Privacy Policy

Last updated May 2026.

Privacy Policy

Who are we?

We are Sigma Recruitment Ltd, Titan House, Cardiff Bay Business Centre, Cardiff, CF24 5BS. Company Registration Number 05659374. We are registered with the Information Commissioner’s Office (ICO) under registration number Z9312187. We provide recruitment services to clients/prospective clients looking to recruit personnel for their businesses.

What does this Policy cover?

This Privacy Policy explains our use of personal data for the individuals listed below. It is published under UK GDPR and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025.

Scope of Sigma’s controllership

Sigma Recruitment Ltd is the controller of personal data held in its business systems, including the Sigma email environment, the Sigma CRM, candidate and client records, finance and HR systems, and recordings of business meetings and calls. Sigma is not the controller of personal correspondence carried by Sigma directors on company devices for purely personal or household matters (for example, a director arranging private services at their home address). That correspondence is processed by the director as an individual data controller, not by Sigma, and is outside the scope of any subject access request made to Sigma.

What personal data do we collect, and why do we use it?

The following information explains who we collect personal data about, what that personal data is and the purpose we process it for. We also set out the ‘lawful basis’ we rely on for processing that personal data, which is a requirement of UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). Companies may only process personal data if they can identify a lawful basis from a list set out in the legislation.

Candidates/Prospective Candidates

Personal Data – Including but not limited to name, contact details (address, email, phone numbers), CVs, identification documents, educational records, profile picture, work history, telephone call recordings including AI-generated transcripts, links to social media profiles, employment record, video (where a video interview is completed), recording of online meetings via Teams, Zoom or similar (audio and video) and references, correspondence, meeting transcripts and notes including AI-generated, remuneration details and other personal data provided by you as part of the recruitment or engagement process. To opt out of recording please inform Sigma during the telephone call or meeting. We do not routinely process special category data and instruct candidates not to supply it. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights. We will consider any request for rectification of inaccurate notes under Article 16 UK GDPR.
Source and Purpose – We mainly collect this information directly from you during the recruitment, engagement and onboarding stages. Where you apply directly to a Sigma job advert placed on a job board, we will receive your application details from that job board and treat this in the same way as a direct application. We will add your details to our candidate database and may contact you about the role you applied for, other current or future roles relevant to your experience, and related recruitment services, unless you ask us not to. Sometimes we may also source candidates via job boards (Totaljobs, Jobsite, CV-Library, Indeed, Reed, or similar) on which you have posted a CV. Sometimes we collect information from other third parties, such as an agent acting on your behalf, an interim manager or from a third-party recommendation or a person giving a reference for you. We do use some publicly available sources to find information about potential candidates, specifically LinkedIn and company websites.
Attention is drawn to the following: 1) where we present your details to a client, the client will act as its own separate data controller under UK GDPR and the Data Protection Act 2018; 2) if you apply for a job that is no longer live, we may retain your details and contact you about other jobs in the future unless you ask us not to; and 3) if you apply for a position and don’t hear from Sigma within 14 days, then you have not been successful in your application.
Lawful Basis for Processing – Most of the processing is necessary for our legitimate interests of assessing suitability for potential roles and finding potential candidates for clients. Outreach to you about roles is based on our legitimate interests where you have submitted your details via our website, applied to a Sigma job advert placed on a job board, made your CV publicly available on a job board, been recommended by an agent representing you, or provided your contact details in a professional context, and the outreach is relevant to your experience and job-seeking activity. On first contact we provide a data collection notice. This is delivered through one or more of the following channels: a welcome email sent within a few days of your application or your details being added to our database, the privacy information included in our standard email signature, the opt-out wording in our SMS messages, or verbal information provided by a consultant on a phone call. All channels reference this Privacy Policy and explain how to opt out of further communications.
Retention Period: Where we present your details/CV to a client, then we keep your relevant details for up to 6.5 years, if we add you to our candidate database, up to 3.5 years. If you apply for a position and are not added to the database, records are only kept for up to 6 months. Note that these retention periods are based on your last activity date with us.

