Privacy Notice | Eden Scott

Listen To The Latest Episode of The Recruitment and Beyond Podcast

Privacy Notice

Find what you are looking for quickly 

  • Who we are
  • How do we collect data
  • What data is used, why we use it, the level of access and retention
  • Change of Purpose
  • “Special category” & “Criminal offence” personal data
  • Marketing
  • Who do you share my data with?
  • Do you transfer my data outside the United Kingdom?
  • How do you keep my personal data secure?
  • What are my rights?
  • How do I exercise my rights?
  • What if I wish to withdraw my consent?
  • Client Confidentiality
  • How do I make a complaint?
  • Contact us

Keeping your personal data safe

The privacy and protection of your personal data is important to us.

Our Privacy Notice describes how we collect, use and look after your personal data in accordance with data protection legislation (including but not limited to the General Data Protection Regulation 2016/679, the UK Data Protection Act 2018, any amending or implementing regulations or legislation, and all other relevant EU and UK data protection legislation). It explains the purposes for which your personal data is collected, who we share it with, and what rights you have in relation to our handling of your personal data.

This notice applies to all clients, candidates, employees, workers, contractors, suppliers, referees, and individuals using the services of Eden Scott, including website users (regardless of where you visit the website from). Our website is not intended for children, and we do not knowingly collect data relating to children.

Please read this Privacy Notice carefully. It is important that you read it together with any other privacy information we may provide on specific occasions when we are collecting or processing your personal data so that you are fully aware of how and why we are using your data. This Notice supplements other notices and policies and is not intended to override them. It is provided in a layered format, so you can click through and easily access the specific areas listed below.

We keep our Privacy Notice under regular review. This version was last updated in October 2023. Historic versions can be obtained by contacting us. Your continued use of the website indicates acknowledgement of the changes made to this notice.

It is important the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Who we are

Eden Scott Limited and Eden Scott (Aberdeen) Limited are Recruitment Businesses and Employment Agencies delivering recruitment solutions specialising in professional, technical, and executive markets across permanent, contract and temporary roles.

We have offices in 3 locations (Edinburgh, Glasgow and Aberdeen). We are private limited companies (company numbers SC243605 and SC362015). Both companies are registered at 132 Princes Street, Edinburgh EH2 4AH 

Under data protection laws, an organisation that decides how personal data is collected and used is a data controller. We are separate controllers for the purposes set out in this Notice and, in limited situations, Eden Scott Limited also acts as a processor on behalf of some clients who are the data controller.

We comply with data protection law, which says that personal data we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely and protected against unauthorised or unlawful use and against loss, destruction or damage using appropriate technology and procedures.

If you have any queries or concerns, you may contact us as explained in the contact us section below.

How do we collect data?

We collect data directly from people, in particular those who give us personal data when choosing to apply for work opportunities with and through Eden Scott or who register via the website or submitting application forms or a C.V., as well as those contacting the business directly (for example, by telephone) in order that we can provide a recruitment service.

We may also receive personal data about you indirectly from third parties, namely

  • On-line professional directories and social media platforms, e.g. LinkedIn, S1Jobs, C.V. Library 
  • External screening providers collecting personal data directly from you in order to conduct assessments, such as on-line personality assessments, after which information is shared with Eden Scott as part of the Assessment Centre service we offer clients.

Where applicable, we notify candidates beforehand and explain we will receive data indirectly to provide an assessment service in accordance with our client’s instructions. Those external organisations operate independently, and their own websites may include links to plug-ins, applications and third-party websites. Clicking on those links or enabling those connections may allow those third parties to collect and share data about you. We do not control those websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

As you interact with Eden Scott’s website, it automatically collects technical data about your equipment, browsing actions and patterns using cookies and other similar technologies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. 

For more information about these automated technologies or interactions, please see our Cookie Policy.

What data is used, why we use it, the level of access and retention

Personal data, or personal information, means any information about an individual from which that person can be identified.  It does not include data where the identity has been removed (anonymous data).  

