Spencer Stuart is committed to protecting the privacy of your personal data. This statement summarizes our policy on what personal information we have, how we handle and protect it and what rights you have in relation to your data.
What Personal Data Do We Collect?
Spencer Stuart is a leadership consulting firm specialising in advisory and search services, which handles a variety of personal data necessary to provide such Services (please see a list of our services here). The type of information depends on our relationship with you.
Candidate / Participant
The categories of personal data we collect may include the following information and identifiers of individuals: name, contact information (e-mail address, address, telephone number), professional experience, photographs, individual capabilities, qualifications, professional style profile, peer reviews, executive competencies, interview notes as well as recordings and transcripts of such (if applicable). This data may be obtained directly from you, through publicly available sources, your professional networking profile, news reports, and/or third parties such as our clients, professional partners, sources/referees, and/or our authorized background check/verification providers. If you are an executive search candidate, in addition to the information listed above, we may collect information regarding your education history, languages, social activities, compensation details (where permitted by applicable legislation), information relating to references, offer letters, identification data (civil/marital status, gender, nationality), and contact history.
In order to align our processes with our commitment to ensuring equal opportunities, we may collect information about you (in the appropriate circumstances and in accordance with applicable local law) which may be classified as diversity information (or protected legal characteristics under California or federal law), such as your racial or ethnic background, gender, disability, age, sexual orientation, religion or beliefs, and/or socioeconomic background. Additionally, as some of our clients may be subject to employment diversity requirements, Spencer Stuart may be required to share such information insofar as it pertains to the assignment you are a part of. Providing this additional information is voluntary and declining to do so will not affect any assessment or search.
If you participate in our Individual Style Profile, Executive Intelligence (ExI) evaluation, Coaching Programmes, Organizational Culture Evaluations, or are assessed as part of our services, in addition to the information listed above, we may collect information regarding your responsibilities at work, character traits, details regarding your employment and development preferences, as well as any other information and responses you may provide through evaluative measures or surveys. Providing additional personal data such as age, gender, and ethnicity is voluntary and will not affect the assessment results.
Referee or Source
If you provide a personal reference or feedback for an individual (depending on the circumstances we may classify you as a Referee or Source), we may collect and process your name, contact details, certain professional and employment details (such as title, occupation, qualifications and employment history), references and feedback, and your connection to the individual. We may collect this information directly from you, the individual, or publicly available sources. Any reference or feedback you provide about an individual would not be attributed to you if shared with third parties unless you allow us to do so.
Client or Supplier
If you are a Spencer Stuart client or supplier, data collected will typically comprise your contact details (such as name, telephone number, address, email address, job title, and business record related to the services).
How Do We Use Your Personal Data?
We will process your personal data in the context of providing our Services and maintaining our business relationship with you. This may include contacting you about an assignment, verifying profile details, identifying, assessing and evaluating individuals, and/or presenting our insights, analysis or reports to our clients.
We may also use the data in circumstances such as the following:
as part of a press check or background check, including; verification of educational or professional credentials;
to help support and improve our business operations (e.g. interview transcription (if applicable), audit procedures, security processes, document storage, maintenance of our systems and infrastructure, data analytics, benchmarking, statistics, creating knowledge pieces, determining the effectiveness of our Services);
to share marketing and promotional materials (e.g., intellectual capital, thought leadership pieces, etc.);
to invite you to an industry and/or role-specific event (e.g., forum, charity event, etc.);
to work with partners, sponsors and vendors, including third-party travel agencies;
maintaining business records, including those related to our Services;
to exercise our legal rights, protect your interests or as required by applicable law;
We strive to ensure that your personal data is accurate, complete, and current. Your data will only be used in a way that is compatible with its intended use and will not be processed in any way that is contrary to what is outlined in this policy. We will not sell your personal data.
What is our Legal Basis for Processing your Personal Data?
Spencer Stuart’s legal basis for processing your personal data in the context of providing its Services will depend on the personal information and processing activity involved and the specific context in which it was obtained. This can be:
our legitimate business interest, provided the processing of such information is not overridden by your own interests or your fundamental rights and freedoms. For example: managing, operating or promoting our business, building and maintaining relationships with you, our clients and vendors, analysing and improving our Services, managing our IT systems (including audits);
your consent, where required by applicable law. For example: for background checks, for any potentially sensitive information that may come to light during interviews, for employment diversity requirements, for recorded interview sessions; or
- our compliance with legal and regulatory requirements under applicable laws such as: keeping records for tax purposes or for accounting, or providing information to public authorities.
Where the Personal Data is Held and How It Is Transferred
Personal information is held on Spencer Stuart’s secure global proprietary database, which is accessible to Spencer Stuart offices worldwide. A list of our offices can be found on our website (www.spencerstuart.com/locations). In order to guarantee that the appropriate and suitable safeguards for the protection of your personal data are in place, in addition to the privacy practices set out in this policy, Spencer Stuart has a set of Binding Corporate Rules. These Binding Corporate Rules are a commitment by Spencer Stuart to adequately protect personal information of data subjects, regardless of where the data resides. A full copy of our Binding Corporate Rules can be found here.
Spencer Stuart may, in the course of our business, transfer your information to clients, partners, or approved third-party providers (such as background check providers, or travel/catering related service providers) in the context of the activities outlined in this policy.
We may disclose personal information where required by law or in connection with any legal claims, subpoenas, warrants or other governmental/regulatory/judicial requests. If Spencer Stuart receives a lawful access request from a third-country authority, our best efforts will be made to use all legal, technical, organizational, and supplementary measures available to limit the data that can be accessed in order to support the protection of your rights. We may disclose data where necessary to exercise, establish, or defend our legal rights, or to protect your vital interests or those of any other person.