References/Referees

Personal Data – Contact details (address, email, phone numbers), links to social media profiles, profile picture, and correspondence details. Telephone call recordings including AI-generated transcripts, links to social media profiles, video (where a video interview is completed), and recording of online meetings via Teams, Zoom or similar (audio and video), meeting transcripts and notes, including AI-generated. To opt out of recording please inform Sigma during the telephone call or meeting. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights.
Source and Purpose – Reference contact details may be given to us by candidates as part of the recruitment process. Other personal data about referees are given to us by you directly.
Lawful Basis for Processing – Our legitimate interest as a business in obtaining references on candidates.

Individuals who contact us with general queries

Personal Data – Any details provided, correspondence, links to social media profiles, profile picture, and any other data supplied. Telephone call recordings including AI-generated transcripts, links to social media profiles, employment records, video (where a video interview is completed), and recordings of online meetings via Teams, Zoom or similar (audio and video), meeting transcripts and notes, including AI-generated. To opt out of recording please inform Sigma during the telephone call or meeting. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights.
Source and Purpose – This information is given to us by you. It is used to respond to the query and keep a record of it. We may respond via LinkedIn/social media messages, email, SMS (to mobiles and landlines), and phone calls (including voicemails), depending on the contact details you have provided to us for this purpose.
Lawful Basis for Processing – Our legitimate interests as a business in responding to and keeping a record of correspondence.

Clients, prospective clients, previous clients

Personal Data – Name, contact details (address, email, phone numbers), job title, company name, correspondence and notes. Recordings of Teams, Zoom or similar meetings (audio and video), meeting transcripts, including AI-generated notes, telephone call recordings, including AI-generated transcripts, profile pictures, and links to social media profiles. To opt out of recording, please inform Sigma during the telephone call or meeting. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights.
Source and Purpose – This information is given to us by you directly or by your company. For information about information we source from third parties, see the section below. We use this personal data to enter into and fulfil contracts and engage in business discussions, business development and promotional activities to make clients and potential clients aware of our recruitment services and candidates. Contact may be made via LinkedIn/social media messages, email, SMS (mobiles and landlines), and phone calls (including voicemails), depending on the contact details that we have for you.
Lawful Basis for Processing – Our legitimate interests as a business in responding to and keeping a record of correspondence, marketing to and sourcing clients. Some limited information is also necessary for us to enter into and perform any contract we have with you.
Retention Period: For as long as we believe you to be working at the company and potentially involved with recruiting the types of roles we recruit for. Contract information is retained for 6 years post-termination in line with statutory contractual limitation periods.

Prospective Clients Obtained from 3rd Party Data Sources

Personal Data – Name, contact details (email, phone numbers), job title, company name, LinkedIn profile URL.
Source and Purpose – We have obtained your data from a Third-party data provider (for example, Apollo.io), or from the public domain. See below for more details of these third-party sources. Note that sometimes sources are used in conjunction with each other to enrich the data. We use the data for business development and marketing to make you aware of our recruitment services and candidates via LinkedIn/social media messages, email, SMS (mobiles and landlines), and phone calls (including voicemails). It might be that we contact you on a personal mobile if you are using this in a business capacity/or if we think you are. You always have the right to opt out of being contacted – refer to opting out below for details. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights.
Lawful Basis for Processing – Our legitimate interests as a business in responding to and keeping a record of correspondence. And also for our legitimate interest of direct marketing, marketing recruitment services and/or candidates to you.
Retention Period – we store 3rd party & public corporate subscriber data for 24 months – if our data collection notification email sent within the first 30 days hard bounces, then we will delete your details within 30 days of the hard bounce. If you unsubscribe or ask for your details to be deleted, we will delete all your details other than contact details for the purposes of putting on our suppression list for the means of contact you have unsubscribed from. If you interact with us via phone or email, we may store your data for longer than 24 months. Where you do not engage with us, your data will be deleted within 90 days of the 24-month period being reached.

Coaching clients (i.e. where you are a client of ours, we are providing coaching services to)

Personal Data – Contact details, correspondence, assessments, profile picture, links to social media profiles, the information provided, analysis and recommendations and opinions. Special category information, such as health, disability, ethnicity or racial information, is only processed if provided by you. To opt out of recording please inform Sigma during the telephone call or meeting. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights.
Source and Purpose – This information is given to us by you. Occasionally, we undertake feedback sessions as part of coaching, which may involve the provision of information about you from other people known to or nominated by you. We use the information to provide our coaching services to you.
Lawful Basis for Processing – Our legitimate interests as a business in providing coaching services. Some information may also be necessary specifically for us to perform the contract. We only process special category data with your express consent.

