Data Protection Policy

Osmium Partners Limited

  1. Introduction

Osmium Partners Limited (“the Company”) is committed to protecting the privacy and security of personal data. We collect and process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

This policy outlines our responsibilities, procedures, and standards for ensuring the lawful, fair, and transparent handling of personal data.

  2. Scope

This policy applies to:

  • All employees, contractors, and third-party suppliers who process personal data on behalf of the Company 
  • All personal data processed by the Company in the course of its recruitment activities

  3. Definitions

Personal Data: Any information relating to an identifiable person (e.g. name, contact details, CVs)

Processing: Any operation performed on personal data (e.g. collection, storage, use, disclosure)

Data Subject: The individual whose data is being processed

Controller: Osmium Partners Limited, which determines the purposes and means of data processing

Processor: Any third party who processes data on behalf of the Company

  4. Principles of Data Protection

We adhere to the following GDPR principles:

  • Lawfulness, fairness, and transparency 
  • Purpose limitation 
  • Data minimisation 
  • Accuracy 
  • Storage limitation 
  • Integrity and confidentiality 
  • Accountability

  5. Legal Basis for Processing

We ensure all processing has a lawful basis, including:

  • Consent (e.g. candidates opting in to job alerts) 
  • Contractual necessity (e.g. placing candidates in roles) 
  • Legal obligations (e.g. right-to-work checks) 
  • Legitimate interests (e.g. business development)

  6. Data Subject Rights

We respect and support the following rights of individuals:

  • Right to be informed 
  • Right of access 
  • Right to rectification 
  • Right to erasure (“right to be forgotten”) 
  • Right to restrict processing 
  • Right to data portability 
  • Right to object 

  7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encrypted cloud-based systems 
  • Secure password policies 
  • Access controls and staff training 

  8. Data Retention

We only retain personal data for as long as necessary for the purposes for which it was collected.

  9. Data Sharing and Transfers

We may share data with:

  • Clients (when submitting candidates for roles) 
  • Service providers (e.g. payroll processors, background check services) 
  • Legal authorities (if required)

All data sharing is governed by appropriate data sharing or processing agreements.

  10. Data Breaches

Any suspected or actual data breaches must be reported immediately to the Data Protection Officer or designated lead.

Where required, we will report breaches to the ICO (Information Commissioner’s Office) within 72 hours and inform affected individuals as appropriate.

  11. Training and Compliance

All staff receive training on data protection obligations and are expected to comply with this policy. Non-compliance may result in disciplinary action.

  12. Policy Review

This policy is reviewed annually and updated to reflect changes in legislation, regulatory guidance, or business operations.


Last Updated: September 2025
Document Owner: Osmium Partners