Valtus UK Privacy Policy

Our contact details:

Name: Valtus UK
Address: Holborn Gate, 330 High Holborn, London, WC1V 7GH
Phone Number:02073987500
E-mail: enquiries@valtus.uk
Website: https://valtus.uk

Valtus UK Limited, a company incorporated in England and Wales under number 04681489 with our UK head office at the address above.  Valtus UK Limited (hereinafter “Valtus”, “we”, “us” or “our”), provides interim-management and executive-search services to corporate clients in the United Kingdom and abroad. We recognise the importance of safeguarding the fundamental rights and freedoms of the natural persons whose personal data we process, including the right to protection of personal data and, where applicable, the right to transparency regarding the use of artificial-intelligence (“AI”) systems.

This Notice explains how we collect, use, disclose, retain and otherwise process personal data in connection with our business activities.

1.     Legal Framework

This Notice has been prepared in accordance with, and shall be interpreted pursuant to, the following laws and regulations, as amended or replaced from time to time (together, the “Data Protection Laws”):

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018(UK DPA 2018)
  • Data (Use and Access) Act 2025 (DUAA 2025)
  • EU GDPR (Regulation (EU) 2016/679) where it applies extraterritorially to our processing of data subjects located in the European Economic Area (EEA)
  • Regulation (EU) 2024/1686laying down harmonised rules on artificial intelligence (“EU AI Act”) where it applies extraterritorially to our processing of data subjects located in the European Economic Area (EEA)

2.     Definitions

  • Personal data: any information relating to an identified or identifiable natural person (Data Subject).
  • Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: means a natural or legal person, public authority, agency or other body which processes the personal data on behalf of the controller.
  • Sub-processor: acts under the instructions of the processor, meaning they may process personal data on behalf of the processor.
  • Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Automated decision making including profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • AI: Article 3(1) of the EU AI Act defines an AI system as a machine-based system designed to operate with varying levels of autonomy, potentially adapting after deployment, and that generates outputs like predictions, content, recommendations, or decisions from input, which can influence physical or virtual environments. 

Capitalised terms not otherwise defined herein have the meanings assigned to them in the Data-Protection Laws.

3.     Controller & Data Protection Officer

Valtus UK acts as Controller for the Processing activities described in this Notice. Their contact details are at the start of this policy document.

4.     Categories Of Personal Data

Consistent with the principle of data minimisation, we process only those categories of personal data that are relevant and necessary for the purposes set out in section 6, including:

  • Identity & contact data: name, postal and e-mail address, telephone numbers, date of birth, nationality, national-insurance number, passport/ID copies
  • Employment & professional data: curriculum vitae, qualifications, training, employment history, remuneration, references, performance appraisals
  • Financial data: bank-account details, invoicing data
  • Technical data: IP address, log-in credentials, browser type, device identifiers
  • Marketing & communications data: preferences, consents, interaction history.

We do not intentionally collect special-category data (Article 9 EU/UK GDPR) save where required by law or necessary for the establishment, exercise or defence of legal claims and subject to the safeguards prescribed by law.

5. How We Collect Your Personal Data

We obtain Personal Data:

  • Directly from Data Subjects (e.g. via our candidate portal, during interviews or events)
  • From publicly available sources (e.g. LinkedIn, Companies House filings, press releases)
  • From third-party intermediaries acting on your behalf (e.g. recruitment agencies)
  • From your use of our websites, applications and AI-enabled tools
  • From referees, background-check providers and certification bodies.

6. Purposes & Legal Bases of Processing

We process personal data strictly for the purposes set out below and on the lawful bases indicated:

Purpose Lawful basis (Art. 6 EU/UK GDPR)
Sourcing and evaluating candidates/interim managers; maintaining talent pool Legitimate interests (Art. 6(1)(f)) and/or performance of a contract (Art. 6(1)(b))
Entering into and performing interim-service, employment or supplier contracts Contract (Art. 6(1)(b))
Managing client relationships; direct marketing of relevant services Legitimate interests (Art. 6(1)(f)); consent for electronic marketing where required (PECR; Art. 6(1)(a))
Operating AI-enabled matching, screening and analytics tools Legitimate interests (Art. 6(1)(f)); compliance with EU AI Act; if Automated Decision-Making with legal/similar effects is deployed, Art. 22 safeguards
Compliance with statutory obligations (tax, accounting, company law, anti-money laundering, employment law) Legal obligation (Art. 6(1)(c))
Cybersecurity, fraud prevention and network integrity Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have conducted documented assessments demonstrating that such interests are not overridden by your rights and freedoms.