Suppliers and contractors (and prospective suppliers/contractors)

Personal Data – Name, contact details (address, email, phone numbers), job title, company name, correspondence and notes. Recordings of Teams, Zoom or similar meetings (audio and video), meeting transcripts, including AI-generated notes, telephone call recordings, including AI-generated transcripts, profile pictures, and links to social media profiles. To opt out of recording please inform Sigma during the telephone call or meeting. Notes made by Sigma consultants are internal working documents that may contain subjective observations and opinions formed at the time. They are held in our systems and are accessible under your SAR rights.
Source and Purpose – This information is given to us by you or from publicly available information (for example, on your website).
Lawful Basis for Processing – Our legitimate interests as a business in responding to and keeping a record of correspondence. Some information is also necessary for us to perform our contract – for example, certain contact details.

Website Visitors

Personal Data – Information from cookies. For more details, see our Cookie Policy.
Source and Purpose – This information is collected via cookies when you use our website. Necessary, functional, analytics, performance, advertisement, and others. For more details, see our Cookie Policy.
Lawful Basis for Processing – We only install non-essential cookies with your consent. For more details, see our Cookie Policy.

Third Parties We Source and Share Data With

Who do we share your personal data with?

Data may be shared with the following parties:

  • Where you are a candidate/prospective candidate, we share your personal data with the client or prospective client who has a position to fill in order to determine with the client whether you are a good fit for an available position;
  • Where you are a candidate/prospective candidate and agree to our candidate focus/example candidate scheme or speculative CV marketing scheme, we share your personal data with 3rd parties, including clients or prospective clients, your details could also be available publicly on our website;
  • Where you are a client/prospective client, with candidates as part of a recruitment process or other services that we are providing to you;
  • With professional advisors;
  • In the event of a sale of the company or its assets;
  • With suppliers, but only subject to contractual protections;
  • Various software tools see list under “Where we obtain data, third-party data, and software/tools used”;
  • Other companies in our group; and
  • AI software tools, see “AI software tools section”.

Software & Other Tools Used to Store and Process Data

We use a variety of vendor software and related tools to provide our services and run our business. Most of these are data processors who only process your personal data on our behalf in order to provide the service to us. We ensure that appropriate contractual restrictions are in place with such processors as required under UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025) to protect your personal data and ensure they won’t use it for any other purpose.
There are some tools we work with where the supplier acts as a separate data controller in relation to the processing of your personal data. For example, LinkedIn and social networks, where you may correspond with us or provide information about your experience. Those sources provide you with privacy information and settings and controls which will impact how third parties like us can use your personal data and interact with you.

Data sources, including third-party data providers

Where we collect, enhance, compare or screen data through third parties, we may work with third parties, including Apollo.io, ZeroBounce, NeverBounce, Pipl, ZenLeads Inc, ZenProspect, ZoomInfo, BoardEx, Kaspr, Coresignal, Selectabase, Clearbit Data, SignalHire, Rocket, Clay.com, LinkedIn, People Data Labs, Highr Pattern Inc, Angellist, Gravatar, and Deeptrace (Coresignal). These third parties generally act as separate data controllers and therefore will have their own privacy notices, which detail more about how they process personal data.
Where we use these suppliers to collect, enhance or compare data these programs/suppliers are given parameters and search through available sources to find candidate/prospective candidate and client/prospective client data. These programs/suppliers are instructed to only output information that meets the search criteria. The parameters of this program/suppliers are restricted to only searching for information/data from sites where there is a reasonable expectation that such information may be collected and further processed by recruiters for the purpose of sourcing candidates/prospective candidates for job roles or making clients/prospective clients aware of candidates, recruitment services and market information, including direct marketing of recruitment services.
If you would like more information on how and where we obtained your data, please email info@sigmarecruitment.co.uk and quote “data source”.