We only use your personal data where there are lawful reasons to do so. Most commonly, it is in the following circumstances:

  • Where we need to perform a contract, we have entered into, or are trying to enter into, with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights, do not override those interests.

There are also circumstances where your consent is the lawful basis.

Please note we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Contact us if you need details about the specific legal ground we rely on. Also, note that we do not sell your personal data.  

We may use different kinds of personal data about you, which we have grouped in categories as follows:



  • Contact data
  • address, email address and telephone numbers
  • Criminal offence data
  • personal data relating to criminal convictions and offences or related security measures
  • Education data
  • information which relates to the education and skills, such as professional training and qualifications
  • Employment (including worker) data
  • Information relating to work or employment of a data subject, including eligibility to work in the UK, current work/employment and career history, references, interview notes, pay and pension and compensation history, leave records (such as maternity, paternity, adoption and annual leave) and also information related to work or employment of interest to candidates, such as minimum rate of pay and type of work sought and geographical range within which seeking to work.
  • Family, lifestyle and social circumstances data
  • Contact details for next of kin and/or emergency contact details, any information relating to the family of the data subject, such as details of family and other household members, as well as information about the data subject’s lifestyle and social circumstances, including whether vehicle owner or car details (for those who use the car parking facilities), travel details, leisure activities, membership of charitable or voluntary organisations, and (in the case of some data subjects) current marriage and partnerships and marital history, and any additional information about family, lifestyle and social circumstances which is provided voluntarily by candidates or staff within a resume or CV, including social media information
  • Financial data
  • Bank account and payment card details. It may also include personal data about earnings arrestment (for example for student loans and child support)
  • Identification document data
  • Information issued as an identifier by a public authority, such as passport details, national insurance numbers, identity card numbers, driving licence details, visa information
  • Identity data
  • First name, maiden name, last name, username or similar identifier, marital status, title, gender, age, date of birth and any information that identifies an individual and their personal characteristics, including physical description
  • Image data
  • Images and/or photographs, for example provided within a CV
  • Marketing and Communications data
  • Preferences in receiving marketing and communications, such as areas of interest (permanent or temporary, sector)
  • Profile data
  • Online username and password, information provided about interests and preferences, online survey responses and feedback.
  • Special category data
  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), sexual orientation, information concerning a person’s sex life or health
  • Technical data
  • Internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used
  • Transaction data
  • Details about payments to and from a data subject and other details of services purchased
  • Usage data
  • Information about how website services are used

If you share personal data with Eden Scott to engage our commercial services or provide us with service, the table below explains in summary: 

  • why we use personal data
  • what categories of personal data we use for that purpose
  • potential recipients of that personal data.

Retention periods depend on what categories of data are used and why.  Generally, we only keep personal data for as long as we provide you with our services or to achieve the purposes for which it was collected (unless you have asked us to retain your personal data for longer). We do this in accordance with our internal retention procedures, in line with our statutory obligations and good practice, after which time we securely erase or delete the personal data.

Eden Scott’s own staff, and those applying for work opportunities at Eden Scott itself, please click here for that information.


