Privacy Policy

Brooke Thornham Consulting Privacy Notice


Brooke Thornham Consulting (Brooke Thornham Limited, company number 10378601) ("BTC", "we", "us" or "our") is committed to protecting the privacy of our candidates, clients, and users of our website. We want to provide a safe and secure user experience. We will ensure that the information you submit to us, or which we collect, via various channels (including our website, through written correspondence (including e-mail), conversations or meetings with our consultants), is only used for the purposes set out in this notice.

Through this Privacy Notice we aim to inform you about the types of personal data we collect from candidates, the purposes for which we use the data and the ways in which the data is handled and protected. We also aim to satisfy the obligation of transparency under the EU General Data Protection Regulation 2016/679 ("GDPR") and national laws implementing GDPR.

For the purpose of this Privacy Notice the controller of personal data is Brooke Thornham Consulting and our contact details are set out in full in the Contact section at the end of this Privacy Notice.



We will collect your personal details, including but not limited to your name and contact details (together with your e-mail address) and other relevant information from your Curriculum Vitae ("CV") which will detail your professional experience and academic background. On occasion this may also include sensitive personal information which you provide to us such as details of ethnic origin or marital status though we do not proactively request nor require this information. When we receive your details and CV electronically, this may be through a direct approach or application through our website, or via email, or an application that you have made through a third party job board.

We will likely obtain further personal information about you during the course of our relationship with you. This information may be obtained from you directly (though correspondence or conversation) or from third parties, such as organisations to whom we have provided your CV and who have engaged with you as part of a job application.


We will hold, and process your personal information for our legitimate business purposes including:

·        to provide our work-finding services to you;

·        to maintain our business relationship, where you are a user of our website, a client or candidate;

·        to enable you to submit your CV for general applications, to apply for specific jobs or to subscribe to our job alerts. (Please see the separate section on your CV below which outlines additional uses and disclosures.)

·        to match your details with job vacancies, to assist us in finding a position that is most suitable for you and to send your personal information (including sensitive personal information) to clients in order to apply for jobs;

·        to retain your details and notify you about future job opportunities other than the specific role for which you have contacted us;

·        to answer your enquiries;

·        to direct-market products and services, advise you of news and industry updates, events, promotions and competitions, reports and other information. Before we do so, you will be given an option to opt-out of such communications and an option to unsubscribe will also be provided with each communication;

·        to fulfil contractual obligations with our clients;

·        to provide further services to you by sharing your personal information with trusted third party service providers to our business;

·        to release personal information to regulatory or law enforcement agencies, if we are required or permitted to do so

We may process, in accordance with local regulations, certain sensitive personal data (known as special category data in GDPR) where you include it in information you send to us e.g. if you include information about your health, religion or ethnic origin in the CV you send to us. We have processes in place to limit our use and disclosure of such sensitive data other than where permitted by law.



Under GDPR, the main grounds that we rely upon in order to process personal information of clients and candidates are the following:

(a) Necessary for entering into, or performing, a contract – in order to perform obligations that we undertake in providing a service to you, or in order to take steps at your request to enter into a contract with us, it will be necessary for us to process your personal data;

(b) Necessary for compliance with a legal obligation – we are subject to certain legal requirements which may require us to process your personal data. We may also be obliged by law to disclose your personal data to a regulatory body or law enforcement agency;

(c) Necessary for the purposes of legitimate interests -we will need to process your personal data for the purposes of our legitimate interests, provided we have established that those interests are not overridden by your rights and freedoms, including your right to have your personal data protected. Our legitimate interests include being able to provide work-finding services which are tailored to you as an individual; storage of electronic mail and other communications as a necessary incident to the transmission and delivery of those communications; to respond to requests and enquiries from you or a third party; optimising our website and customer experience; to inform you about our businesses services, opportunities or market sector information which we believe may be of interest to you; to ensure that our operations are conducted in an appropriate and efficient manner.

(d) Consent – in some circumstances, we may ask for your consent to process your personal data in a specific way, particularly in the instance of submitting your personal data as a candidate to a third party (client) for consideration, or for direct marketing email purposes by us.


We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We also have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Examples of data security measures our business takes include:-

·        Password protection and encryption of all hardware including mobile devices (phone and laptops) which are used to access data away from the office, and with an appropriate policy for their use and capability to wipe all data remotely should a device be lost or stolen.