AI Software Tools

We use certain third-party AI software tools from time to time as part of our business. These tools include: ChatGPT (including via Candidately CV portal), OpenAI, Raycast AI, Claude, Gemini, Motion, Anthropic, Perplexity, Groq, Together AI, Mistral, xAI, Replicate, Turbopuffer, MS Co-Pilot, otter.ai, Apple AI, Superhuman Email AI, Grammarly, Granola (AI note taking) and other AI tools. These tools are not used for fully automated decision-making regarding candidates or prospective candidates. A human will always make the final decision on candidate suitability and selection.
Generally, these tools are used to help us evaluate data including but not limited to: matching candidates to job vacancies, companies or potential job vacancies; marketing; salary benchmarking; assisting with the keywording and skill coding of CVs that we add to our database (where we do this our software may use AI to train our internal software for future keywording accuracy and predictions); improving job advertisements; formatting CVs, CV profiles, and overviews; producing candidate focus profiles (where we have consent); reviewing answers to questions asked; and generating meeting notes and transcripts. We also use AI tools to search and retrieve candidate records from our CRM (Bullhorn) as part of the candidate matching process. In all cases, a human reviews the results and makes the final decision.
We use Claude (provided by Anthropic) with access to our Microsoft 365 environment to assist with reviewing and triaging candidate applications received by email. This helps our consultants by summarising application content, identifying relevant skills or experience, and flagging applications for consultant review. A Sigma consultant reviews every output and makes the final decision on whether to progress an application, decline it, or contact a candidate. Claude is not used to reject applications, and no decision about a candidate is made without a consultant’s review.
We also use Microsoft 365 (including Outlook, Teams, SharePoint, and OneDrive) and Claude (via Anthropic’s Teams plan) as part of our day-to-day operations. Microsoft and Anthropic act as data processors on our behalf for these services. They process personal data only on our instructions and are bound by written Data Processing Agreements. They do not use personal data processed under these agreements to train AI models. This is distinct from other AI tools listed above, which may act as separate data controllers and will have their own privacy notices.
For US-based AI and software tools, personal data may be transferred to the United States. The transfer mechanism depends on the supplier. For Anthropic (Claude Teams and Claude API), we rely on Standard Contractual Clauses together with the UK International Data Transfer Addendum, as incorporated into Anthropic’s Data Processing Addendum. For suppliers that are self-certified under the UK Extension to the EU-US Data Privacy Framework (such as Microsoft, Google, Calendly, Cloudflare, Twilio, Apollo.io, ZoomInfo, Superhuman and Grammarly), we rely on that adequacy mechanism. Further details on international transfers are set out in the data transfers section below.
Where we review public social media profiles (for example LinkedIn) as part of the candidate sourcing or assessment process, we do so only to the extent necessary to assess professional suitability. We do not screen private social media content.

Communications – Online Meetings & Phone Calls

Meetings and phone calls are recorded and/or transcribed, utilising various AI tools. See above for details on these tools.

Monitoring Tools

We use computer, network, software, telephone and CCTV monitoring tools, which can include screen recordings on business devices and in our office to ensure that our employees act according to our company policies, including UK GDPR, the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025) and PECR. Details are stored in the monitoring software for up to 6 months.

Opting out of communications & Removal of Details (Right to be Forgotten)

Pause – to pause messages via email or SMS, please reply “pause” to the email or SMS we’ve sent, stating the number of months to pause for.
Email Opt Out – to unsubscribe from emails, please reply to any email we’ve sent you with “unsubscribe”.
SMS & Messaging Apps, e.g. WhatsApp Opt Out – to unsubscribe, please reply “end” or “stop” to any SMS we’ve sent you.
Phone Calls Opt Out – email “no calls” to info@sigmarecruitment.co.uk
Applied Job Only – if you only want us to contact you about the job you have applied for, email Job Only and quote the reference number to info@sigmarecruitment.co.uk
Removal of details/deletion* – if you wish us to delete your details from our database, please email info@sigmarecruitment.co.uk with your full name and state “delete”. This will not apply to personal data provided to us as a result of recruitment services we have provided to you or a potential employer.
LinkedIn – to stop messages from Sigma on LinkedIn, you can block Sigma Recruitment staff. First, use the search bar at the top of LinkedIn and type “Sigma Recruitment”, then click on the company page; from there, select “People” to view employees. Open the profile of any individual you wish to block, click the “More” button (three dots) near the top of their profile, and choose “Report/Block” > “Block [Name]”, then confirm. Repeat this process for each Sigma Recruitment employee you want to block, and stop messages from.
Flexible opt-out – if you wish to opt out of one or more methods of contact but are happy to be contacted by another, please email info@sigmarecruitment.co.uk with your full name and state which methods you want to unsubscribe from, for example, please unsubscribe from SMS/text, but continue to email and call me. Or please unsubscribe from email and SMS, but continue to call me.
*Caution on opt-out/unsubscribe and removal of details/deletion for Candidates/Prospective Candidates – If you opt out/unsubscribe, or delete/remove your details, but we see you are active again on the job boards, apply for a position handled by Sigma Recruitment, submit details on our website, engage with us on LinkedIn or submit details via email, we may contact you again as it is reasonable to assume that you wish to be made aware of new jobs and recruitment services again. If you don’t want to be contacted by Sigma or other recruitment agencies, remove your details from all the job boards you registered with; if you are active on the job boards, there is a risk that recruiters will contact you.
If you never want to hear from Sigma Recruitment again
If you don’t want to be contacted specifically by Sigma Recruitment, then email info@sigmarecruitment.co.uk with “permanent unsubscribe”.
For parties who use the permanent unsubscribe option, please refer to the LinkedIn opt out where you also wish to block messages from Sigma staff on LinkedIn.
Where you opt out/unsubscribe, delete/remove your details, we may retain your email address on our suppression list.
Clients/Prospective Clients – it’s likely that we will contact you again if you move to a new company with a new business email address, and/or new telephone numbers.

