GDPR Commitments

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history. It aims to support the rights that individuals have on data held on themselves. It also aims to detect, identify and mitigate against data breaches or leaks, as well as enforcing the reporting on these issues. This aims to create one uniform policy across the EU regardless of whether the UK is part of the European Union. Any business that deals with EU nationals and business alongside their data must comply with the legislation.

River Partnership will comply with the applicable GDPR regulations as a data processor and controller. Working alongside its employees, clients, candidates and suppliers it will comply when the GDPR legislation takes effect on 25th May 2018.

River Partnership use Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and outlined below. In the context of this statement, 'data subject' refers to the person or entity submitting data and can include employees, candidates, clients and other individuals or organisations that River Partnership works with.

Data Collection

River Partnership headhunt for our mandates via a variety of channels. Vastly through mapping the market via meetings with our network and by publicly available sources to establish hierarchy and team sizes within organisations. Data collection and processing is necessary for the performance of the recruitment process with the data subject. The terms that a data subject enters are made available to them on our website and upon request. By submitting data, the data subject agrees that this data can be processed and stored. We would obtain consent to process and store personal data including but not limited to; name, professional experience, career history, education history, resume, salary information and contact information. This data is necessary to ensure the data subject is suitable for engagements including but not limited to; mandates that River Partnership source, business opportunities with River Partnership and other reasons for communication. River Partnership reserve the right to contact data subjects who have submitted this data both upon submission and in the future to ensure data is accurate.

Data Retention

River Partnership would keep data on file for a period of 7 years unless otherwise stipulated. Data would be hard erased after this time unless the data subject requests otherwise. Data subjects have the right to request personal data on themselves in a portable format. Data subjects must request their data by phone, email or letter stipulating what data they would like to access. The data request would be acknowledged within 7 days and we will endeavor to resolve all queries in 30 days. We would send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or otherwise irretrievable the subject will also be informed of this.

Data Deletion

River Partnership aims to keep data on file for a period of 7 years unless otherwise stipulated. Data would be hard erased after this time unless the subject of the data requests otherwise. Subjects of data have the right to be forgotten and erased from records upon request. Data subjects must make such requests by phone, email or letter stipulating what data they would like erased. The data request would be acknowledged within 7 days and we will endeavor to resolve all queries within 30 days. We would send confirmation of this either by email or letter.

Transporting Data

The data stored on our ATS and database is controlled by the Company. River Partnership permit the portability of data by our employees on mobile devices such as mobiles or laptops, as well as advocating home working, under restriction and/or limitations. This is also for the benefit of data subjects which makes transferring data to a data subject, upon request, much simpler. Access to this data can be terminated or limited, as and when necessary, to prevent data breaches or leaks. Every reasonable step is taken to ensure that River Partnership data accessed outside of our network is secure.

Reporting Data Breaches

As per the GDPR guidelines we would analyse any suspected data breach and report it within 72 hours of becoming aware of the breach. Unless the breach itself is considered low risk. Breaches would be reported to the top authorities, which would be ICO (Information Commissioner’s Office). Once a data breach or leak has been detected then it would be reported to this authority. A data breach or leak includes but is not limited to; a lost USB stick, loss or theft of portable devices or data sent to the wrong person. River has processes and policies in place to avoid any potential data breaches. We train all of our employees on the importance of data security and what their responsibilities are with safeguarding data that River processes.

Internal Policies for GDPR

River Partnership execute a stringent security and access policy for employees that safeguards data and protects the integrity of data. River also ensures that this doesn’t impact business functions and data subject experiences. River Partnership have a data security policy, confidentially policy, password policy and a policy to target Bring Your Own Devices (BYOD). These policies aim to mitigate any instance of data breach or leaks and employees are trained in maintaining data security.

IT policies for GDPR

River Partnership outsource our IT system maintenance and management to a Third-Party. This Third-Party supplier is responsible for safeguarding the network and terminals with access to the network. They manage the anti-virus on the machines, encryption and security updates to mitigate against data breaches and leaks. The data this Third Party can access is limited to the minimum needed to complete their role and they are also bound by a data privacy and confidentiality contract. River Partnership are solely responsible for employee accessibility in granting, limiting or terminating accessibility where necessary.

River Partnership's ATS and Database

River Partnership use a dependable and resilient ATS system for data processing. We rely on compliant ATS System and Database which applies rigorous security standards.

International data transfers: our ATS and database complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. It has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

This statement is provided as of February 2018, for informational purposes to explain River Partnership's stance on GDPR legislation and compliance. It is subject to change or removal without notice.

For any further information or requests please send an email to

Downloadable Data Request Form