Categories of Data used

Categories of potential recipients

Retention of data by Eden Scott

  • Providing services to candidates and clients (including communication such as updates on recruitment progress and timesheets, sending documentation, administration of wage payment including tax, national insurance and pension contribution deductions)
  • Contact
  • Education
  • Employment 
  • Family, Lifestyle and Social Circumstances 
  • Financial 
  • Identification document 
  • Identity 
  • Marketing and Communications 
  • Profile 
  • Special category 
  • Technical
  • Transaction
  • Clients, by which we mean businesses or organisations recruiting and/or utilising Eden Scott services 
  • Third Party providers of services such as our pension, benefits, screening, IT (including website, database, finance systems,  payroll) and other professional advisors, such as legal advisors
  • Seven years for candidates where Eden Scott services involved work
  • For other candidates, personal data is retained for no more than two years from data of last contact with Eden Scott
  • Audit and due diligence checks, which include credit and criminal record checks in some instances, and checks to detect and prevent fraud
  • Contact
  • Criminal offence
  • Education
  • Employment
  • Family, lifestyle and social circumstances
  • Financial Identification document
  • Identity
  • Transaction
  • Disclosure Scotland and DBS
  • Credit Reference Agencies (such as Experian, Equifax, HireRight, Sterling
  • In relation to candidates where Eden Scott services involved work:
  1. up to two years for personal data within credit and criminal record checks
  2. Seven years for all other personal data 
  • For all other candidates, personal data is retained for no more than two years from data of last contact with Eden Scott
  • Direct marketing (to candidates but also on occasion clients)
  • Contact
  • Education Employment 
  • Family, lifestyle and social circumstances
  • Financial
  • Identity
  • Marketing and communications
  • Transaction
  • Kulea
  • Vincere
  • Seven years for candidates where Eden Scott services involved work
  • For other candidates, personal data is retained for no more than two years from data of last contact with Eden Scott
  • Administration of prize draws, competitions and surveys
  • Contact,
  • Employment,
  • Family,
  • lifestyle and social circumstances,
  • Financial,
  • Identification document,
  • Identity,
  • Marketing and communications,
  • Transaction,
  • Usage
  • None
  • Seven years for candidates where Eden Scott services involved work
  • For other candidates, personal data is retained for no more than two years from data of last contact with Eden Scott
  • Delivering  website content & using data analytics to measure the effectiveness of the website and improve it
  • Profile, 
  • Technical, 
  • Transaction, 
  • Usage
  • Bold Identities (website provider);  
  • Google Tag Manager
  • Personal data automatically transferred to Vincere and kept in line with GDPR. 
  • Data stored on the website database for three months 

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If you wish to get an explanation as to how such processing is compatible, please contact us.

If ever we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, or propose to enter into, and you fail to provide the data requested, we may not be able to provide you with services. In such situations, we may have to cancel a service you request from us, but if this is the case we will notify you at the time.

“Special category” & “Criminal offence” personal data

These types of particularly sensitive personal data (described in the section above) require higher levels of protection. 

We ensure that we meet legal requirements in relation to the collection, use and storage of personal data including any additional protections or measures that may be required for any special category and criminal offence personal data.  It may be processed when necessary to take steps, at your request, prior to entering a contract with you, or when necessary for the performance of a contract with you (for example when performing pre-employment background checks requested by our clients, such as financial or criminal history checks) and when you have given explicit consent.

Other examples of the further justifications which may permit its lawful use in some circumstances include 

  • For employment, social security and social protection purposes (when authorised by law)
  • To protect your vital interests
  • For reasons of substantial public interest (with a basis in law) such as preventing or detecting unlawful acts, for example fraud, suspicion of terrorist financing or money laundering, or to meet regulatory requirements or ensure equality of opportunity or treatment.  

Less commonly, we may process this type of data where it is in our legitimate interests and needed in relation to legal claims, or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the data public.


We provide you with choices regarding certain uses of personal data, particularly around direct marketing and advertising.   Our Engagement Hub gives you control of what personal data is shared with Eden Scott and at any time you can delete information using the ‘Request to be forgotten’ function.

If you’ve given us your consent, we may use data we’ve collected about you to send marketing offers and news about our services using various channels such as mail, phone, email and SMS. If you prefer not to receive any future marketing communications, you can at any time remove your consent by deleting your personal data from our Engagement Hub or alternatively writing or sending an email to our Director, Lindsey Boxall.

We won’t sell your personal data to other organisations outside of Eden Scott for marketing purposes.

Who do you share my data with?

Eden Scott Limited and Eden Scott (Aberdeen) Limited may share your personal data with one another, and the companies may also share personal data with third parties to administer the working relationship with you or, where we have another legitimate interest in doing so (for example such as enforcing our contracts and agreements, where we may pass your personal data to a third party to assist us in this enforcement, obtaining professional advice).  "Third parties" includes service providers (including contractors and designated agents). The following activities involve sharing personal data with third-parties: 

  • Pension Administration
  • Benefits Provision
  • Screening providers
  • IT Services (including storage)
  • Delivering website content and data analytics 
  • Receiving professional advice, such as legal advice and audit services.

