelines. We will take all necessary precautions to minimise the severity of the breach for the individual. All personal data breaches will be recorded in our data breach register.

Your Rights

You have a number of rights under the GDPR legislation.

These are:

Right to be informed

You have the right to be informed about the processing of your personal data, and this Privacy Notice provides you with the information you need to reassure you that we handle your personal data securely and lawfully.

Right of access

You have the right to request access to your personal data and to request further information relating to your personal data such as the purposes of processing, the categories of organisations with whom we share your personal data, the retention period for such personal data and the existence of any automated decision-making relating to your personal data. We will provide you with this information within 30 days as per the GDPR legislation.

Right to rectification

You have the right to have any inaccuracies or factual errors corrected or incomplete data amended. We aim to ensure that all personal information is correct. You also have a responsibility to ensure that changes in personal circumstances (for example, change of address and bank accounts) are notified to us so that we can ensure that your data is up-to-date. If this information has been disclosed to a third-party we will inform that party and request that they amend their records.

Right to erasure (the right to be forgotten).

You can request to have your personal data deleted or removed if there is no compelling reason to keep it, as follows:
if your personal data is no longer required for the purposes for which we obtained them;
where the processing of your personal data is based on your consent and you withdraw such consent;
where the processing of your personal data is based on our legitimate interests and you successfully object to such processing;
where the personal data is processed unlawfully; or
where the personal data has to be erased for compliance with a legal obligation.
If the personal data is held for statutory or regulatory requirements it cannot be erased.

Any request made will be discussed with you, unless deletion is an obvious step.

Erasure means we could not contact you should an employment opportunity arise that you may be interested in after reviewing the job specification.

Following erasure we will not retain your information and therefore it is possible that your personal information may be re-obtained from the public domain or social media which may result in contact from our organisation.

Right to restrict processing

This relates to personal data where the accuracy is contested or where you have objected to our processing based on our legitimate interests or where we no longer require the personal data but you request us to keep. It is a complex area and whilst a decision is being made in consultation with you, we will store the data but not process it.

Right to data portability

You have the right to take and use your data for other services or purposes. Where the personal data provided by you is processed on the basis of your consent or a contract between us and you, we are required to make this information available to you in a readable easily transferred format and will do so within a month as required by GDPR.

Right to object

Where the processing of your personal data is based on our legitimate interests, you have the right to object (based on your particular circumstances) to the way we handle, use or store your personal data. If you object to our processing of your personal data, we will restrict any further processing until we determine whether or not there are any compelling reasons why we should continue the processing.

We do not sell your personal data and we do not use it for marketing purposes.

Right not to be subject to automated decision-making including profiling

We believe the best way to provide services to our candidates and clients is through direct conversation. We do not use any automated decision making tools.

More details on these rights can be found at the Information Commissioner’s Office web site or equivalent European Economic Area government bodies.

Exercise of your rights

If you wish to exercise any of your rights in respect of your personal data, please contact us using the details above. Our Data Protection Officer will provide you with further information if required.

We will respond to any request to exercise your rights within one month, unless the request is complex in which case we will seek an extension and respond within a further two months thereafter.

We will respond to your requests to exercise your rights at no charge, although repeated or manifestly unfounded or excessive requests may be refused or may incur an administrative charge covering the time and other costs associated with this.


You are free to discuss any complaints with our DPO at any time. If we do not address your complaint to your satisfaction you can complain to the Information Commissioner’s Office

Changes to our Privacy policy

Occasionally Conga Group is likely to change our Privacy Policy, if we do change our policy; we will update policy information on this page. If you have any questions or if we can help, please get in touch at: [email protected]