Information Security and Integrity
Spencer Stuart has implemented appropriate legal, physical, organizational, and technical security measures and procedures to safeguard personal information collected, ensure its proper use and prevent against accidental loss, unauthorized access, or unlawful processing. These measures are periodically reviewed and updated to remain aligned with legal and technological developments. Such measures include but are not limited to contractual provisions (e.g., Binding Corporate Rules, Standard Contractual Clauses, standardised data protection clauses), encryption, pseudo-anonymisation, logical separation, and access security.
How Long Do We Retain Your Personal Data?
Spencer Stuart will retain your personal data for as long as the data is needed in connection with the purposes for which it is being processed and depending on the nature of our relationship with you.
Specifically, we will retain personal data for as long as we have your consent or a legitimate interest to do so. We may also be required to retain certain personal information (i) for our business records (ii) to show that we have fulfilled our obligations towards relevant parties such as our clients and candidates, or to continue meeting any of our obligations once we have completed an assignment in which you may have been involved in, (iii) for us to be able to establish, exercise or defend our legal rights, or (iv) to otherwise comply with our legal obligations.
Once the need to retain your data has expired, we will delete or anonymize it in accordance with data minimization principles. If this is not possible at the time, (for example, because your personal information has been stored in backup archives) then we will securely store your personal information and isolate it from any further processing until deletion is possible.
You have the right to access, erase, correct, update, or complete your personal data, or to request no further contact from Spencer Stuart. Additionally, to the extent permittable under applicable laws, you have the right to request the transfer of your personal data to a third party, to object to our use of your personal information, or to object to certain types of processing of your personal information. You can also withdraw your consent at any time; however, such withdrawal will not affect any processing performed prior to your withdrawal, nor will it affect processing on the basis of other lawful grounds. Should you request that we delete your personal information, please note that we may keep a minimal amount of data for record keeping purposes (for example, to record your wish for your data to be deleted). If you wish to exercise any of these rights, you may contact firstname.lastname@example.org. Additionally, you may bring a complaint to the relevant data protection authority about our processing of your personal information
If you are a California resident, you have certain rights under the California Consumer Privacy Act of 2018 (“CCPA”). Specifically, you may request the categories of personal data we have collected, the sources of such personal information, and the specific pieces of personal data we have collected about you. If applicable, you may also request the business or commercial purpose we have for collecting your personal data, the categories (outlined above) of your personal data we have shared or disclosed, and the categories of third parties to whom we have shared or disclosed such personal data. You also have the right to request the deletion of your personal data. To exercise any of your rights, you may contact the email address above (email@example.com), or you may call us at 1 (844) 390-CCPA (1-844-390-2272). We will not discriminate against you for exercising any of your rights pertaining to your personal data.
Data Privacy Framework (“DPF”) Certification
For certain personal data we receive as a data controller on behalf of certain clients or candidates, Spencer Stuart has certified its compliance under the EU-U.S. Data Privacy Framework (“EU DPF”), the United Kingdom Extension to the EU-U.S. Data Privacy Framework (“UK DPF”), and the Swiss-U.S. Data Privacy Framework (“Swiss DPF”). We refer to these three programs collectively as the “DPFs.” The DPFs are designed in accordance with the principles required by the relevant location sending data to the US (“DPF Principles”).
Accordingly, Spencer Stuart receives transfers of personal data from certain clients and candidates under (1) the DPFs, (2) under our Binding corporate Rules, (3) under Standard Contractual Clauses, or (4) through one or more derogations under GDPR Article 49, or its UK or Swiss equivalent, depending on the situation and our contract with our client.
In more detail:
Spencer Stuart has certified to the U.S. Department of Commerce that it adheres to the DPF Principles with regard to the processing of personal data received from the relevant DPF, i.e., personal data within the scope of that certification that we receive from enterprise customers in reliance on that certification.
Pursuant to the DPF, individuals whose personal data is transferred to us under the DPF have the right to obtain our confirmation of whether we maintain personal data relating to them in the United States. They also have the right to access, correct, amend, or delete the data we hold about them. An individual who seeks access to their data, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the DPF should direct their query to firstname.lastname@example.org.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Spencer Stuart’s accountability for personal data that it receives from such data subjects under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, Spencer Stuart remains responsible and liable under the DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the DPF Principles, unless Spencer Stuart proves that it is not responsible for the event giving rise to the damage.
In compliance with the DPF Principles, Spencer Stuart commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF. As such, Spencer Stuart is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Individuals with DPF inquiries or complaints should first contact Spencer Stuart by email at email@example.com. If we do not respond to your DPF complaint within 45 days or resolve your DPF complaint to your satisfaction, Spencer Stuart has further committed to cooperate with one of two different independent dispute resolution mechanisms for resolution of your DPF complaint (depending on the context), both of which are provided to you free of charge:
For DPF complaints not in the context of the employment relationship: Spencer Stuart will cooperate with the dispute resolution mechanism operated by BBB National Programs. You can visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint.
For DPF complaints in in the context of the employment relationship: In compliance with the EU DPF, the UK DPF, and the Swiss DPF, Spencer Stuart commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of human resources data received in reliance of the EU DPF, the UK DPF, or the Swiss DPF in the context of the employment relationship.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See the EU DPF Annex 1 at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf and the Swiss DPF Annex 1 at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-sw-dpf.
Changes to this Policy
We may occasionally update this policy. Any material changes made will be posted on this page and the appropriate measures will be taken to keep you informed. Please visit this page on a regular basis to ensure that you remain up to date with our policy.