Privacy Notice.



This version dated: 14 June 2021 


 1           Introduction

1.1       We, Spencer Road LLP, trading as ‘The Omerta Group’ (and ‘Omerta‘, ‘we‘, ‘us‘ or ‘our‘ will be interpreted accordingly), take your privacy very seriously.

1.2       Please read this privacy notice carefully as it contains important information on how and why we collect, store, use and share personal information relating to you (our clients, candidates, suppliers and other valued contacts), from which you can be identified (called ‘Personal Data‘).

1.3       This privacy notice also explains your rights in relation to your Personal Data and how to contact us or the relevant regulatory authority in the event you have a complaint.

2           Changes to this privacy notice

2.1       This version of our privacy notice is effective on the above date.

2.2       We may change this privacy notice from time to time — when we do we will post the updated version on our website or, if the changes are significant, at our discretion, we may decide to inform our clients or those candidates we have contact details for by letter or email.

3           What Personal Data do we collect and use?

3.1       Omerta may collect and use the following Personal Data:

          For individual contacts within our client organisations and individual candidates:

(a)        Your name and contact information, including email address and telephone number(s);

(b)        Details of your contact with us and our clients, including correspondence and notes of meetings or calls; and

(c)        Other Personal Data that you as an individual may provide to us from time to time.

          In relation to candidates:

(a)        Your current job role and employer;

(b)        Details of your qualifications, experience, employment history (including job titles and salary);

(c)        Publically available online information regarding your work and professional interests e.g. company website or LinkedIn profile;

(d)        Your personal or professional interests and qualities;

(e)        Your referees, if any; and

(f)         Your nationality and immigration status.

3.2       Please also note that some of the Personal Data a candidate may supply may include what is known as ‘sensitive’ or ‘special category’ data, for example, information provided on a CV regarding health, sexual orientation or ethnic origin would fall into this category although we will only hold and use this data if we have a legal basis for doing so (see below).

3.3       If you choose not to provide Personal Data we request, it may delay or prevent us from responding to a request or query or providing services to you.

4           How your Personal Data is collected

4.1       We collect most Personal Data directly from you when

4.1.1   you interact with us in person, by telephone or email;

4.1.2   you submit an enquiry – for example, through our website; or

4.1.3   you provide information on a form.

4.2       However, we may also collect candidate information in the following ways:

  •           from publicly accessible sources e.g. LinkedIn, company website, reputable news websites;
  •           from specialist business intelligence suppliers, such Bloomberg or others;
  •           directly from third parties e.g. referees, former employers, acquaintances or former colleagues or your education providers, if we have your permission;
  •           if applicable, a public database held by a regulatory authority (such as the Financial Conduct Authority) or relevant professional body; and
  •           if you visit our office, via our CCTV and access control system and reception logs.  

5           How and why we use your Personal Data

5.1       We may use your Personal Data for one or more of the following lawful basis:

  •           Contract and providing our services to clients: where we agree to provide services to you or your organisation, to take steps at your request before entering into a contract, and then to perform our contractual obligations to you, we will process your Personal Data as needed to ensure effective contract performance.
  •           Legitimate Interests: For our legitimate interests of being able to:

(a)        promote and operate our human capital business, identifying and researching candidates who may match client requirements via online research, contracting with our clients, communicating with client and candidate contacts to discuss suitability and making notes regarding such communications;

(b)        keeping records of our research, communications, job application/ search progress and outcome and other information;

(c)        provide you with direct marketing communications about what we are doing as well as services and/or campaigns which may be of interest to you by post or phone. If required under applicable law, where we contact you by personal (as opposed to corporate) email, fax, social media and/or any other similar electronic communication channels for direct marketing purposes, this will be subject to you providing your express consent. You can object or withdraw your consent to receive direct marketing from us at any time, by contacting us using the email address below.

We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your other legal rights and freedoms and in particular your rights to privacy.

  •           Legal claims: to enforce and/or defend any of our legal claims or rights;
  •           Legal and regulatory obligations: for any other purpose required by applicable law, regulation, the order of any court or regulatory authority;
  •           Consent: we may send a candidate’s details to a client or hirer if we have their freely given and specific consent to do so.

5.2       If we process sensitive or special category we will only do this in limited circumstances, namely: with your explicit consent; or, where you have already publicised such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.

6           Our legal obligations regarding your Personal Data

6.1       We collect and process your Personal Data in accordance with the EU General Data Protection Regulation (EU GDPR) and/or the UK GDPR and the UK Data Protection Act 2018 together with other applicable UK and/or EU laws that regulate the collection, processing and privacy of Personal Data (together, ‘Data Protection Law‘). 

7           Who we share your Personal Data with

7.1       We may need to disclose your Personal Data to certain third party organisations who processing Personal Data only in accordance with our instructions under contract (called ‘data processors‘) such as companies and/or organisations who provide technical support or host our data or that assist us in delivering the services that you have requested.

7.2       We only allow our data processors to handle your Personal Data if we are satisfied they take appropriate measures to protect your Personal Data. We also impose contractual obligations on data processors to ensure they protect your Personal Data.

7.3       We may also disclose your Personal Data to third parties who make their own determination as to how they process your Personal Data and for what purpose(s) (called ‘data controllers’), such as our clients who we may provide with details of a potential candidate for a role although we only do this with a candidate’s full knowledge and their permission.

