About this notice

This notice explains how Morgan Hunt UK Limited (“Morgan Hunt”, “we”, “our” or “us”) collects, uses, shares and protects personal data. It applies to:

  • Candidates — anyone who applies for, is placed in, or is considered for a role through us
  • Clients — organisations who use our recruitment services, and the individuals who work for them
  • Suppliers and partners — individuals who work for organisations that provide services to us
  • Website visitors — anyone who uses morganhunt.com or our related digital services
  • Referees — people whose details are provided to us so that we can obtain a reference

If anything in this notice is unclear, or if you want more detail about anything we say here, please contact us using the details in section 13.

Who we are

Morgan Hunt UK Limited is the data controller for the personal data described in this notice. We are registered in England with company number 04349535. Our registered office is Standon House, Floor 3, 21 Mansell Street, London, E1 8AA.

We are registered with the Information Commissioner's Office (ICO) under registration number Z8762617.

Our group includes Morgan Hunt UK Limited and our parent, Morgan Hunt Group Limited. Your data may be shared within the group where this is necessary for the purposes set out in this notice.

Our Data Protection Officer

Our Data Protection Officer is Sam Porter. You can contact the DPO about anything relating to how we handle your personal data, including making a request to exercise your rights:

  • By email: gdpr@morganhunt.com
  • By post: Data Protection Officer, Morgan Hunt UK Limited, Standon House, Floor 3, 21 Mansell Street, London, E1 8AA
  • By phone: 0207 419 8900

The personal data we collect

The personal data we collect depends on your relationship with us. This section sets out what we typically collect in each case.

Candidates

We may collect any of the following, depending on the role and stage of the process:

  • Identity and contact details — name, date of birth, home address, email, phone number, National Insurance number
  • Work history and skills — CV, job history, qualifications, skills, references, certifications, training records
  • Eligibility to work — passport, visa, other identity documents, and the outcome of right-to-work checks carried out through Yoti (which involves identity document verification and facial similarity checks)
  • Background and suitability — criminal records information from Disclosure and Barring Service (DBS) checks, including digital copies of DBS certificates where required for the role
  • Safeguarding information — where a role involves work in education, social care, or with vulnerable people, any information required under safeguarding regulations
  • Health information — only where relevant, limited to information about reasonable adjustments you need during the recruitment process or in a role
  • Payroll and financial information — bank details, tax codes, pension details (where we pay you directly or through a payroll provider)
  • Emergency and family — next-of-kin contact details
  • Interactions with us — notes from conversations, meetings and interviews, AI-generated summaries of telephone and video calls (see section 6), messages exchanged via our website chatbot, and your use of the Quick Drop CV service
  • Marketing preferences — your preferences about receiving updates from us

 

Clients and suppliers

For individuals who work for our clients and suppliers, we typically collect:

  • Name, job title and employer
  • Business contact details (email, phone, office address)
  • Notes from conversations and meetings
  • Your opinions about candidates where you provide references or feedback
  • Marketing preferences

 

Website visitors

When you visit morganhunt.com, we collect limited technical information (such as IP address and browsing activity) through cookies and similar technologies. This is described in our separate Cookie Policy at morganhunt.com/cookie-policy.

Where we get your data from

We collect personal data from:

  • You directly — for example, when you register with us, send us a CV, apply for a role, or contact us
  • Clients and other employers — for example, when a client provides a brief or feedback
  • Referees — people you ask us to contact
  • Publicly available sources — including LinkedIn, job boards and public professional directories
  • Background screening providers — for example, First Advantage for pre-employment checks
  • Identity verification providers — Yoti, for right-to-work checks
  • Framework operators and other recruitment businesses — where you have applied to a role that is filled through a framework arrangement

If we collect personal data about you from a third party source, we will tell you when we first make contact.

How we use your data and our lawful basis

We only use your personal data when we have a lawful basis to do so. This section sets out what we do with your data and why we are permitted to do it.