·        Password protection for accessing our database, and subsequent role-based access rights to our data within our CRM.

·        Our IT provider uses privacy enhancing technologies such as encryption, pseudonymisation and anonymization.

·        Virus checking software and monitored firewalls within our CRM providers environment and also protecting our local network

·        Regular penetration testing of systems and servers which hold our data

·        Use of secure SSL encryption for transmitting data that is sent to us from our website.

·        Making regular, secure backups of personal data and storing the media off-site

·        Automatic locking of idle terminals, adoption of a clear desk policy, and minimising the use of hard copy data within the office.

·        Storing of any paper based data in lockable fire-proof cabinets

·        destroying or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected, including shredding of hard copy documents by a certified company

·        internal policies setting out our data security rules for our personnel, conducting data protection training, and placing contractual data protection requirements on our staff members and service providers.



In certain circumstances we will share your personal information with other parties. We will only share your personal information with third parties for the legitimate purposes stated above, the third parties being:

·        Our clients (ie law firms) where your consent has been given for the release of your details to them.

·        Our database/CRM provider who host and maintain our recruitment database and systems.

·        On occasion of us wanting a branded email communication to be sent for marketing purposes we may manage that through CampaignMonitor which is run by our external marketing agency.

·        We may provide aggregate statistics about our customers, traffic patterns and other site information to third party analytics providers, but these statistics will not include any information that could personally identify an individual.

·        Function co-ordinators in the instance of you being personally invited to an event by us.

All our third-party service providers are required to take appropriate security measures to protect your personal information. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Regulatory and Law Enforcement Agencies – If we receive a request from a regulatory body or law enforcement agency, and if permitted under GDPR and other laws, we may disclose certain personal information to such bodies or agencies.

New business owners - If in the future we sell or transfer some or all of our business/assets to a third party, we may disclose information to a potential or actual third party purchaser of our business/assets, and their advisors. If this happens, you will be sent notice of such event.



The length of time we will hold or store your personal information for will depend on the services we perform for you and for how long you require these. As we often support candidates with placements over many years, and potentially throughout their careers, the purpose for which we retain candidate data is often an ongoing purpose. We conduct regular data-cleansing and updating exercises with our candidates to ensure that (a) the data that we hold is accurate and (b) we are not holding data for too long.

Our standard terms of business state that our clients should retain candidate data such as CVs for the purposes of the specific role you apply for and that, as controllers of your data, they should inform you if they plan to retain your CV on file in order to notify you about potential future roles, or to otherwise hold or use your data for other purposes.


You have certain rights in relation to personal information we hold about you. Details of these rights and how to exercise them are set out below. We will require evidence of your identity before we are able to act on your request.

Right of Access - You have the right at any time to ask us for a copy of the personal information about you that we hold. Where we have good reason, and if the GDPR permits, we can refuse your request for a copy of your personal information, or certain elements of the request. If we refuse your request or any element of it, we will provide you with our reasons for doing so.

Right of Correction or Completion - If personal information we hold about you is not accurate, out of date or incomplete, you have a right to have the data rectified, updated or completed. You can let us know by contacting us using any of the methods in the Contact section below.

Right of Erasure - In certain circumstances, you have the right to request that personal information we hold about you is erased e.g. if the information is no longer necessary for the purposes for which it was collected or processed or our processing of the information is based on your consent and there are no other legal grounds on which we may process the information.

Right to object to or restrict processing - In certain circumstances, you have the right to object to our processing of your personal information by contacting us using any of the methods in the Contact section below. For example, if we are processing your information on the basis of our legitimate interests and there are no compelling legitimate grounds for our processing which override your rights and interests. You also have the right to object to use of your personal information for direct marketing purposes.

You may also have the right to restrict our use of your personal information, such as in circumstances where you have challenged the accuracy of the information and during the period where we are verifying its accuracy.

Right of Data Portability - In certain instances, you have a right to receive any personal information that we hold about you in a structured, commonly used and machine-readable format. You can ask us to transmit that information to you or directly to a third party organisation. This right exists only in respect of personal information that you have provided to us previously and which is processed by us using automated means.