Special Category Data

We do not routinely process special category data and we instruct candidates and other individuals not to supply it unless we specifically request it as part of a client’s recruitment or onboarding process (which you have the right to refuse). The categories of special category data we will not collect unless specifically required are:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life;
  • data concerning a person’s sexual orientation; and
  • details of criminal allegations, proceedings or convictions.

How long do we keep your personal data for?

Unless specified specifically for a category of data subject, we keep your information only for as long as is necessary for the relevant purpose. We use a number of criteria for determining the retention period, including obligations under the law, our need to defend or bring contractual claims within the statutory limitation period and consideration of the original purpose we collected it for. For more details on the specific retention periods we apply, see the relevant sections above.

What happens if you do not provide us with the information we request?

If you do not provide the personal data necessary, we may not be able to respond to your query or consider your application or request or match you with available role opportunities or provide the relevant services to you.

Do we make automated decisions concerning you?

Automated decisions are decisions taken without meaningful human involvement that have a legal or similarly significant effect on you. The rules are set out in Articles 22A to 22D of the UK GDPR (as inserted by the Data (Use and Access) Act 2025). For candidates, we may make automated decisions about you during the assessment stage of any recruitment process. We put candidates through a structured screening process to assess whether each candidate meets the specific criteria for a particular position. These assessments may be fully automated, for example online pre-screening tests. As these assessments may result in a candidate being deemed not suitable for a position by means of a solely automated assessment, we only undertake this activity with the candidate’s explicit consent. We also carry out personality profiling on candidates with the candidate’s consent.
Where we use AI tools to search or retrieve candidate records from our CRM, or to review and triage applications received via email, this does not constitute a solely automated decision. A member of the Sigma team reviews all AI-generated results and makes the final judgement on candidate suitability and whether to progress an application.

Candidate Focus Newsletter, Example Candidate Profile Scheme

  • You may be included in our free Candidate Focus newsletter or Example Candidate Profile scheme only if you give explicit permission. Participation means we may create and share a short profile (no name or contact details) with clients and prospective clients, and we may display it publicly on our website and social media. These profiles are searchable by sector, job title/skills, location, and keywords. We will not share your full CV without your permission.
  • Profile content may include details such as experience, industry sectors, education, qualifications, achievements, location, job titles, and salary expectations. You can see examples of how profiles appear on our site here and here (please scroll to the Featured Candidates section).
  • To create and distribute profiles, Sigma Recruitment may upload your personal details to AI tools to draft content and to identify relevant companies to receive your profile.
  • You may request a copy, amendment, or removal of your profile at any time by emailing info@sigmarecruitment.co.uk and quoting “example candidate remove”. Once permission is granted, later applications or online bookings where you do not re-confirm participation will not automatically remove your profile; you must contact us using the phrase “example candidate remove”. Please contact us urgently if you did not agree to be included.
  • Sigma is not obliged to create a profile and may remove it at any time. If you are no longer open to career opportunities please let us know and we can remove your profile, where you don’t do this we will assume you are still interested in career opportunities and are happy for us to market your profile. There is a small chance a third party (including your current employer) could infer your identity from the profile; if you are unhappy with this, you can not agree to take part or withdraw permission at any time. Sigma will not confirm profile identities to third parties without your express permission. If there are any companies that you do not wish us to send your profile to then you must make us aware, however you should note that these companies can still see any profiles that we place on our website.

