Made of Storm | Policy

Last Updated: April 30, 2026

Trust is the foundation of any recruitment relationship. This Privacy Policy explains what personal data we process when you interact with us, why we process it, with whom we share it, and the rights available to you under applicable law. We aim to make this information as clear and accessible as possible, so that you can make informed decisions about your data at every stage of our relationship. In this regard, the Privacy Policy (the “Privacy Policy”) is developed to provide you with up-to-date information on what we (referred to as “Made of Storm” or “we”, “us”, “our”) do with of personal data of our clients, website visitors, business partners, and all other individuals whose data we process (“you” or “users”).

This Privacy Policy is prepared in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”). Because our recruitment activities are international and we engage with candidates worldwide, including in the European Economic Area (“EEA”), the United Kingdom (“UK”), and other jurisdictions, we also have regard to the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the UK GDPR insofar as they apply to our processing under Article 3(2) GDPR (and the corresponding UK provisions). Supplementary information specifically for individuals located in the EEA or the UK is set out in Annex A to this Policy.

Where mandatory data protection laws in your jurisdiction apply, we will comply with such requirements to the extent applicable
This Privacy Policy applies to personal data processed by us when you:

visit and use the website at https://madeofstorm.com (the “Website”);
contact us through the contact form “Apply Now” available on the Website;
communicate with us by email or otherwise in connection with the Website;
submit your CV, resume, cover letter, application materials, or otherwise apply for a vacancy posted by us;
engage with us as a representative of a current or prospective client company seeking recruitment or marketing services;
act as a referee or other third party in connection with a candidate’s application.

By using the Website, submitting personal data to us or applying for a vacancy, you acknowledge that you have reviewed this Policy.
In this Privacy Policy, we have endeavored to answer the following questions as fully as possible in order to disclose all information about the processing of your personal data:
1. Definitions
2. About us
3. How we collect your personal data?
4. What personal data do we process, for what purposes, and on what legal basis?
5. Retention of personal data
6. Do we share your personal data with third parties?
7. International transfers
8. Cookies policy
9. Your privacy rights
10. Security measures
11. Are our services designed for children?
12. Changes to the Privacy Policy
13. Links to other websites

1. Definitions
For the purposes of this Privacy Policy, the following defined terms have the meanings set out below:
“Candidate” – any individual who has submitted, or whose details have otherwise been provided to us in connection with, an application for a vacancy or inclusion in our talent pool, including individuals proactively sourced by our recruiters from publicly available sources.
“Client” – a current or prospective customer of Made of Storm engaging us, or considering engaging us, for recruitment or marketing services.
“Client representative” – a natural person acting on behalf of a Client (e.g., a hiring manager, HR manager, or company director).
“Data Intermediary” – has the meaning given in the PDPA: an organisation that processes personal data on behalf of, and for the purposes of, another organisation.
“Data Protection Officer” or “DPO” – the person appointed by Made of Storm to oversee compliance with the PDPA and this Privacy Policy.
“GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“PDPA” – the Personal Data Protection Act 2012 of Singapore, as amended from time to time, and its subsidiary legislation.
“Personal Data” – data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access. “Personal Data” includes, for example, your name, postal address, telephone number, e-mail address, CV, employment history, education records, references, salary expectations, and identification information. Anonymous or de-identified information that we are not able to associate with you does not qualify as Personal Data. For clarity, Personal Data does not include Business Contact Information (as defined under Section 2(1) PDPA), such as an individual’s name, position title, business telephone number, business address, or business email address provided for business purposes; pursuant to Section 4(5) PDPA, the PDPA does not apply to Business Contact Information.
“Referee” – an individual provided by a Candidate as a professional or personal reference in connection with the Candidate’s application.
“Special Categories of Personal Data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health.
“Website” – our website at https://madeofstorm.com.

2. About us
MADE OF STORM PTE.LTD., a company duly incorporated in and registered under the laws of the Republic of Singapore, with company registration number 202510756R, having a registered office at 216 Joo Chiat Road, #02-16, Soho Life, Singapore, 427483, acts acts as an organisation that collects, uses and discloses personal data in accordance with the PDPA. It means we determine the purposes and means of the processing of personal data.
Since we are registered under the law of the Republic of Singapore, the personal data authority overseeing us regarding the personal data processing is Personal Data Protection Commission (PDPC). You always have the right to make a data protection related complaint at any time to a supervisory authority.
You may also contact your local data protection authority. A list of local EU data protection authorities is available here.
If you have any questions regarding would like to exercise your data protection related rights you can submit your request to our e-mail: hr_welcome@madeofstorm.com.