To provide our recruitment services

We use your data to match candidates to roles, submit candidates to clients, arrange interviews, negotiate terms, and place candidates in assignments. Our lawful bases are:

  • Performance of a contract — where we have entered into, or are negotiating, a contract with you (Article 6(1)(b) UK GDPR)
  • Legitimate interests — our interest in running our recruitment business, balanced against your interests and rights. We have carried out Legitimate Interests Assessments for these uses (Article 6(1)(f) UK GDPR)
  • Consent — where required by law, for example before submitting your CV to a specific client (Article 6(1)(a) UK GDPR)

To meet legal and regulatory obligations

We are required by law to process personal data for certain purposes, including:

  • Verifying identity and right to work under the Immigration (Restrictions on Employment) Order 2007
  • Meeting our obligations under the Conduct of Employment Agencies and Employment Businesses Regulations 2003
  • Paying tax, National Insurance and pension contributions under HMRC and pension rules
  • Complying with anti-money laundering, anti-bribery and fraud prevention legislation
  • Meeting safeguarding requirements in education and social care placements
  • Cooperating with regulators, law enforcement and courts

The lawful basis is legal obligation (Article 6(1)(c) UK GDPR).

To run and improve our business

We also use data to:

  • Administer our relationship with you
  • Keep records of our dealings and transactions
  • Investigate and resolve queries, complaints and disputes
  • Train our people and monitor service quality
  • Keep our IT systems secure and back up our data
  • Analyse market trends and produce anonymised insights for clients
  • Market our recruitment services to existing and prospective clients

The lawful basis is legitimate interests (Article 6(1)(f) UK GDPR), except where we rely on consent for electronic marketing.

Marketing

We may send you marketing communications about our recruitment services and related offerings. For electronic marketing to individuals who are not existing contacts, we rely on your consent. You can withdraw consent or opt out at any time using the unsubscribe link in any marketing email, or by contacting us at gdpr@morganhunt.com.

Special category data and criminal records data

Some types of personal data are subject to extra protection. These are “special category” data (such as health, racial or ethnic origin, religious beliefs) and criminal offence data.

Special category data

We only process special category data where one of the conditions in Article 9(2) UK GDPR applies. In practice, the conditions we rely on are:

  • Explicit consent (Article 9(2)(a)) — for example, where you tell us about a health condition or other personal characteristic and ask us to take it into account
  • Employment, social security and social protection law (Article 9(2)(b), together with Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018) — for example, to administer payroll, pensions, or reasonable adjustments
  • Equality of opportunity or treatment (Article 9(2)(g), together with Schedule 1, Part 2, paragraph 8 of the Data Protection Act 2018) — for monitoring and reporting on diversity, where you choose to provide this information
  • Legal claims (Article 9(2)(f)) — where needed to establish, exercise or defend legal claims

We have an Appropriate Policy Document in place as required by the Data Protection Act 2018 where we rely on the employment or equality conditions above.

Criminal offence data

For some roles, we collect criminal offence data — most commonly through DBS checks. We process this data under Article 10 UK GDPR in reliance on the condition in Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018 (employment, social security and social protection).

We only carry out DBS checks where they are required for the role, and we hold digital copies of DBS certificates securely for the retention period set out in section 10.

Biometric data

When you complete a right-to-work check through Yoti, the check involves a facial similarity comparison between a live image and the image on your identity document. This is biometric data. We rely on Article 9(2)(b) UK GDPR and Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018 (employment) as the condition for processing. Yoti acts as a processor on our behalf.

Automated decision-making, profiling and AI

We use software — including AI-based tools — to help us run our recruitment services. This section explains how, what your rights are, and how to exercise them.

What we mean

Profiling is any automated processing of your personal data to evaluate things about you — for example, your suitability for a role. Automated decision-making is a decision made solely by automated means, without meaningful human involvement.

AI-assisted candidate matching (pilot)

We are currently piloting AI tools that help our consultants identify candidates who may be suitable for particular roles. The tools analyse information held on our systems (skills, work history, qualifications, location, availability) and suggest or rank candidates for a consultant to review.

These tools support, but do not replace, human decision-making. A Morgan Hunt consultant reviews suggestions and decides whether to contact you, shortlist you, or submit your details to a client.

Our lawful basis is legitimate interests. We have carried out, or are carrying out, Data Protection Impact Assessments and Legitimate Interests Assessments covering this activity.

Automated right-to-work eligibility screening (pilot)

We are piloting automated screening that rejects applications from candidates who confirm they do not have the right to work in the UK. We only place candidates in UK roles, so we are not legally able to place someone without UK right to work. This is a statutory eligibility check rather than an assessment of your skills or suitability.

Because this decision may have a significant effect on you, we make sure that:

  • You are told before you apply that this automated check will be carried out
  • You can ask a Morgan Hunt consultant to review the outcome
  • You can provide additional information if you believe the automated outcome is wrong

AI call summaries

When a Morgan Hunt consultant has a telephone or video call with you, we may use an AI tool to produce a written summary of the call for our records. The underlying audio is not stored after the summary is created. The summary is held on our systems as a record of our conversation and is used in the same way as written notes.

Candidate chatbot

Candidates who are already registered with us can interact with a chatbot on our website, powered by Bullhorn Automation. The chatbot can answer questions, update information, and help with common tasks. Conversations are stored on our CRM alongside your candidate record.

Quick Drop CV

The Quick Drop CV service on our website automatically reads (parses) your CV so that your details can be added to our CRM and matched against current vacancies. No decision about your suitability is made solely by this process — a consultant reviews any potential matches.

Third-party AI providers

Some of our AI tools use third-party AI models. Where this is the case:

  • We have a written data processing agreement in place
  • Your personal data is not used to train third-party AI models
  • Processing takes place within the UK or European Economic Area (see section 9)

Fairness and bias

We recognise that automated tools can reflect or amplify bias. To reduce that risk:

  • We carry out fairness and bias testing on AI tools before deployment and on an ongoing basis
  • We do not use protected characteristics under the Equality Act 2010 as inputs to matching decisions
  • We monitor outcomes where we lawfully can
  • Our consultants are trained in the appropriate use of these tools
  • We carry out due diligence on AI suppliers including their training data, model governance and bias mitigation

Your rights in relation to automated decisions

You have the right to:

  • Ask a human at Morgan Hunt to review any solely automated decision that affects you
  • Receive a plain-language explanation of the decision
  • Express your point of view and provide additional information
  • Contest the decision and ask us to reconsider
  • Object to profiling where our lawful basis is legitimate interests
  • Withdraw consent at any time where our lawful basis is consent

To exercise these rights, email gdpr@morganhunt.com. We will respond within one month.

Who we share your data with

We only share personal data where we are permitted to do so. The main categories of recipient are set out below.

Clients

We share candidate information with clients when we submit you for a role, and as needed to manage any assignment. For permanent roles, sharing typically requires your consent. For temporary roles and assignments, sharing is necessary to perform our contract with the client.

Processors acting on our behalf

We use service providers who process personal data on our behalf under written contracts. Our main categories of processor are:

  • CRM and recruitment platform — Salesforce (including Bullhorn Automation functionality built on Salesforce)
  • Productivity and collaboration — Microsoft 365 and Microsoft Azure
  • Website and content management — SourceFlow
  • Identity verification and right-to-work checks — Yoti
  • Background screening — First Advantage
  • IT support and hosting providers
  • AI and analytics providers used to support the services described in section 6

Joint and separate controllers

We share data with other recruitment businesses and framework operators in the course of delivering public sector framework contracts and neutral vendor arrangements. Depending on the arrangement, these parties may act as joint controllers with us or as separate controllers in the same supply chain. They include Crown Commercial Service, other UK public sector framework operators, Reed, Matrix, Comensura and Connect2.

Where we act as joint controllers, we have (or are putting in place) Article 26 arrangements setting out our respective responsibilities. You can ask us for the essential terms of any such arrangement that relates to you.

Other recipients

We may also share data with:

  • Regulators, government bodies, law enforcement and courts, where required
  • Our legal, tax, audit and professional advisers
  • Our insurers
  • Buyers or potential buyers in the event of a sale, merger or reorganisation of our business

We do not sell, rent or otherwise share personal data for third-party marketing purposes.

