top of page

WRM Legal Limited Privacy Policy 
Last Updated January 2025

1) Who we are and how to contact us

Controller: WRM Legal Limited (“WRM Legal”, “we”, “us”, “our”)
Registered office: 128 City Road, London, United Kingdom, EC1V 2NX
Company number: 10852680
ICO registration number: ZA813850
Telephone: +44 (0)20 3488 1240

WRM Legal Limited is a recruitment consultancy focused on the legal services sector. For the purposes of UK data protection law (UK GDPR and Data Protection Act 2018), we are the data controller of your personal data. If you have questions about this policy or how we use your data, contact us using the details above.
 

2) Scope & quick summary

​

This Policy explains how we collect, use, share and protect personal data of candidates, prospective candidates, referees, clients, suppliers and website visitors.

- We collect professional details (e.g., CVs, experience, contact details), process them to provide recruitment services, and share them with clients only with your permission.
- Lawful bases include legitimate interests, contract, legal obligation, and consent (e.g., for certain marketing or any special category data).
- You have UK GDPR rights (access, rectification, erasure, objection, etc.).
- We don’t make recruitment decisions using solely automated processes.
- We keep data only as long as necessary (see Section 10).
- How to complain: see Section 15 (ICO).
 

3) The data we collect

​

3.1 Contact & profile


- Name and preferred name; email; phone; postal address
- Current role/title, employer, practice area, PQE/seniority
- Professional profiles (e.g., LinkedIn), publications, speaking engagements

3.2 Career & professional


- CVs and cover letters; employment history; education and qualifications
- Professional memberships and registrations (e.g., SRA/Law Society where relevant)
- Skills, specialisms, language capabilities
- Remuneration history and expectations; notice period; availability
- Referees and reference content (with your permission)
- Right-to-work documentation (passport/visa/share code as applicable)

3.3 Recruitment process


- Interview notes, assessments and client feedback
- Role preferences and career aspirations
- Details of introductions made, interviews arranged, offers and outcomes
- For temporary/contract workers: assignment history, timesheets, pay information

3.4 Website/technical


- IP address, device/OS, browser type, pages visited, time on site, referral source
- Cookies and similar technologies (see our Cookie Policy)

3.5 Special category & criminal record data (limited use)


We do not routinely collect special category data. Where necessary and lawful, and always with your explicit consent or another valid condition, we may process:
- Health/disability information (e.g., to make reasonable adjustments, SSP)
- Diversity monitoring information (optional; anonymised where possible)
- Criminal records (DBS/overseas equivalent) only where role-relevant and lawful

 

4) How we collect your data

​

- Directly from you: calls/meetings, emails, messages, interviews, forms, CVs

- Public sources: professional networking sites (e.g., LinkedIn), firm websites, directories, press and legal publications

- Third parties: referees (with your permission), background check providers (where lawful), prior agencies (with permission), clients who provide feedback

 

We do not use automated scraping tools to harvest personal data from platforms that prohibit such activity.

​

5) Why we use your data (lawful bases)

 

5.1 Recruitment services (candidates & agency workers)

 

- Assess suitability, identify and discuss roles, introduce you to clients, manage interviews/offers, provide market insights

- Lawful bases: Legitimate interests (operate a legal recruitment business); Contract (steps at your request prior to entering a contract); Legal obligation (e.g., right-to-work)

 

5.2 Temporary/contract workers

 

- Administer assignments; verify identity/right-to-work; process timesheets, pay and taxes; manage compliance (e.g., Working Time, tax, pensions)

- Lawful bases: Contract; Legal obligation

 

5.3 Client and supplier management

 

- Maintain client contacts, proposals, assignments, invoicing and service delivery

- Lawful bases: Legitimate interests (operate and grow our business); Contract

 

5.4 Improving our services & operations

 

- Training, quality assurance, analytics, reporting, market trend analysis

- Lawful basis: Legitimate interests

 

5.5 Marketing & events

 

- Job alerts, newsletters, insights, and event invitations

- Lawful bases: Legitimate interests (existing clients/candidates) and consent where required under PECR for electronic marketing to new contacts. You can opt out at any time (see Section 12).

 

5.6 Legal/regulatory

 

- Compliance with applicable laws and regulatory/financial reporting, fraud and AML prevention, establishment/exercise/defence of legal claims

- Lawful bases: Legal obligation; Legitimate interests (protect our business)

 

5.7 Special category/criminal records

 

- Only where necessary and lawful, and typically with explicit consent, or as otherwise permitted by UK GDPR/DPA 2018 (e.g., employment law obligations, equality of opportunity)

 

6) Sharing your data

 

6.1 With your consent

- We will only share your CV or discuss your candidacy with specific clients after you agree.