3. How we collect your personal data?
We perform the following actions with your personal data: collection, storage, disclosure by transmission and otherwise process personal data as required to fullfill the purposes listed in the Privacy Policy.
We collect personal data in the following ways:
a) when you provide us with personal data (directly from you).
In most cases we collect your personal data directly from you, for example:

when you fill out a contact form on our Website;
when you submit a CV, resume, cover letter, or other application materials in response to a job posting;
when you correspond with our recruiters or other team members by email, telephone, messaging applications;
when you attend an interview, technical task, or other assessment with us;
when you provide referee details or other supporting information.

b) from third parties
We may also collect personal data about you from third-party sources, including:

from professional networking platforms (such as LinkedIn) and similar publicly available sources, where this is permitted under the platform’s terms of use and applicable law;
from job boards, recruitment portals, and aggregators on which you have published your profile or CV;
from referees you provide in connection with your application;
from our client companies, who may forward your application or relevant details to us in connection with a vacancy;
from professional referrals or recommendations from other candidates.

When we collect your personal data from sources other than yourself, we will, where required under the PDPA, take reasonable steps to ensure that you are made aware of the source of the data and the purposes for which we process it.
c) when personal data is collected automatically.
There are tools that allow us to collect technical personal data about you when you use our Website. Using these tools, we collect some technical information, information about your use of the Services for such purposes as ensuring the normal functioning of the Website, finding bugs and fixing them, etc.

When you visit our website, we may automatically collect:

Technical data: IP address, browser type and version, operating system, device identifiers;
Cookie data: as described in Section 8 (Cookie policy) below.

We do not use your data for advertising, behavioural profiling, newsletter marketing, or analytics/tracking purposes. We do not obtain your personal data from data brokers for marketing purposes.
We do not knowingly collect or process Special Categories of Personal Data, except where strictly necessary, lawful, and where you have provided express consent. Please do not include such information in your CV or any communication with us.
Where you provide us with personal data of third parties (including referees, current or former colleagues), you confirm that you are entitled to disclose such personal data to us and that, where required, you have informed those third parties of, and obtained any necessary consents for, the disclosure to us.

4. What personal data do we process, for what purposes, and on what legal basis?
We process your personal data only when it is necessary to achieve the purpose of the personal data processing and only to the extent necessary to achieve the purpose of the processing. Furthermore, we keep your personal data for a limited period of time and once the processing period has expired, we delete all existing copies of your personal data.
Below we have provided you with a full description of the data processing purposes of the users of the Website, what personal data we process, legal basis of data processing.

Purpose	Description	Processed Personal Data	PDPA Legal Basis
Sourcing and identifying candidates	Identifying candidates suitable for clients’ current or future vacancies, including sourcing from professional networking platforms and other lawful public sources, and maintaining a talent pool	Identification and contact data; professional/employment data (current and former employers, position, skills, certifications, education, languages); publicly available profile information.	For data obtained from publicly available sources: the publicly available information exception under the First Schedule, Part 3, Division 1, Paragraph 2 PDPA; For data obtained directly from the candidate or via a referral: consent / deemed consent (Sections 13 – 17 PDPA)
Reviewing applications and matching candidates with vacancies	Reviewing CVs and applications submitted to us, assessing candidate suitability, and matching candidates with relevant client vacancies	CV and supporting documents; identification and contact data; employment history; education; skills and qualifications; relocation and remote work preferences	Consent / deemed consent under Sections 13 – 15 PDPA (you submit your CV for the purpose of being considered for vacancies)
Reference checks	Contacting referees nominated by you to verify your professional background, performance, and suitability for a role	Referee contact details; reference responses (feedback regarding the candidate)	Express consent of the candidate; deemed consent of the referee (the referee is informed and provides reference voluntarily)
Sharing candidate data with client companies	Introducing candidates to client companies (prospective employers) for specific vacancies, including transferring CVs, profiles, and supporting materials	CV and supporting documents; identification and contact data; employment history; education; skills and qualifications; relocation and remote work preferences	Express consent of the candidate (we share your CV only after your consent for each specific role or identified group of roles).
Operation of the Website	To ensure the availability, security, stability and proper functioning of the Website, including detecting malicious activity, preventing misuse, troubleshooting technical issues and maintaining system integrity	Technical data like information about your mobile device or computer system, including IP Address; OS version; device ID; country; device model and operating system; type of a browser; screen resolution; RAM size, IP address	Our legitimate interests in operating a secure and properly functioning Website. Such processing may also be carried out as necessary for the performance of our services to you
Responding to enquiries	Processing contact form (“Apply Now”) submissions and, responding to your questions about our services	Your full name, email address, LinkedIn profile (optional); Other personal data that you provide us in the correspondence	Legitimate interest (your interest in receiving a response to your inquiry; our interest in communicating with users)
Legal obligations	We may process personal data where necessary to comply with applicable law, regulatory requirements, court orders, or to establish, exercise or defend legal claims	Any personal data relevant to the relevant legal or compliance matter	Required or authorised under the PDPA or other written law (Sections 13(b), 17 and First Schedule, Part 1 PDPA).

