Lascaux Partners (“Lascaux”, “we”, “us” and “our”) are committed to respecting individual’s privacy. We are registered in the UK and our registered address is 32 Church Road, Hove, East Sussex, BN3 2FN, and our company registration number is 08354319.

About this Privacy Notice

For the purposes of data protection law, we are the controller in respect of your personal data. Lascaux Parters are responsible for ensuring that we use your personal data in compliance with the data protection law. This privacy notice sets out the basis on which any personal data about you that you provide to us, that we create, or that we obtain about you from other sources, with by processed by us.

We collect and process the following personal data about you:

  • Information that you provide to us. This includes information that you give us directly by communicating with us, whether face-to-face, by phone, email or otherwise. This information may include (by way of a non-exhaustive list):
    • Basic personal data such as first name; family name; email address; phone number; occupation and job title).
  • Information that we collect or generate about you. This includes (by way of a non-exhaustive list):
    • Files that we may produce as a record of our relationship with you including contact history
  • Information we obtain from other sources. This includes (by way of a non-exhaustive list)
    • Information from publicly available sources
    • Information obtained from other agents or industry contacts.

“Legitimate Interests” means the interests of our company in conducting and managing our business to enable us to source candidates and new opportunities for our clients, in a secure manner.

We have an interest in ensuring our approaches to an individual is relevant, so we may process your information to send you information regarding mandates that is tailored to your interests and suitable to your experience.

When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Lascaux Partners does not use automated decision making to form decisions relating to the individual with the personal information that we may have on file.

We do not collect any special categories of personal data, as defined under the GDPR. Our products and services are not aimed at children.

Retention Policy

How long we hold your personal data for will vary but in accordance with the new GDPR regulations, data may not be stored any longer than for the sole purpose of that collection. Using legitimate interest as the primary basis of data collection and storage, we maintain that with the knowledge of the individual concerned, that we can store information in the legitimate interests of our company for the basis of processing for a period of 2 years. From this point onwards, should there not have been subsequent engagement with an individual, we will reconsider the purpose

This is with the exception of circumstances whereby the data subject has requested the erasure of data or the restriction of processing. During the retention period, we will ensure periodical reviews of the data retained to ensure the data is correct, and we will not retain any data which is considered within the specialist category

Individual Rights

You can exercise your rights by contacting us using the details:  In addition, you can find out more information about your rights by contacting the Information Commissioner’s Office, or at

Right to be Informed:  Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. Individuals will be provided with information as part of the privacy information including; purposes for processing their personal data, retention periods for that personal data, who it will be shared with.

Right of Access:  Individuals have the right to access their personal data and supplementary information. This allows individuals to be aware of and verify the lawfulness of the processing. Individuals may request a copy of this information, and this will be provided free of charge within one month.

  • Confirmation their data is being processed
  • Access to their personal data
  • Information provided in a clear, concise and transparent manner outlined within the privacy notice.

Right of Rectification:  Individuals have the right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request may be made verbally or in writing. This right to rectification is outlined as part of the controller’s obligations under the accuracy principal.

Right of Erasure:  Individuals have a right for individuals to have personal data erased, also known as ‘the right to be forgotten’. This request could be made verbally or in writing. This right applies to:

  • The data is no longer necessary for the purpose which you originally collected or processed it for
  • Relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
  • Relying on legitimate interests as the basis for processing, the individual objects, and there is no overriding legitimate interest to continue this processing
  • Processing the data for marketing purposes and the individual objects to that processing
  • Processed the data unlawfully
  • To comply with a legal obligation
  • Processed the personal data to offer information society services to a child

If disclosed the personal data to others, we will contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. Lascaux Partners has one month to comply, on receipt of a reasonable request.

Right to Data Portability:  Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right only applies:

  • Personal data an individual has provided to a controller
  • Processing is based on individual consent or for the performance of a contract
  • When processing is carried out by automated means

If requested, data must be provided in a structured, commonly used and machine-readable form, and it will be free of charge.

Right to Lodge Complaint with Supervisory Authority:  Without prejudice, every data subject shall have the right to lodge a complaint with a supervisory authority.

Detail of Transfer to Third Country / Client:  The GDPR imposes restrictions on the transfer of the personal data outside of the EU, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.



Personal Data:  Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one that can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

Controller:  The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data, where the purposes and means of processing are determined by EU laws. The controller may be designated by those laws.

Processer:  A natural or legal person, Public Authority, Agency or other body which processes personal data on behalf of a data controller.

Processing:  Any operation or set of operations performed on personal data or on sets on personal data, whether or not by automated means. Operations performed may include collection, recording, organisation, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or deletion.

Profiling:  Any form of automated processing of personal data where personal data is used to evaluate specific or general characteristics relations to an identifiable natural person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

Lawful Basis:  Under EU data protection law, there must be a lawful basis for all processing of personal data (unless an exemption or derogation applies). At Lascaux Partners, this pertains to Consent or Legitimate Interests as we do not process special category data.

Consent:  Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Legitimate Interests:  Processing is permitted if it is necessary for the purposes of legitimate interest pursued by the controller (or by a third party to whom the data are disclosed) expect where the controller’s interests are overridden by the interests, rights or freedoms of the affected data subjects.

LIA:  Legitimate Interest Assessment (LIA) used to establish and assess whether or not they can rely on Legitimate Interests as a Lawful Basis for processing personal data under the GDPR. This is a balancing test to establish interests pursued by the controller vs rights and freedoms of the data subject. This will be carried out, using a template, and stored and continually updated as a basis for processing of personal data.

Special Category:   Personal data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.

Third Party:   A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. Any company doing business in the EU is responsible for third parties that are processing personal data on behalf of the company (controller).

Data Portability:  The right of the data subject to transfer personal data from one organisation (controller) to another organisation or to the data subject in the context of digital personal data (sets and subsets) and automated processing. The rights to data portability 1) allows data subjects to receive personal data they provided to a controller in a structured, commonly used and machine-readable format, and 2) to transmit those data to another controller.

Get in touch