Effective date: 24 May 2018


Carnall Farrar Ltd (“CF”, “we”, “us”, or “our”) is dedicated to protecting personal data. We comply with the EU General Data Protection Regulation (GDPR). This Privacy Policy describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us by individuals themselves or by others. CF may use personal data provided to us for any of the purposes described in this Privacy Policy or as otherwise stated at the point of collection.

Personal data means any information relating to an identified or identifiable natural person. CF processes personal data for a number of reasons, and the means of collection, lawful basis of processing, use, disclosure and retention periods for each reason will differ.

Who can you contact for privacy questions or concerns?

If you have questions or comments about this Privacy Policy or how we handle personal data, please contact [email protected] or write to 12th Floor, 1 Lyric Square, Hammersmith, London, W6 0NB.

You may also contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/ to report concerns you may have about our data handling process.

How do we collect personal data?


We obtain personal data directly from individuals in a number of different ways. These can include from:

  1. Business cards
  2. Job applications
  3. Office visits
  4. Meeting attendances

We may also obtain personal data directly when we are establishing a business relationship, performing professional services through a contract, or through our hosted cloud applications.


We obtain personal data indirectly from a number of sources. These can include from:

  1. Recruitment services (such as agencies and former employers)
  2. Bought-in marketing lists
  3. Public registers
  4. Framework agreements
  5. Internet searches
  6. News articles

We may also obtain personal data indirectly from our business clients. This will be in the event that our business clients engage us to perform professional services and personal data that they control will be shared as part of that engagement. For example, we may need to review workforce data that will inevitably contain personal data. Our services may also include processing personal data under our clients’ control of our hosted cloud applications, which may be governed by different privacy terms and policies. As part of our work with the NHS we process pseudonymised data from NHSE. This data covers attendance, appointments and contacts from A&E, Inpatients, Outpatients, Critical Care, Community Services and Diagnostic imaging data.

What are the categories of personal data that we collect?

We may obtain the following three categories of personal data through either direct interactions, client engagements, suppliers, job applications or other situations including those described in this Policy.

Personal data

Personal data we commonly collect to conduct our business activities include:

  1. Financial information (e.g. bank details)
  2. Family and beneficiary details for insurance and pension planning services (e.g. names and dates of birth)
  3. Professional details (e.g. career history, education, professional memberships)
  4. Contact details (e.g. name, job title, contact number, email address, postal address)

Special categories of personal data

We usually do not collect special categories of personal data about individuals. In the event that we do process special categories of personal data, it is with the explicit consent of the individual unless it is obtained indirectly for legitimate purposes. Examples of special categories of personal data we may obtain include:

  1. Information provided to us by clients in the course of a professional engagement
  2. Dietary restrictions or access requirements when registering for in-person events that reveal religious beliefs and/or physical health information
  3. Personal identification documents that may reveal race or ethnic origin

Personal data relating to criminal convictions

We may obtain personal data about employees that reveal information about criminal convictions.

What are the lawful bases we use for processing personal data?

In order to process personal data, we must have a lawful basis for doing so. We may depend on the following lawful bases when collecting and using personal data to perform our business activities and provide our services:

  1. Legal obligations and public interests: We may process personal data to meet certain regulatory and public interest obligations or mandates
  2. Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. Examples include:
       • Direct marketing – to deliver insights and knowledge we believe are welcomed by our clients, subscribers and those who have interacted with us
       • Provision of employee benefits such as eye care vouchers – to raise staff morale and satisfaction
  3. Consent – we may rely on your freely given consent
  4. Contract – we may process personal data in order to perform contractual obligations

Why do we need personal data?

We will always endeavour to explain our rationale for collecting personal data and maintain transparency throughout. Reasons can include:

  1. Providing professional advice and delivering reports related to our professional services
  2. Promoting our professional services to existing and prospective business clients
  3. Travel arrangement assistance
  4. Seeking qualified candidates
  5. Fulfilling employment or contractual obligations 

Do we share personal data with third parties?

Sometimes we may share personal data with trusted third parties to help us deliver effective and quality services.

These recipients are either contractually bound to safeguard the data we entrust them or will sign an agreement to ensure this is the case.

Recipients that we engage with can include:

  1. Parties that support us as we provide services (e.g. IT system support, providers of telecommunication systems, document production services and cloud-based software services)
  2. Sub-contractors and partner organisations involved in delivering our professional services
  3. Professional advisers such as lawyers and insurers
  4. Recruitment service providers
  5. Law enforcement and regulatory agencies

Do we transfer personal data outside the European Economic Area (EEA)?