5. Retention of personal data
We will retain your personal data for as long as needed to provide you our services, unless we are required by law to delete or if we accept your request to delete the personal data pursuant to applicable law (for example in situation when you exercised the “right to be forgotten”).
Specific retention periods we apply include:

Successful placement – candidate file: for the duration of the placement engagement and a period of 2 (two) months thereafter, in line with applicable contractual, tax, employment-agency, and limitation-of-action requirements;
Unsuccessful application (no consent for talent pool): up to 12 (twelve) months from the date of the last interaction relating to the application, after which the data is deleted or anonymised, unless a longer retention period is required or authorised by law;
Talent pool (with consent): up to 24 (twenty-four) months from the date of consent or the last interaction with you, with periodic re-confirmation of consent. You may withdraw your consent at any time;
Client and supplier records: for the duration of the contractual relationship and 6 (six) years thereafter (or such longer period as required by applicable law);
Communication records (emails, messaging, contact-form submissions): for as long as necessary to handle your enquiry, plus a reasonable retention period thereafter consistent with our records-management policy.

Please note that under certain circumstances, we may be required to retain your personal data for a longer period in accordance with applicable law or regulatory requirements. This may include but is not limited to, situations involving legal proceedings, investigations, or government inquiries. We will only retain your personal data for as long as necessary to comply with these legal obligations, and we will take appropriate measures to ensure its security and confidentiality during this period.
When we no longer require your personal data, we will look to delete, destroy, or anonymize it pursuant to our typical procedures. If this is not possible (for example, because your personal data has been stored in backup archives), then we will apply security measures to your personal data and isolate it from any further processing until deletion or destruction can occur pursuant to our typical procedures. If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

6. Do we share your personal data with third parties?
In certain cases, we may share your personal data with third parties. We do this only in the situations described in this Privacy Policy. In any case, we strive to transfer your personal data in a secure manner and, if required by applicable law, based on an agreement between us and each recipient. We will make all reasonable efforts to ensure that each recipient understands the principles of the data protection directive and complies with them in accordance with the law and/or the specific agreement.

We share your personal data to third-party as follows:
1) Client companies (prospective employers)
The central purpose of our recruitment service is to introduce candidates to potential employers. We share your CV and relevant supporting information with our client companies only:

with your prior express consent for each specific role or for an identified group of similar roles where you have consented to such sharing; and
where strictly necessary for the recruitment process.

You may withdraw your consent to such sharing at any time, although this may affect our ability to support your application or place you with a client company.
2) Service providers (data intermediaries)
We engage carefully selected third-party service providers under written agreements that require them to process personal data only in accordance with our instructions and applicable data protection laws. These include:

Hosting and cloud infrastructure providers (including the platform hosting our Website);
Email, communication providers;
IT support, cybersecurity, and infrastructure providers;

3) Authorities and disclosures required by law
We may disclose personal data where we are required or authorised to do so under applicable law, court order, regulatory request, or other legal process; or where we have reasonable grounds to believe disclosure is necessary to protect our rights, property, or safety, or those of others; or to investigate, prevent, or take action regarding suspected fraud or illegal activities.
Each time before transferring personal data to a new counterparty, we:

assess the level of personal data protection offered by the third-party recipient;
enter into a Data Processing Addendum or equivalent contractual safeguards with such recipient;
limit the personal data shared and access provided to what is necessary for the relevant purposes.

