Privacy Policy

This Privacy Policy explains how The Malton Group collects, uses, shares and protects personal data in the course of providing legal and compliance recruitment and search services to candidates and corporate clients in Hong Kong and across the Asia-Pacific region.

1. Introduction and who we are

The Malton Group is a Hong Kong-based legal and compliance recruitment and search consultancy. We support individual candidates and corporate clients with permanent, contract and interim recruitment and search assignments.

We are committed to handling personal data in a professional, transparent and responsible manner, in line with applicable data protection laws.

2. What personal data we collect

The personal data we collect will depend on whether you are a candidate or a client contact, and on the nature of our relationship with you.

For candidates

We may collect, store and use some or all of the following types of personal data about candidates:

  • Identity details, such as your name, title, nationality and, where relevant, right to work or visa status.
  • Contact details, such as email address, telephone number, postal address and online professional profiles.
  • Professional information, such as your CV or résumé, employment history, current role and responsibilities, reporting lines, qualifications, certifications, language skills and areas of expertise.
  • Remuneration details, such as current and expected salary, bonus, benefits, notice period and any contractual restrictions (for example, non-compete or non-solicitation obligations).
  • Recruitment process information, such as interview notes, feedback, assessment results, communications relating to offers and negotiations, and your preferences regarding roles, locations and employers.
  • Compliance information that may be relevant to certain roles, such as information collected during background checks where permitted, and only to the extent necessary for the role.
  • Any other information you voluntarily provide to us during calls, meetings or correspondence that is relevant to your career or job search.

For clients and other business contacts

We may collect, store and use some or all of the following types of personal data about our clients and other business contacts:

  • Identity details, such as your name, title, organisation and role.
  • Contact details, such as business email address, telephone number and office address.
  • Information about your organisation, team structure, hiring needs, search mandates and preferences.
  • Communications with you, including emails, meeting notes, call records and feedback relating to assignments and candidates.
  • Billing and payment information relating to our services (for example, for invoicing contacts).
  • Marketing and event preferences, such as your interest in receiving insights, updates or invitations.

3. How we collect personal data

We collect personal data in a number of ways, including:

  • CV and profile submissions – when you send us your CV, profile or other information directly, whether through our website, by email or via another channel.
  • Contact forms – when you complete contact or enquiry forms on our website or other platforms.
  • Email and telephone – when you email, call or message us, or when we contact you using details you have provided or that are publicly available.
  • Meetings and events – when we meet you in person or virtually, for example at interviews, client meetings, conferences, seminars or networking events.
  • Referrals and recommendations – when you are referred to us by colleagues, former employers, clients or other professional contacts, or when you refer candidates or contacts to us.
  • Public and third-party sources – from publicly accessible sources such as LinkedIn and professional directories, from job boards, and from specialist data providers where this is appropriate and permitted.

Where we obtain your details from public or third-party sources, we aim to let you know that we are processing your personal data within a reasonable time, unless this would be disproportionate or is not required under applicable data protection laws.

4. How we use personal data

We use personal data only for legitimate business purposes in connection with our recruitment and search activities. Typical purposes include:

  • Providing recruitment and search services – to identify and assess suitable opportunities for candidates; to identify and assess suitable candidates for clients; to manage recruitment and search assignments; and to provide advice and support to candidates and clients.
  • Managing our relationship with you – to respond to your enquiries; to arrange and conduct calls, interviews and meetings; to obtain feedback; and to keep our records up to date.
  • Communications and updates – to send you information about roles, market insights, events and other content that may be relevant and of interest to you, in line with your communication preferences.
  • Improving our services – to analyse how we source and place candidates; to improve the quality, relevance and efficiency of our services; and to develop our business and service offerings.
  • Compliance and risk management – to comply with applicable data protection laws, record-keeping obligations, tax and accounting requirements, and other regulatory or professional obligations; and to establish, exercise or defend legal claims.

5. Legal bases for processing

We will only process personal data where we have a valid legal basis to do so under applicable data protection laws. Depending on the circumstances, we may rely on one or more of the following legal bases:

  • Your consent – where you have given clear consent for us to process your personal data for a specific purpose, for example to keep you informed of suitable roles or market updates. You can withdraw your consent at any time (see the section on your rights below).
  • Legitimate interests – where processing is necessary for our legitimate business interests or those of a third party, and these interests are not overridden by your interests or fundamental rights and freedoms. This may include our interests in providing and improving recruitment and search services, maintaining business relationships and ensuring the security of our systems and information.
  • Legal obligations – where processing is necessary for us to comply with obligations under applicable laws and regulations, for example in relation to record keeping, tax and accounting, or responding to lawful requests from regulators or public authorities.

