Data Privacy & Protection Policy: Owen Thomas
This Privacy Notice explains how Owen Thomas collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Owen Thomas is the data controller responsible for the processing of your personal data. This policy covers all recruitment and operational activities under the Owen Thomas and The Bio Collective brands.
We are registered in England and Wales and with the Information Commissioner’s Office (ICO). If you have any questions regarding your information, please contact us using the details at the end of this notice.
2. Personal Data We Collect
We collect various types of personal data to deliver recruitment services within the tech and life sciences sectors. This includes:
- Contact Information: Name, address, email, and phone number.
- Professional Background: CVs, work history, education, and qualifications.
- Financial Information: Payment details for invoicing, payroll, or contract placements.
- Demographic & Diversity Data: Gender, location, and age (collected to support our B Corp ESG targets and ensure inclusive hiring).
- Digital Usage: IP address and browser type to improve our website functionality.
3. Purpose and Legal Basis for Processing
We process your data to:
- Provide Recruitment Services: Matching candidates with suitable roles at our client companies.
- Fulfill Contracts: Managing placements, payroll, and service agreements.
- Communication: Responding to inquiries and providing industry updates.
- Improve Diversity: Analyzing our placement splits (e.g., male/female ratios) to meet our B Corp ESG commitments.
- Legal Compliance: Meeting tax, right-to-work, and employment regulation requirements.
Legal Bases:
- Contractual Necessity: To fulfill our service agreements with you.
- Legitimate Interests: To run and grow our business, including marketing and service improvement.
- Consent: Where you have explicitly opted in (e.g., for marketing materials).
4. Data Sharing and Disclosure
We may share your data with:
- Prospective Employers: Sharing candidate profiles with clients during the recruitment process.
- Service Providers: Trusted partners who support our operations (e.g., Bullhorn, Microsoft 365, Revolut).
- Legal Authorities: When required by law or valid legal requests.
We do not sell or rent your personal data to third parties for marketing purposes.
5. Data Retention & Security
- Retention: We keep your data only as long as necessary to provide our services or meet legal obligations.
- Security: We use high-standard technical measures (including cloud-native encryption and restricted access) to protect your data. As a digital-first company, we prioritize providers like Google and Microsoft who maintain industry-leading security certifications.
6. Your Rights
Under the GDPR, you have the right to Access, Rectify, Erase, or Restrict the processing of your data. You also have the right to Data Portability and the right to Object to specific processing activities.
To exercise any of these rights, please contact our Operations Manager.
7. Data Scraping and AI
We take active steps to protect our candidates’ and clients’ data from unauthorized automated collection (scraping). Any data obtained via unauthorized bots is not intentionally provided by Owen Thomas and may be inaccurate. We reserve the right to take technical and legal action against unauthorized scraping.
clare@owenthomas.io
Last Updated: February 2026
GDPR Policy
Owen Thomas (“the Company”) is committed to protecting the privacy and personal data of individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy covers all operations under the Owen Thomas and The Bio Collective brands.
2. Scope
This policy applies to all personal data processed by the Company, including recruitment for tech and life sciences, marketing, compliance, HR, and contractor services. It applies to all employees, contractors, and third parties who process or have access to personal data on behalf of the Company.
3. Data Collection and Processing
The Company shall collect and process personal data only where it is necessary for legitimate business purposes.
- Source: Personal data will be obtained directly from the individual or from verified third-party sources with appropriate consent.
- Accuracy: All personal data collected shall be accurate, kept up to date, and securely stored in line with internal retention protocols.
- Diversity Data: We may collect demographic data to support our B Corp social impact goals and ensure inclusive hiring practices.
4. Lawful Basis for Processing
The Company shall ensure that personal data is processed lawfully and transparently. Lawful bases include:
- Consent: Explicit consent from the individual.
- Contract: Necessary for fulfilling employment or recruitment contracts.
- Legal Obligation: To comply with tax, right-to-work, or employment laws.
- Legitimate Interests: To run and improve our recruitment services, provided these do not override the individual’s rights.
5. Data Subject Rights
Owen Thomas respects all data subject rights under the UK GDPR, including the rights to:
- Access & Be Informed: To know what data we hold and why.
- Rectification & Erasure: To correct errors or request deletion (“Right to be Forgotten”).
- Object & Restrict: To stop or limit specific processing activities.
- Portability: To receive data in a machine-readable format.
6. Data Security
We implement high-standard technical measures to protect data from unauthorized access or loss.
- Cloud Security: We prioritize industry-leading, secure platforms such as Bullhorn, Microsoft 365, and Google.
- Training: All staff and contractors receive regular data protection training.
- Audits: We conduct regular internal reviews to ensure our data practices remain resilient.
7. Data Retention
The Company shall retain personal data only for as long as necessary to fulfill the recruitment or legal purpose for which it was collected. Specific retention periods are defined in our internal Data Retention Schedule.
8. Data Breach Response
In line with Article 33 of the UK GDPR, any suspected data breach will be escalated immediately. Where necessary, the Company shall notify the Information Commissioner’s Office (ICO) within 72 hours.
9. Third-Party Processors
We only engage third-party processors who provide sufficient guarantees regarding GDPR compliance. All partnerships are governed by binding contractual clauses covering confidentiality and security.
10. Compliance Monitoring
This policy is reviewed annually or in response to changes in legislation. Non-compliance may result in disciplinary action or termination of contracts.
11. Contact Information: clare@owenthomas.io
Last Updated: February 2026