7. Automated Processing & AI Compliance

7.1 AI Enabled Tools.

Valtus UK deploys AI Systems, including natural-language processing and predictive-analytics models, to assist consultants in:

  1. Parsing CVs;
  2. Matching candidate profiles with client briefs; and
  • Generating market insights.

7.2 High-risk systems.

Where we implement an AI System classified as high-risk under Annex III EU AI Act or the DUAA (e.g. AI for candidate evaluation), we:

  • Complete a conformity assessment and register the system in the EU high-risk AI database;
  • Maintain risk-management, data-governance, testing, accuracy, human-oversight and cybersecurity measures (Arts. 9–15 EU AI Act);
  • Implement post‑market monitoring and incident‑reporting (Arts. 16–18 EU AI Act);
  • Provide affected Data Subjects with meaningful information and facilitate the rights in section 12.

7.3 Human oversight

All final hiring or engagement decisions are taken by qualified human consultants.

8. Data Retention

We retain personal data no longer than necessary for the purposes set out in this policy and in accordance with statutory retention periods:

  • Candidate/interim‑manager profiles:2 years from last meaningful contact unless a longer contractual or statutory requirement applies or you request earlier deletion
  • Contract and financial records:7 years from the end of the relevant financial year (to satisfy UK taxation and accounting obligations)
  • Client & supplier contact data:2 years from last meaningful contact
  • Technical logs:up to 12 months unless needed for security investigations.

9. Who is Your Data Disclosed To

We may disclose Personal Data to:

  • Client organisations (with your consent where required)
  • Service providers acting asProcessors (CRM hosting, IT maintenance, payroll, auditors, AI service vendors)
  • Public or regulatory authorities where legally obliged.

10. International Transfers

Where Personal Data is transferred outside the United Kingdom or the EEA, we implement appropriate safeguards, such as adequacy regulations under Art. 45, the ICO’s or European Commission’s Standard Contractual Clauses, or binding corporate rules, to ensure an essentially equivalent level of protection.

10. Security Measures

Access to Personal Data within Valtus UK is role‑based and limited to staff who require it for their duties, all of whom are bound by confidentiality undertakings.

We employ administrative, technical and organisational measures proportionate to the risk of data loss, including:

  • Network segmentation
  • Encryption at rest and in transit
  • Multi‑factor authentication
  • Access‑control policies
  • Vulnerability management
  • Staff training
  • Incident‑response procedures.

11. Cookies & Similar Technologies

Our websites use cookies and similar technologies as described in our separate Terms and Conditions, which forms an integral part of this policy. You can manage your cookie preferences through the cookie consent banner or your browser settings.

12. Data Subject Rights

Subject to the conditions and exemptions set out in the Data Protection Laws, you have the rights to:

  • Access, rectify and erase your personal data
  • Restrict processing
  • Object to processing based on legitimate interests or for direct marketing
  • Data portability (where lawfully applicable)
  • Not to be subject to automated decision making producing legal or similarly significant effects, and to obtain human intervention and an explanation
  • Withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal)
  • Lodge a complaint with a Supervisory Authority (see section 15).

13. Exercising Your Rights

To exercise any of the rights above, please contact our data protection officer using the contact details at the start of this policy.  We will respond within one month of receipt. This period may be extended by up to two additional months for complex or numerous requests.

14. Supervisory Authority

If we are unable to meet the exercising of your rights under section 14 you may contact the competent supervisory authority. The supervisory authority is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom. Their website is www.ico.org.uk.

If the EU GDPR applies to particular processing, you may also lodge a complaint with the supervisory authority in the EEA Member State of your habitual residence or place of work.

15. Changes to This Notice

We may amend this Notice to reflect legal or operational changes. Material changes will be communicated through appropriate channels.

16. Governing Law & Jurisdiction

This Notice and any dispute arising out of or relating to it are governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction, without prejudice to mandatory rights under the EU GDPR.