We are happy for such requests to be made, and subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We will provide reasons if we are unable to comply with any request for the exercise of your rights. You can exercise any of the above rights by contacting our Data Privacy Manager on or by using the address in the Contact section below.



To the extent that we are processing your personal information based on your consent, you have the right to withdraw your consent at any time. You can do this by contacting us using the details in the Contact section below, the recommended route being to email to

Marketing emails - To subscribe to branded marketing emails, you will be required to provide your name and e-mail address, which will be used for the purpose of keeping you informed of the latest jobs in your nominated industry and to provide you with industry news and other information related to our services. Unsubscribe links are provided in every marketing email that you receive so you can easily update preferences in this regard if you decide that you no longer wish to receive communications in this way from us. 

Branded marketing emails are sent by our chosen third party marketing agency who are UK based and use the data we provide to them for this purpose exclusively for our use.



We give you the option of submitting your CV via our website (uploading it) or by providing your CV to one of our consultants in person or my email. You can do this either to apply for a specific advertised job or for consideration by our recruitment consultants for positions as they come up. Your CV will be stored in our database, and will be accessible by our recruitment consultants. You can provide revised CV information to us at any time. Your CV remains confidential and your named details will not be shared to a third party without your consent.



Our website uses secure sockets layer (SSL) encryption technology to ensure that all your personal information shared with us via a data capture form is encrypted before transmission. The closed padlock icon at the top of your browser shows that you are in a secure area of our site. This security practice applies to both desktop computers and mobile devices, and serves to safeguard your privacy from unauthorised access/improper use. 

We may collect information about your tastes and preferences by analysis of customer traffic, including by using cookies (see below). When you visit our website, some information such as your internet protocol address, internet service provider, operating system, the website from which you arrived, and the time and date of your visit may be collected automatically as part of the software operation of this website. This collection of information is entirely anonymous. We only use this data in the aggregate form, and solely for internal marketing purposes.

This information helps us determine what is most beneficial for our users and how we can continually improve our online services to create a better overall experience for our users.



We may collect information through the use of a technology called “cookies”. A cookie is a small file that a website can send to your browser, which is then stored on your system by your browser. Any use of cookie technology on is solely for internal marketing purposes. If you are uncomfortable accepting cookies from our website or indeed any other, you can set your browser to notify you when a website attempts to send you a cookie, giving you the opportunity to decide for yourself whether or not to accept the cookies. You can also set your browser to turn off cookies. Our website can still be browsed without the use of cookies.



We are not responsible for the privacy policies and practices of other websites. If you access sites using links from our website, we recommend that you check their privacy and security policy when you visit.



Please note that communications over the Internet are not secure unless they have been encrypted, so think twice before putting sensitive information in an email/webmail. Your communications may route through a number of countries before being delivered - this is the nature of the World Wide Web/Internet. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.



This privacy notice can be changed by Brooke Thornham Consulting at any time. If we change our privacy policy in the future, we will advise you of material changes or updates by email, where you have provided us with your email address.



Brooke Thornham Consulting is an equal opportunities employer and a company committed to diversity. This means that all job applicants and members of staff will receive equal treatment and that we will not discriminate on grounds of gender, marital status, race, ethnic origin, colour, nationality, national origin, disability, sexual orientation, religion or age.

Since 2007 we have collected information on a voluntary and anonymised basis for the purpose of diversity monitoring as part of our commitment to equal opportunities. However, with the advent of GDPR in 2018 the advice on best practice is to no-longer request, collate or store “special category data”, and so we no longer ask for or process this information from individuals who contact us. We do remain committed to diversity and are glad to assist our clients with their own diversity monitoring initiatives.



The primary point of contact for all issues arising from this Privacy Notice is our Data Privacy Manager, who can be contacted by using email, or by sending a communication to Data Privacy Manager, Brooke Thornham Consulting, 1 Aire Street, LEEDS LS1 4PR.

If you have any questions, concerns or complaints regarding our compliance with this Privacy Notice, we encourage you to first contact our Data Privacy Manager. We will investigate and attempt to resolve complaints and disputes as quickly as possible and in any event, within the timescales provided by applicable data protection laws.

You also have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom if you believe we have not handled your personal data in accordance with the law. Further information, including contact details, is available at