We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. We ensure that we have written agreements in place with all such service providers who process any personal data on our behalf which require that they will comply with obligations that meet the terms of this Privacy Notice. All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies.

We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.  Any new owners may use your personal data in the same way as set out in this privacy notice.

We may be under a duty to disclose or share personal data to comply with any legal obligation or regulatory compliance, for example sharing information with HMRC. This may include where for example we are subject to a court order to disclose your personal data, or if we believe a crime or fraud is being committed, or assets are being used to fund terrorism or bribery, or where we believe that the safety of another person is at risk.

Do you transfer my data outside the United Kingdom?

Yes.  All personal data we collect is stored on our secure servers, and our CRM servers are hosted in Frankfurt.

In limited circumstances, in order to provide services to you, we may need to transfer your data outside the United Kingdom for

  • background screening checks if you have worked outside the UK
  • overseas recruitment, since some of our divisions recruit for organisations outside the UK
  • providing our services using software providers located outside the EEA, although we use providers in the EEA as much as possible 

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it.  When a country or territory is not deemed by the UK government to provide an adequate level of protection, we use specific contracts approved for use by the UK regulator giving personal data the same protection it has in the UK.  Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

How do you keep my personal data secure?

We have technical and operational security policies and procedures in place to protect the personal data we collect, use and store, against unauthorised or unlawful access or disclosure, improper use, alteration and unlawful or accidental destruction or loss.

Within Eden Scott, access to your personal data is limited to those who have a business need to know and they will only process your data on our instructions and under strict conditions of confidentiality. All Eden Scott staff who handle personal data are aware of their responsibilities under this Privacy Notice and are adequately trained and supervised. In addition, we have in place internal policies and procedures including the following:

  • We encourage a clear desk policy and do not use or retain paper files and records except where this is necessary;
  • We use all appropriate encryption and password protection and up to date anti-virus software on our systems.

What are my rights?

Under certain circumstances, by law you have the right to make the following requests:

Request access to your personal data (commonly known as a "data subject access request")

This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it 

Request correction of the personal data that we hold about you.

This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data.

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).  Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data

Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground unless, we can demonstrate compelling legitimate grounds for the processing which override your individual interests or for the establishment, exercise or defence of legal claims. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request the restriction of processing of your personal data.

This enables you to ask us to suspend the processing of personal data about you, for example, if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal data.

This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.  You can request transfer to you or to a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

For the avoidance of doubt, we do not use automated decision making in the processing of personal data.

How do I exercise my rights?

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer an electronic copy of your personal data to another party, please contact Lindsey Boxall, Director –, 132 Princes Street, Edinburgh, EH2 4AH in writing.

All requests will be considered without undue delay and within one month of receipt as far as possible .No fee is usually required, however, we may charge a reasonable fee if your request for access is requires extreme or unique measures. Please note that we may in limited circumstances refuse a request, where we have compelling legitimate grounds, or where prevented by obligations of confidentiality or legal privilege.

What if I wish to withdraw my consent?

In the limited circumstances where you may have provided your consent to use of your personal data for a specific purpose, you have the right to withdraw consent at any time. To do so, please contact Lindsey Boxall, Director. 

Client Confidentiality

Nothing in this notice affects our professional obligation to keep the affairs of our clients confidential.

How do I make a complaint?

You have the right to make a complaint about anything regarding the processing, storage, retention of your data. We would hope to resolve any complaint internally and if you would like to lodge a complaint with us in the first instance please contact Lindsey Boxall,
However, you also have the right to lodge a complaint at any time to the Information Commissioner (ICO) in respect of our processing of your personal data. Information can be found at

Contact us

If you have any queries regarding this notice, please email or write to Lindsey Boxall, Eden Scott, 132 Princes Street, Edinburgh, EH2 4AH