7.4       The third party data controllers external to us (including our clients) with whom we deal will handle your Personal Data in accordance with their own chosen procedures and you should check the relevant privacy policies of these companies or organisations to understand how they may use your Personal Data. Since they are acting outside of our control, we have no responsibility for the data processing practices of these data controllers.

7.5       We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

7.6       We may also need to share some Personal Data with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

7.7       In all cases we always aim to ensure that your Personal Data is only used by third parties for lawful purposes and in compliance applicable Data Protection Law.

8           International transfers

8.1       To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK/European Economic Area (‘EEA‘), for example:

8.1.1   with our offices or other companies within our group located outside the UK/EEA;

8.1.2   with your and our service providers located outside the UK/EEA;

8.1.3   if you are based outside the UK/EEA; or

8.1.4   with clients located outside the UK/EEA.

8.2       Under Data Protection Law, we can only transfer your personal data to a country or international organisation outside the UK/EEA where:

8.2.1   the UK government or, where the EU GDPR applies, the European Commission has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);

8.2.2   there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or

8.2.3   a specific exception applies under Data Protection Law.

9           How long your Personal Data will be kept

9.1       We only retain Personal Data identifying you for as long as you have a relationship with us; or as necessary to perform our obligations to you (or to enforce or defend contract claims); or as is required by applicable law.

9.2       We have a data retention policy that sets out the different periods we retain data for in respect of relevant purposes in accordance with our duties under Data Protection Law. The criteria we use for determining these retention periods is based on various legislative requirements; any ongoing need we have to hold data, in particular to deal with any future legal disputes which can be up to 6 years after the cause of claim arising; and guidance issued by relevant regulatory authorities including but not limited to the UK Information Commissioner’s Office (ICO). 

9.3       Personal Data we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it.

10         Security that we use to protect Personal Data

10.1     We employ appropriate technical and organisational security measures to protect your Personal Data from being accessed by unauthorised persons and against unlawful processing, accidental loss, destruction and damage.

10.2     We also endeavour to take all reasonable steps to protect Personal Data from external threats such as malicious software or hacking. However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of all data sent to us (including Personal Data).

11         Your Personal Data rights

11.1     In accordance with your legal rights under applicable law, you have a ‘subject access request’ right under which you can request information about the Personal Data that we hold about you, what we use that Personal Data for and who it may be disclosed to as well as certain other information.

11.2     We reserve the right to verify your identity if you make a subject access request. We may also require further information to locate the specific information you seek before we can respond in full and apply certain legal exemptions when responding to your request.

11.3     We may charge for administrative time in dealing with any manifestly unreasonable or excessive requests for access or reject such a request altogether.

11.4     Under Data Protection Law you also have the following rights, which are exercisable by making a request to us in writing:

  •           to require us to correct Personal Data that we hold about you which is inaccurate or incomplete;
  •           to require us to erase your Personal Data without undue delay if we no longer need to hold or process it;
  •           to object to our use of your Personal Data for direct marketing;
  •           to object and/or to restrict the use of your Personal Data for purpose other than those set out above unless we have an overriding legitimate reason for continuing to use it; or
  •           to object to any automated processing (if applicable) that we carry out in relation to your Personal Data, for example if we conduct any automated credit scoring (we do not currently perform such automated processing);
  •           in certain circumstances, to require us to transfer Personal Data to another party where the Personal Data is being processed by automated means and we collected that data under contract or with your consent.

11.5     All of these requests may be forwarded on to a third party provider who is involved in the processing of your Personal Data on our behalf.

11.6     If you would like to exercise any of the rights set out above, please contact us by clicking here.

11.7     Usually we will have a month to respond to such a request, but we may, in the case of a complex request, require a further two months to respond. We will tell you if this is the case.

11.8     If you make a request and are not satisfied with our response, or believe that we are illegally processing your Personal Data, you have the right to complain to the Information Commissioner’s Office (ICO) – see

12         Contact

12.1     If you have any queries regarding this privacy notice or wish to make a further request relating to how we use your Personal Data as described above, please contact:

Andrew Hynes, Data Protection Lead,

The Omerta Group,  10 Noble Street, London, EC2V 7JX

Telephone: +44 20 7726 9357




Spencer Road LLP (trading as The Omerta Group), which processes the personal data of individuals in the European Union and European Economic Area, in either the role of ‘data controller’ or ‘data processor’, has appointed DataRep as its Data Protection Representative for the purposes of GDPR*.


If The Omerta Group has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. For more details on the rights you have in respect of your personal data, please refer to the European Commission ( protection/data-protection-eu_en) or the national Data Protection Authority in your country.


The Omerta Group takes the protection of personal data seriously, and has appointed DataRep as their Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries and Norway & Iceland in the European Economic Area (EEA), so that The Omerta Group’s customers can always raise the questions they want with them.


If you want to raise a question to The Omerta Group, or otherwise exercise your rights in respect of your personal data, you may do so by:


  • sending an email to DataRep at quoting <The Omerta Group> in the subject line,
  • contacting us on our online webform at, or
  • mailing your inquiry to DataRep at the most convenient of the addresses in the subsequent


PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘The Omerta Group’, or your inquiry may not reach us. Please refer clearly to The Omerta Group in your correspondence. On receiving your correspondence, The Omerta Group is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.


If you have any concerns over how DataRep will handle the personal data we will require to undertake our services, please refer to our privacy notice at


Please ensure request is addressed to ‘DataRep’ and not The Omerta Group


Country Address
Austria DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech


Denmark DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
Ireland DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
Latvia DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857,


Slovakia DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
Sweden DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden
Switzerland DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland