GDPR & Data Protection Compliance Policy

ST LEGAL RECRUITMENT

Internal Policy Document  |  Version 1.0  |  Date: 30 May 2026

Next review due: May 2027

1.  Purpose and Scope

This policy sets out ST Legal Recruitment’s approach to data protection compliance under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It applies to all personal data processed by ST Legal Recruitment in connection with its recruitment activities, including data relating to candidates, law firm clients, website visitors, and any other individuals whose data we hold.

All persons who work for or on behalf of ST Legal Recruitment — including employees, contractors, and consultants — must comply with this policy.

2.  Data Protection Principles

ST Legal Recruitment is committed to processing personal data in accordance with the six data protection principles in Article 5(1) UK GDPR and, as controller, is accountable for and must be able to demonstrate compliance with them (Article 5(2)). Personal data must be:

  • Processed lawfully, fairly, and in a transparent manner
  • Collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes
  • Adequate, relevant, and limited to what is necessary for the purpose (data minimisation)
  • Accurate and, where necessary, kept up to date
  • Kept in a form that permits identification for no longer than necessary (storage limitation)
  • Processed in a manner that ensures appropriate security (integrity and confidentiality)

3.  Lawful Basis for Processing

ST Legal Recruitment relies on the following lawful bases:

Legitimate interests: Processing candidate and client data for the purpose of matching candidates with suitable roles and providing recruitment services. A legitimate interests assessment (LIA) has been conducted and is documented.

Consent: Obtaining and storing candidate CVs and personal data where we have sought specific consent. Consent must be freely given, specific, informed, and unambiguous. Candidates may withdraw consent at any time, withdrawal must be as easy as giving consent, and the record of when and how consent was obtained is retained for as long as we rely on it.

Contract: Processing client data where necessary to perform recruitment contracts.

Legal obligation: Processing where required to comply with legal obligations, such as tax or employment law requirements.

4.  Categories of Data and Data Flows

4.1  Candidate Data: ST Legal Recruitment processes the following data in respect of candidates: personal contact details; CV, employment and academic history; right to work documentation; interview feedback; and communication records. This data is collected directly from candidates or from publicly available professional profiles.

4.2  Client Data: In respect of law firm clients, ST Legal Recruitment processes: names and job titles of contacts; business contact details; vacancy briefs and hiring requirements; and invoicing and payment information.

4.3  Data Flows: Candidate data may be shared with prospective employer law firms, subject to candidate consent. No data is shared beyond what is strictly necessary for the purpose of facilitating a specific introduction.

5.  Data Retention Schedule

Data shall be retained only for as long as necessary for the purpose for which it was collected. Once the applicable retention period has expired, the data shall be securely deleted or anonymised, including from backups and email archives as far as is practicable.

  Data category                     Retention period                                      Basis
  Active candidate records          2 years from last contact / end of active search      Legitimate interests
  Placed candidate records          6 years from date of placement                        Legal obligation (contract)
  Unsuccessful candidate records    12 months from last activity                          Legitimate interests
  Client contact records            6 years from end of business relationship             Legal obligation (contract)
  Financial/invoicing records       7 years                                               Legal obligation (HMRC)
  Website enquiry data              12 months                                             Legitimate interests
  Interview notes                   6 months post-decision                                Legitimate interests

6.  Subject Access Requests (SARs)

6.1  Any individual (data subject) has the right to request access to the personal data ST Legal Recruitment holds about them.

6.2  SARs should be directed to Saleem@STLegalRecruitment.com.

6.3  ST Legal Recruitment will respond to SARs within one (1) calendar month of receipt. Where a request is complex or the individual has made several requests, this period may be extended by up to two further months, provided the requester is told of the extension and the reasons for it within the first month. The response is free of charge unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused, with reasons given.

6.4  Upon receipt of a SAR, ST Legal Recruitment will: verify the identity of the requester; locate all relevant data held; prepare a clear and comprehensive response; and record the request and outcome in the SAR log.

7.  Data Breach Procedure

7.1  A personal data breach includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

7.2  Any suspected breach must be reported to Saleem Iqbal immediately upon discovery.

7.3  ST Legal Recruitment will assess the breach within 24 hours of becoming aware of it, contain it as far as possible, and determine whether notification to the ICO and/or to affected individuals is required.

7.4  Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, the ICO must be notified without undue delay and, where feasible, within 72 hours of ST Legal Recruitment becoming aware of it; if notification is made later than 72 hours, the reasons for the delay must be given. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected individuals must also be notified without undue delay, in clear and plain language, describing the nature of the breach, its likely consequences, the measures taken and the steps they can take to protect themselves.

7.5  All breaches, whether reportable or not, shall be documented in ST Legal Recruitment’s breach register, including: the nature of the breach; categories and approximate number of individuals affected; categories and approximate number of records affected; and the measures taken to address and mitigate the breach.

8.  International Data Transfers

8.1  ST Legal Recruitment operates across London and the Middle East (including the UAE, Saudi Arabia, and Qatar). Transfers of personal data to a country outside the UK that is not covered by UK adequacy regulations are restricted transfers and require additional safeguards.

8.2  Where candidate data is shared with employers based in the Middle East, ST Legal Recruitment will, in the first instance, put in place the ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, with the recipient, supported by a documented transfer risk assessment. Only where no such safeguard can be put in place will a transfer rely on one of the derogations in Article 49 UK GDPR, namely: (a) the data subject's explicit consent to the specific transfer, given after being informed of the possible risks of a transfer to a country without adequate protection; or (b) the transfer being necessary for the performance of a contract with the data subject, or for pre-contractual steps taken at the data subject's request.

8.3  ST Legal Recruitment will maintain records of all international transfers and the safeguards applied.

9.  Data Protection Officer (DPO)

9.1  ST Legal Recruitment is a small organisation whose core activities do not involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data, and it is not a public authority; it is therefore not currently required to appoint a formal Data Protection Officer under Article 37 UK GDPR. Overall responsibility for data protection compliance rests with Saleem Iqbal as the business owner.

9.2  As the business grows, the need for a formal DPO will be reviewed annually.

10.  Staff Responsibilities

All individuals working for or on behalf of ST Legal Recruitment must:

  • Handle personal data only in accordance with this policy and applicable law
  • Access personal data only to the extent necessary for their role
  • Not share personal data with unauthorised third parties
  • Report any suspected data breaches to Saleem Iqbal immediately
  • Complete any data protection training as required
  • Ensure personal data is stored securely and not left accessible to unauthorised persons

11.  Records of Processing Activities (ROPA)

ST Legal Recruitment maintains a Record of Processing Activities (ROPA) as required under Article 30 of UK GDPR. The ROPA records: the name and contact details of the data controller; the purposes of processing; descriptions of categories of data subjects and personal data; recipients of data; international transfers; retention periods; and security measures. The ROPA is reviewed and updated annually.

12.  Policy Review

This policy will be reviewed annually and updated as necessary to reflect changes in law, regulatory guidance, or our business operations. Any material changes will be communicated to all relevant staff.