Speculative CV Marketing Scheme

  • If you give permission to join the Speculative CV Marketing scheme, we may market your CV to third parties, including clients and prospective clients, and may make details available publicly on our website and social media. These details are searchable by sector, job title/skills, location, and keywords. There is a small chance a third party (including your current employer) could infer your identity from the details; if you are unhappy with this, you can not agree to take part or withdraw permission at any time.
  • To facilitate this marketing, Sigma Recruitment may upload your personal details to AI tools to help create supporting content and identify suitable companies to receive your profile or CV.
  • You can request removal, amendments, or a copy of the information shared under this scheme at any time by emailing info@sigmarecruitment.co.uk and quoting “stop cv marketing”. Once you give permission, later applications or bookings where you do not agree to the scheme will not automatically halt activity; you must contact us using the phrase “stop cv marketing”. Please contact us urgently if you did not agree to be included.
  • Sigma is not obliged to market any CVs and may cease marketing at any time. If you are no longer open to career opportunities please let us know and we can stop marketing your details, where you don’t do this we will assume you are still interested in career opportunities and are happy for us to market your details. If there are any companies that you do not wish us to send your details to then you must make us aware, however you should note that these companies can still see any details that we place on our website.

Do we transfer your data outside the UK and Europe?

We may sometimes transfer your personal data to countries outside the UK and European Economic Area, for example, to our group companies or clients. You can find the list of European member states by clicking on the following link: https://european-union.europa.eu/principles-countries-history/country-profiles_en. The privacy laws in countries outside the UK and the European Economic Area may be different from those in your home country.
At present, we transfer personal data to the following countries outside of the UK and European Economic Area: India, Pakistan, and the USA.
Where we transfer data outside the UK and European Economic Area, we rely on appropriate safeguards under Article 46 UK GDPR. For US-based suppliers, the primary mechanism is the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses together with the UK International Data Transfer Addendum, as incorporated into each supplier’s Data Processing Addendum. Where the supplier is also self-certified under the UK Extension to the EU-US Data Privacy Framework, we rely on that adequacy mechanism as an additional safeguard. For transfers to India and Pakistan, we rely on IDTAs or SCCs with UK Addendum incorporated into each supplier’s contract. Please contact us if you want more details about our safeguards for data transfers.

What rights do you have in relation to the data we hold on you?

By law, you have a number of rights when it comes to your personal data under UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). Further information and advice about your rights can be obtained from the data protection regulator in your country. In the UK this is the Information Commissioner’s Office (ICO).
Data accuracy: We take reasonable steps to ensure the personal data we hold is accurate and up to date. You can help us by informing us of any changes to your contact details, employment status, or other personal information.
How we handle your request: We will respond within one month of receiving your request. We can extend this by a further 2 months for complex or numerous requests, and will tell you if we do. Where we ask you to confirm your identity or to clarify the request, the one-month period pauses until you reply. This is the ‘stop-the-clock’ rule under the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025. When responding, we will carry out reasonable and proportionate searches of the systems where Sigma holds your personal data.
Fees and refusal: We may charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive (including where it repeats a request we have already answered in full). If we refuse or charge, we will tell you why within one month and remind you of your right to complain to the ICO. We may also charge a reasonable fee for further copies of the same information.

Your Rights Explained

1. The right to be informed
What does this mean? – You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Privacy Policy. If you have any additional questions, for example, regarding transfers and locations of data or our legitimate interests basis, do please get in touch.
2. The right of access
What does this mean? – You have the right to obtain access to your information (if we are processing it), and certain other information (similar to that provided in this Privacy Policy). This is so you’re aware and can check that we’re using your information in accordance with UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). For details of how we handle access requests, see ‘What rights do you have in relation to the data we hold on you?’ above.
3. The right to rectification
What does this mean? – You are entitled to have your information corrected if it’s inaccurate or incomplete.
4. The right to erasure
What does this mean? – This is also known as the right to be forgotten and, in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right; there are exceptions.
5. The right to restrict processing
What does this mean? – You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
6. The right to data portability
What does this mean? – You have the right to obtain and reuse your personal data for your own purposes across different services. This is not a normal scenario for companies of our nature, but if you have any questions, you can contact us.
7. The right to object to processing
What does this mean? – You have the right to object to certain types of processing, including processing for direct marketing or where we are relying on our legitimate interests for processing (e.g. if you no longer want to be contacted with potential role opportunities).
8. The right to lodge a complaint
What does this mean? – You have the right to complain about the way we handle or process your personal data. You can complain to us directly, and we will deal with your complaint under our data protection complaints process (see ‘Data Protection Complaints’ below). You can also complain to your national data protection regulator. In the UK this is the Information Commissioner’s Office (ICO); you can contact them here.
9. The right to withdraw consent
What does this mean? – If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.