We do not sell personal data. We do not share candidate personal data with advertising networks or marketing platforms for promotional communications without your consent.

7. International transfers
Recruitment is by nature an international business. Our candidates, clients, and service providers are located across multiple jurisdictions, and personal data may therefore be transferred to and processed outside Singapore – for example, where:

a candidate based outside Singapore submits an application or is contacted by our recruiters;
a candidate is being considered for a role with a client based outside Singapore;
our service providers (including, for example, certain hosting and cloud providers) operate from outside Singapore.

Where we transfer personal data outside Singapore, or permit personal data to be accessed from outside Singapore, we will take reasonable steps to ensure that the transferred personal data is protected to a standard comparable to the protection required under the PDPA, in accordance with Section 26 of the PDPA. Depending on the circumstances, these steps may include:

conducting due diligence on the overseas recipient;
entering into contractual arrangements requiring the recipient to protect the personal data to a comparable standard (including, where appropriate, ASEAN Model Contractual Clauses or equivalent);
implementing technical and organisational safeguards;
limiting the personal data transferred and access granted to what is necessary for the relevant purposes;
relying, where appropriate and after providing you with a reasonable summary of the protections available, on your express consent to the transfer.

If you have any questions regarding a possible transfer of personal data outside Singapore, or would like to exercise your data rights in connection with such a transfer, please contact us at hr_welcome@madeofstorm.com.

8. Cookies policy
Cookies are small text files stored in your web browser that allow us or third parties to enhance your experience on the Website. Cookies are used to store and receive identifiers and other information on computers, phones, and other devices. Please note that not only cookies are used for these purposes. Therefore, this section also applies to any similar technologies that store or access information on your device.
The Website uses strictly necessary cookies and similar technologies only. These cookies are essential for the operation, security and core functionality of the Website and do not require consent under applicable rules where they are strictly necessary. Cookies categorized as “necessary” are essential for the proper functioning of the Website and for you to effectively use the features and services it provides. These cookies are crucial in enabling key functionalities such as security, network management, cookie preferences, and accessibility.
We do not use:

analytics cookies;
performance cookies;
preference/functionality cookies that are not strictly necessary;
advertising cookies;
social media tracking cookies;
profiling or cross-site tracking technologies.

Below we have described how you can control your cookie settings:
1) Remove cookies from your device
In order to delete all cookies from your device, you need to follow these steps:

go to the browser settings on the device;
clear history, including advanced settings.

Please note that clearing your history in this way will result in the loss of your preferences on other sites, including your saved login preferences and passwords, as well as other personalized website settings.
2) Block cookies
Almost all browsers allow users to block the processing of cookies on all websites. However, a complete block will block, among other things, the processing of necessary cookies, which may lead to incorrect operation of the Website and other websites.
To disable cookies, each browser has its own set of controls available. Please refer to your browser’s help menu for further instructions:

9. Your privacy rights
Under the PDPA, you have certain rights in relation to your personal data. These rights allow you to access, correct, and manage the use of your personal data that is in our possession or under our control. We will handle all requests in accordance with the requirements of the PDPA, including verification procedures and permitted exceptions under the First and Second Schedules to the PDPA.
You may exercise your rights by submitting a written request to us using the contact details provided in this Policy.

1) Right of Access (Section 21 PDPA)
You have the right to request:

confirmation of whether we hold personal data about you;
access to such personal data; and
information about how your personal data has been used or disclosed within the past 12 (twelve) months.

Access may be refused in cases permitted under the PDPA, including where disclosure would reveal confidential commercial information or involve the personal data of another individual

2) Right to Correction (Section 22 PDPA)
You have the right to request correction of any error or omission in your personal data that we hold (for example, outdated employment details or contact information).
If we are satisfied that the correction is reasonable and supported by evidence, we will:
• make the necessary correction as soon as practicable; and
• where appropriate, send the corrected data to third parties to whom the data was previously disclosed (such as client companies who received your CV).
If we decline to make a correction, we will annotate the personal data with your request and our reason for not making the correction, in accordance with Section 22(3) PDPA.
Note: the right to correction does not apply to opinions (including evaluative opinions formed by recruiters and assessment results) under Paragraph 1 of the Sixth Schedule PDPA.