In certain circumstances we may also need to process personal data to establish, exercise or defend legal claims.

6. Who we share personal data with

We do not sell personal data. We may share personal data with carefully selected third parties for the purposes described in this Privacy Policy, including:

  • Clients – we may share candidate information with our client organisations in connection with specific opportunities, searches and assignments, or where we believe a candidate may be of interest to a client, in line with our understanding of the candidate’s preferences.
  • Service providers – we may share personal data with third parties who provide services that support our business, such as IT and cloud service providers, database and CRM providers, email and communications platforms, event management services and background screening providers (where appropriate).
  • Professional advisers – we may share personal data with our professional advisers, such as lawyers, accountants and auditors, where necessary for the provision of their services to us.
  • Regulators and public authorities – we may disclose personal data where we are required or permitted to do so under applicable laws, regulations or professional rules, or in response to lawful requests.
  • Other third parties – in the context of a business transaction, such as a merger, restructuring or sale of all or part of our business, in which case personal data may be transferred to the relevant third parties subject to appropriate safeguards.

Where we share personal data with third parties, we aim to ensure that they only process it on our instructions and with appropriate confidentiality and security protections in place, where required.

7. International transfers

Given the international nature of legal and compliance recruitment and our focus on the Asia-Pacific region, personal data may be transferred to and processed in countries or territories outside Hong Kong. These locations may have different data protection standards from those in Hong Kong.

Where we transfer personal data internationally, we aim to ensure that appropriate safeguards are in place to protect it, in line with applicable data protection laws. These safeguards may include contractual protections, such as data transfer agreements, and other measures designed to ensure that your personal data remains adequately protected.

8. Data retention

We keep personal data only for as long as is reasonably necessary for the purposes for which it was collected, including to meet any legal, regulatory, tax, accounting or reporting requirements, and to be able to respond to queries or complaints.

When determining appropriate retention periods, we consider the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, whether we can achieve those purposes through other means, and applicable legal requirements and professional obligations.

In practice, this means that we generally retain candidate and client records for a period that allows us to support ongoing and future recruitment and search activities, unless you request that we delete or anonymise your personal data sooner, subject to any legal or regulatory requirements that may apply.

9. Your rights over your personal data

Depending on where you are located and subject to certain conditions and exceptions, you may have rights under applicable data protection laws in relation to the personal data we hold about you. These may include the right to:

  • Access – request confirmation of whether we process your personal data and, if so, request a copy of that personal data.
  • Correction – request that we correct or update any inaccurate or incomplete personal data we hold about you.
  • Deletion – request that we delete or remove your personal data in certain circumstances, for example where it is no longer needed for the purposes for which it was collected.
  • Restriction – request that we restrict the processing of your personal data in certain circumstances, for example while we verify its accuracy or consider an objection you have raised.
  • Objection – object to our processing of your personal data where we are relying on legitimate interests, including profiling based on those interests, or object to processing for direct marketing purposes.
  • Withdrawal of consent – where we rely on your consent, withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

If you wish to exercise any of these rights, please contact us using the details in the “How to contact us” section below. We may need to request specific information from you to help us confirm your identity and process your request. We aim to respond to all legitimate requests within a reasonable timeframe.

10. How we protect your personal data

We take appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, misuse, alteration or disclosure. These measures are designed to provide a level of security appropriate to the risks associated with the personal data we process.

Examples of the measures we may use include:

  • Restricting access to personal data to those employees and service providers who need to know it for legitimate business purposes.
  • Using secure systems, tools and platforms to store and transmit personal data, with access controls in place.
  • Maintaining reasonable safeguards to protect our IT systems and communications from unauthorised access.
  • Providing guidance to our team on the importance of confidentiality, data protection and information security.

Although we take reasonable steps to protect personal data, no system or transmission of information via the internet can be completely secure. We cannot guarantee the security of information transmitted to us electronically and any such transmission is at your own risk.

11. Third-party links

Our website and communications may contain links to third-party websites, platforms or services. These third parties have their own privacy policies and practices, which we do not control and for which we are not responsible. We encourage you to review the privacy information provided by any third party before submitting personal data to them.

12. Updates to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services, our practices or applicable data protection laws. Any updates will be posted on this page. We encourage you to review this Privacy Policy periodically to stay informed about how we handle personal data.

13. How to contact us

If you have any questions about this Privacy Policy or how we handle personal data, or if you wish to exercise your rights, please contact us using the details below:

Email: info@themaltongroup.com