Data Protection Complaints

You have the right to complain to us directly if you believe we have handled your personal data in a way that breaches UK data protection law. This right applies from 19 June 2026 and sits alongside your existing right to complain to the Information Commissioner’s Office (ICO).
How to make a complaint: You can complain by email to info@sigmarecruitment.co.uk with the subject line “Data Protection Complaint”, by post to Sigma Recruitment Ltd, Titan House, Cardiff Bay Business Centre, Cardiff, CF24 5BS, or by phone on 02920 450 100. You can also raise a complaint through any other channel you use to contact us, including SMS and social media, and we will treat it as a data protection complaint.
Who handles your complaint: Data protection complaints are handled by Rhys Williams, Managing Director.
How we handle your complaint: We will acknowledge your complaint within 5 working days. We will then look into it, keep you updated on our progress, and give you our response, normally within 30 days of receipt. If we need longer, for example where a complaint is complex, we will tell you why and when you can expect a reply. We will tell you the outcome and remind you of your right to complain to the ICO.
Complaining to the ICO: You can complain to the Information Commissioner’s Office at any time, whether or not you have raised your complaint with us first. You can contact the ICO here.

Steps we take to secure your data

  • Sophos endpoint antivirus.
  • Company devices only: staff don’t use their own devices to access your data.
  • Microsoft Entra ID is used to manage access to data.
  • Where possible, all software holding personal data is configured to use MFA and/or IP locks.
  • Monitoring software, including screen recording, ensures staff compliance with UK GDPR, the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025) and data security policies.
  • Secure password management software is used to control and generate passwords.

Data breaches

We have internal procedures in place to identify, assess, and report personal data breaches in line with our obligations under UK GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.

Children’s data

Our services are not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we hold data about a minor, please contact us and we will delete it.

Updating this Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in personal data protection legislation and best practices. When we make changes to this Privacy Policy, we will change the “last updated” date above, and our communications will always link to the latest version. This policy is reviewed annually. The last review date is shown at the top of this page.

How can you contact us?

SAR Officer: For subject access requests and other data rights requests, the SAR Officer is Rhys Williams, Managing Director. Send the request to info@sigmarecruitment.co.uk with the subject line “SAR”.
General queries: If you have further questions on the processing of your personal data, or how we obtained it, please contact us via info@sigmarecruitment.co.uk or 02920 450 100.
Complaints: If you are unhappy with how we’ve handled your personal data, you can complain to us directly. We will acknowledge your complaint within 5 working days, keep you updated, and give you our response, normally within 30 days. We will tell you the outcome and remind you of your right to complain to the ICO. For full details, see ‘Data Protection Complaints’ above. You can complain to the Information Commissioner’s Office at any time.
Data Protection Officer: We are not required to appoint a Data Protection Officer under UK GDPR. Data protection matters are handled by Rhys Williams, Managing Director, who is the designated contact for all data protection enquiries.
ICO registration: Sigma Recruitment Ltd is registered with the Information Commissioner’s Office under registration number Z9312187.

The Sigma Recruitment Agency

The Sigma Recruitment Agency Cardiff is one of the leading manufacturing & engineering recruitment agencies. Jobs in the Automotive, Pharmaceutical, Metals/Power, Graduate, Medical Device, Life Science, Chemical, Electronics, Semicon, Aerospace, Food, Plastics, Packaging, and STEM Skills sectors. Executive Search & Contingency recruitment across the UK & Globally.

Locations we recruit in

Contact (via email or phone)

© Sigma Recruitment Ltd. 2020 Company Number 5659374 | VAT No: 869514188 | Terms of Service | Cookie Policy | Privacy Policy