3) Right to Withdraw Consent
You may withdraw your consent to our collection, use, or disclosure of your personal data at any time by submitting a request to our DPO. This includes, in the recruitment context, the ability to withdraw consent to:

retention of your CV in our talent pool;
sharing of your CV with specific client companies;
cross-border transfers of your personal data.

Upon withdrawal of consent:
• we will cease the relevant collection, use, or disclosure of your personal data, unless such processing is required or authorised under written law;
• the withdrawal may affect our ability to provide recruitment services to you (for example, we may no longer be able to introduce you to client companies or notify you of suitable vacancies).
We will inform you of the likely consequences of withdrawing consent before acting on your request.

4) Right to Information
You may request information regarding:

the types of personal data we collect;
the purposes for which personal data is collected, used, or disclosed;
the data protection policies and practices we have implemented to ensure compliance with the PDPA

5) Right to Contact the PDPC
If you are unable to resolve a concern with us after contacting us, you may obtain further information regarding your options or lodge a complaint with the Personal Data Protection Commission (PDPC):
https://www.pdpc.gov.sg/
10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438
+65 6377 3131

Exceptions and Limitations
Your rights under the PDPA are subject to exceptions permitted by law, including where:

complying with your request would likely compromise the privacy of another individual;
disclosure would reveal confidential commercial information;
retention is required for legal proceedings, regulatory compliance, or record-keeping;
access is denied under the First or Second Schedules to the PDPA.

Be aware that these rights are subject to certain limitations and exceptions as provided by law. To exercise any of these rights or for further inquiries, please contact us using the provided contact information (via e-mail address or at our legal address). Please note we may deny a request under certain circumstances, in particular if we are unable to verify your identity or locate your information on our systems. If we are unable to fulfill all or part of your request, we will explain our reasons for denying the request. You always have the right to make a data protection related complaint at any time to a supervisory authority.
Be aware that these rights are subject to certain limitations and exceptions as provided by law. To exercise any of these rights or for further inquiries, please contact us using the provided contact information:

via e-mail address hr_welcome@madeofstorm.com; or
at our legal address: 216 Joo Chiat Road, #02-16, Soho Life, Singapore, 427483.

We will review your request as soon as possible, but not more than 30 (thirty) calendar days. Please note we may deny a request under certain circumstances, in particular if we are unable to verify your identity or locate your information on our systems. If we are unable to fulfill all or part of your request, we will explain our reasons for denying the request.

10. Security measures
We implement reasonable and appropriate technical and organizational measures to protect the security of your personal data against accidental or unlawful destruction, loss, change or damage. The following measures are implemented:

Measures of pseudonymisation and encryption of personal data;
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing;
Measures for the protection of data during transmission;
Measures for the protection of data during storage;
Measures for internal IT and IT security governance and management;
Measures for ensuring data minimisation;
Measures for ensuring data quality;
Measures for ensuring limited data retention;
Measures for ensuring accountability;
Measures for allowing data portability and ensuring erasure.

11. Are our services designed for children?
Our Website is not intended for individuals under the age of 16, and we do not knowingly collect, use, or disclose personal data from minors.
We request that individuals under the age of 16 do not submit any personal data through the Website or contact forms. If we become aware that personal data has been provided by a minor without verifiable parental or guardian consent, we will take reasonable steps to delete such data as soon as practicable, in accordance with the Protection Obligation and Retention Limitation Obligation under the PDPA.
If you believe that a minor has provided personal data to us, please contact so that appropriate action may be taken.

12. Changes to the Privacy Policy
This Privacy Policy may be changed from time to time due to the implementation of new technologies, laws’ requirements or for other purposes. Your continued use of the Website after the effective date of the updated Privacy Policy will be subject to the new Privacy Policy. If we make any major changes to our Privacy Policy and will need your explicit consent for further processing of your personal data, we will request your consent or your renewed consent (in case it was obtained previously).

13. Links to other websites
The Website may, from time to time, contain links to external websites or online resources that are operated by third parties and are not under our control.
If you follow a link to a third-party website, please note that such website is governed by its own privacy policy and terms of use. We do not control, and are not responsible for, the content, privacy practices, or data processing activities of any third-party websites or services.
This Privacy Policy applies only to personal data collected through the Website and in connection with our services. It does not apply to information collected by third parties, whether online or offline, even if accessed via links on the Website. We encourage you to review the privacy policies of any third-party websites you visit.