 

6.2 Service providers (processors)

 

- IT, hosting and cloud services; CRM/ATS; communications tools; background screening; payroll/accounting (for workers); marketing platforms

- We execute data processing agreements and require confidentiality, security and use only for our instructions.

 

6.3 Legal and compliance

 

- Courts, regulators, law enforcement or advisers where required or permitted by law, or to protect rights, privacy, safety or property.

 

6.4 Corporate transactions

 

- In a merger, acquisition or reorganisation, data may transfer to the successor, subject to equivalent protections.

 

7) International transfers

 

Some providers or clients may be located outside the UK. Where we transfer personal data internationally, we ensure appropriate safeguards, such as:

- UK adequacy regulations (if the destination has been deemed adequate), or

- UK International Data Transfer Agreement/Standard Contractual Clauses, or

- Other UK-recognised transfer mechanisms.

 

You can request details of the safeguards we rely on.

 

8) Children

 

Our services are aimed at adults. We do not knowingly collect data from anyone under 18.

 

9) Data security

 

We use appropriate technical and organisational measures, including:

- Encrypted transmission and, where appropriate, encrypted storage

- Role-based access controls and least-privilege permissions

- Secure, monitored cloud infrastructure and regular patching

- Staff training and confidentiality obligations

- Vendor due diligence and contractual data protection commitments

 

No system is 100% secure. We have a breach response process and will notify you and the ICO where legally required.

 

10) How long we keep your data (retention)

 

We keep personal data only as long as necessary for the purposes described, considering legal, regulatory and contractual requirements. Typical periods are:

 

Active candidates

Duration of engagement + up to 3 years for suitable future opportunities (unless you opt out earlier)

Unsuccessful/declined processes

Up to 2 years from last meaningful contact (unless you request deletion earlier)

Temporary/contract worker records

6 years after last assignment (tax/employment record keeping)

Client/supplier records

Duration of relationship + 6 years (limitation period)

Right-to-work copies

In line with legal requirements (usually up to 2 years after employment/engagement ends)

Marketing contacts

Until you opt out or we detect sustained inactivity, then deleted or suppressed

Opt-out/suppression lists

Kept indefinitely (minimal data) to honour your preferences

 

When retention expires, we securely delete or anonymise the data.

 

11) Your rights

 

Under UK GDPR, you have the right to:

- Access your data and get a copy

- Rectify inaccurate or incomplete data

- Erase data (in certain circumstances)

- Restrict processing (in certain circumstances)

- Object to processing based on legitimate interests, including direct marketing

- Data portability (data you provided to us, processed by automated means and based on consent/contract)

- Not be subject to solely automated decisions that have legal or similarly significant effects — we do not make such decisions in our recruitment services

- Withdraw consent at any time where we rely on consent (this won’t affect processing already carried out)

 

12) Exercising your rights & opting out

 

To exercise your rights or opt out of marketing, contact +44 (0)20 3488 1240 or write to our registered address.

 

- We will respond within one month (may extend by two months for complex requests; we will tell you if so).

- No fee is charged unless a request is manifestly unfounded, repetitive or excessive.

- Marketing opt-out links are included in our emails; you can also tell your consultant directly.

 

13) Cookies and similar technologies

 

We use cookies and similar technologies to operate and improve our website, personalise content and analyse traffic. For details (types, purposes, retention and choices), see our Cookie Policy

 

14) Sourcing and fairness information

 

Where we collect data from public sources or third parties, we will contact you within applicable timeframes to provide this privacy information unless doing so would be impossible or involve disproportionate effort (in which case we take alternative transparency measures).

 

15) Complaints

 

We’d welcome the chance to resolve your concerns first — Use our contact form or call +44 (0)20 3488 1240

 

You also have the right to complain to the UK supervisory authority:

 

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: https://ico.org.uk/make-a-complaint/

 

16) Changes to this Policy

 

We may update this Policy to reflect changes in law or our practices. We will post the updated version with a new “Last updated” date and, where appropriate, notify you by email or a website notice.

 

17) Additional information for specific situations

 

17.1 Background checks & references

 

Where a role requires it and it’s lawful to do so, we may conduct ID/right-to-work checks, qualification verification, references (with your permission), and (where appropriate) criminal records checks. If you decline, it may affect our ability to progress an application.

 

17.2 Diversity & inclusion

 

Any equality monitoring is optional and, where feasible, anonymised and reported at aggregate level. It will never be used to make placement decisions.

 

17.3 Executive search

 

For senior/executive roles, we may proactively identify potential candidates from public sources. If you tell us you’re not interested, we will respect that and suppress future contact.

 

18) Third-party links

 

Our website may link to third-party sites. Those sites have their own privacy policies. We are not responsible for their content or privacy practices.

© 2023 WRM Legal Limited

  • LinkedIn Social Icon
  • Twitter Social Icon
bottom of page