We endeavour to store personal data on servers located in the EEA. In the event that we store personal data outside the EEA, we will always ensure that appropriate safeguards are in place to guarantee individuals’ rights remain enforceable (such as the EU-US Privacy Shield).

Do we use cookies?

Our website may use cookies. Where cookies are used, a statement will be sent to your internet browser explaining the use of cookies. More information can be found on our cookie policy at http://www.carnallfarrar.com/cookie-policy/.

What are your data protection rights?

Your rights are outlined below. To submit a request, please email [email protected]

The right of access to personal data

  • You have the right to access your personal data held by us.

The right of rectification

  • You have the right to request the correction of personal data held by us to the extent that it is inaccurate or incomplete.

The right to data portability

  • You have the right (in certain circumstances) to obtain personal data in a format to allow you to transfer it to another organisation.

The right to withdraw consent

  • You have the right to withdraw consent at any time, and the process to withdraw consent will be as easy as the process to give consent.

The right to object

  • You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
  • This right also applies to direct marketing and processing for purposes of scientific/historical research and statistics.

The right to restrict processing

  • You have the right (in certain circumstances) to “block” or suppress the processing of your personal data.

The right to object to automated decision making (including profiling)

  • You have the right (in certain circumstances) to object to automated decisions (including profiling) based upon the processing of personal data and request human involvement.

The right to erasure/to be forgotten

  • You have the right (in certain circumstances) to request the deletion of personal data where there is no compelling reason for its continued processing.

We may request specific information from you to help us confirm your identity and therefore ensure your rights. This will help us guarantee that personal data is not disclosed to any person who has no right to receive it.

No fee is required to make a request. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

Personal data security

The measures we use to ensure personal data security include:

  1. Putting in place policies and procedures to protect personal data from loss, misuse, alteration or destruction.
  2. Making sure that access to personal data is limited only to those who need access to it and that confidentiality is maintained.
  3. Applying pseudonymisation and anonymisation techniques to further protect the data.

Please be aware that the transmission of data via the Internet is not always completely secure. Whilst we will do our utmost to protect the security of your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

How long do we retain personal data?

We retain personal data to:

  1. Provide our services
  2. Stay in contact with you
  3. Comply with applicable laws, regulations and professional obligations that we are subject to

Unless a different time frame applies as a result of business need or specific legal, regulatory or contractual obligations, where we retain personal data in accordance with these uses, we retain personal data for seven years.

We will dispose of personal data in a secure manner when we no longer require it.

Job applicants, current and former CF employees

Personal details you provide in your application for a job opening at CF, including the Consultancy Graduate Scheme, will be used by us to process your application in accordance with the GDPR and other applicable laws.

Third parties

We may also share your data with approved organisations for fraud prevention purposes or with other third-party suppliers working on our behalf, such as employment verification service providers.

Data retention

In all instances, we take steps to ensure that an adequate level of protection is given to your personal data. Any information provided will only be stored for the necessary amount of time required, after which it will be safely destroyed. By submitting your application you are agreeing to your data being processed in accordance with these terms.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

In exceptional cases, the personal data of candidates may be kept for a longer period than stated above. This is in the event that your application is part of a resident labour market test, the guidelines of which are determined by the Home Office.

Upon employment

Once a person has taken up employment with CF, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete or anonymise it. 

Visitors to our websites

When someone visits http://www.carnallfarrar.com:

  1. We collect standard internet log information and details of visitor behaviour patterns.
  2. We do this to find out things such as the number of visitors to the various parts of the sites.
  3. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.
  4. We will not associate any data gathered from these sites with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, for example during the Consultancy Graduate Scheme application process, we will be upfront about this.

Links to other websites

On our website (http://www.carnallfarrar.com/) and its subdomains, we may provide links to other websites – known as external links. This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

External links are selected and reviewed when the page is published. However, we are not responsible for the content of external websites we have no control over. The content on external websites can be changed without our knowledge or agreement.

Some of our external links may be to websites which also offer commercial services, such as online purchases. The inclusion of a link to an external website from our website should not be understood to be an endorsement of that website or the site’s owners, their products or services.

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy.

Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Changes to this privacy policy

We keep our privacy notice under regular review. This privacy notice was last updated on 24 May 2018.