Annex A – Supplementary information for EEA and UK data subjects (GDPR / UK GDPR)

This Annex applies to individuals located in the European Economic Area (“EEA”) or the United Kingdom (“UK”) at the time their personal data is collected. It supplements, and should be read together with, the main body of this Policy. In the event of a conflict between this Annex and the main body of the Policy with respect to an EEA/UK data subject, this Annex prevails for that individual.

A.1. Controller and Data Protection Officer
The controller of your personal data within the meaning of Article 4(7) GDPR is MADE OF STORM PTE.LTD. You may contact our DPO at hr_welcome@madeofstorm.com.

A.2. Legal bases under Article 6 GDPR
In addition to the PDPA legal bases set out in Section 5, where the GDPR applies we rely on the following legal bases under Article 6(1) GDPR:

Consent (Article 6(1)(a) GDPR) – e.g., for sharing your CV with a specific Client; for retention in our talent pool beyond the initial application; for non-essential communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal;
Contract / pre-contractual steps (Article 6(1)(b) GDPR) – to provide our recruitment services to Candidates with whom we have, or are forming, a placement-related arrangement;
Legal obligation (Article 6(1)(c) GDPR) – to comply with applicable laws (including AML/CFT, tax, and record-keeping obligations);
Legitimate interests (Article 6(1)(f) GDPR) – our legitimate interests in operating our recruitment business, sourcing Candidates from publicly available sources, securing our Website and IT systems, managing relationships with Clients, defending legal claims, and engaging in B2B communications with Client representatives. We perform a balancing test before relying on this basis and you have the right to object as set out below.

A.3. Your rights under the GDPR / UK GDPR
In addition to the rights set out in Section 8, where the GDPR applies you have the following rights:

Right of access (Article 15) – to obtain confirmation as to whether we process your personal data and, if so, a copy of that personal data and certain related information;
Right to rectification (Article 16) – to have inaccurate personal data corrected and incomplete data completed;
Right to erasure / “right to be forgotten” (Article 17) – to have your personal data erased in certain circumstances (e.g., where the data is no longer necessary, where you withdraw consent, or where you successfully object to processing);
Right to restriction of processing (Article 18) – to obtain restriction of processing in certain circumstances (e.g., where you contest accuracy or where processing is unlawful but you oppose erasure);
Right to data portability (Article 20) – to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means;
Right to object (Article 21) – to object, on grounds relating to your particular situation, to processing based on legitimate interests; we will then cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is needed for the establishment, exercise, or defence of legal claims. You have an absolute right to object to direct marketing;
Rights related to automated decision-making (Article 22) – see Section 6 above. We do not currently engage in solely automated decision-making producing legal or similarly significant effects;
Right to withdraw consent (Article 7(3)) – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

You may exercise any of these rights free of charge by contacting our DPO at the details in Section 9. We will respond without undue delay and in any event within one month of receipt of your request, with a possible extension of two further months in complex cases (we will inform you of any such extension).

A.5. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. For UK data subjects, the competent authority is the Information Commissioner’s Office (ICO): https://ico.org.uk/.

A.6. International transfers (Chapter V GDPR)
Where we transfer personal data of EEA or UK data subjects to a country outside the EEA / UK that is not the subject of an adequacy decision by the European Commission (or, for UK data, by the UK government), we will ensure that one of the following safeguards is in place under Article 46 GDPR (or its UK equivalent):

the European Commission’s Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914), supplemented by the UK Addendum issued by the ICO where UK data is transferred;
an adequacy decision (e.g., for transfers to jurisdictions recognised as providing an adequate level of protection);
binding corporate rules, where applicable; or
another lawful transfer mechanism set out in Chapter V GDPR.

Where required, we conduct transfer impact assessments (TIAs) and put in place supplementary technical, organisational, and contractual measures. You may request a copy of the relevant transfer mechanism (with appropriate redactions for confidentiality) by contacting our DPO.

A.7. Statutory and contractual requirements
Where you provide personal data to us, you are not under a statutory obligation to do so. However, certain personal data is necessary for us to consider you for a vacancy, introduce you to Clients, or provide our services to you. Failure to provide such data may mean we are unable to process your application or to provide the relevant service.