International transfers

Morgan Hunt processes personal data within the United Kingdom and the European Economic Area (EEA). Our main systems, including Salesforce and Microsoft 365, are hosted in the UK. Our core processors operate within the UK or EEA.

We do not currently transfer personal data to countries outside the UK or EEA in a way that would be a restricted transfer under UK GDPR.

If this changes in the future, we will only make a restricted transfer where an adequacy regulation applies, or where we have appropriate safeguards in place — for example, the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment. We will update this notice before any such change takes effect.

Security

We take appropriate technical and organisational measures to protect personal data from unauthorised or unlawful access, loss, alteration or disclosure. These include access controls, encryption, network security, staff training, and supplier due diligence. If we ever suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and, where required, affected individuals.

How long we keep your data

We keep personal data for as long as we need it for the purposes set out in this notice, and then for as long as required by law.

Our default retention period is six years from the last point at which we provided services to, or dealt with, you. This applies to:

  • Candidate records (whether or not you were placed)
  • Client and supplier contact records
  • Website enquiries and marketing contacts

We also keep certain records for the minimum periods set by law, including:

  • 12 months for records of recruitment services under the Conduct of Employment Agencies and Employment Businesses Regulations 2003
  • 2 years for right-to-work check records under The Immigration (Restrictions on Employment) Order 2007
  • 3 years for statutory maternity, paternity and parental leave records
  • 6 years from the end of each tax year for payroll records under the Income Tax (Earnings and Pensions) Act 2003
  • 6 years from the end of each tax year for VAT records

We may keep data for longer where we are legally required to, or where it is necessary for ongoing legal claims or disputes. We have a written retention schedule that sets out the detail; you can ask us for a copy.

If you think we are keeping your data for longer than necessary, please contact gdpr@morganhunt.com.

Your rights

You have the following rights under the UK GDPR and Data Protection Act 2018.

Right of access

You can ask for a copy of the personal data we hold about you, and information about how we use it. This is known as a Subject Access Request. We will respond within one month of verifying your identity; this may be extended by up to two further months for complex requests, in which case we will tell you. There is no fee unless the request is manifestly unfounded or excessive.

Right to rectification

You can ask us to correct personal data that is inaccurate or incomplete.

Right to erasure

You can ask us to delete your personal data in certain circumstances. There are exceptions — for example, where we are required to keep the data by law.

Right to restriction

You can ask us to restrict how we use your personal data in certain circumstances — for example, while we investigate a concern you have raised about its accuracy.

Right to data portability

Where we process your data based on consent or on the performance of a contract, and the processing is automated, you can ask us to provide the data in a structured, commonly used, machine-readable format, or to send it to another organisation.

Right to object

You can object to our processing of your personal data where we rely on legitimate interests. You have an unconditional right to object to direct marketing.

Rights in relation to automated decisions

These are set out in section 6.9 above.

Right to withdraw consent

Where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of any processing we carried out before you withdrew consent.

How to exercise your rights

Email us at gdpr@morganhunt.com or write to the Data Protection Officer at the address in section 2. We may ask you for information to verify your identity.

Right to complain

If you are unhappy with how we have handled your data or a rights request, please let us know first at gdpr@morganhunt.com so we can try to put things right. You also have the right to complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.

Cookies

Our website uses cookies and similar technologies. Full information about the cookies we use, your choices, and how to manage them is set out in our separate Cookie Policy at morganhunt.com/cookie-policy.

Contact us

If you have any questions about this notice, or would like to exercise any of your rights, please contact:

  • Sam Porter, Data Protection Officer
  • Email: gdpr@morganhunt.com
  • Phone: 0207 419 8900
  • Post: Data Protection Officer, Morgan Hunt UK Limited, Standon House, Floor 3, 21 Mansell Street, London, E1 8AA

 

Changes to this notice

We review this notice regularly and update it to reflect changes to our business and to the law. Material changes will be notified to you through our website or, where appropriate, directly.

Last Updated: 15th May 2026