LEYTON ADVISORY IRELAND LIMITED PRIVACY NOTICE

We are part of an international group of businesses (referred to as “the Leyton Group”) and this Privacy Notice relates to the Irish business, Leyton Advisory Ireland Limited. This Privacy Notice was updated in June 2025.

Click to download

1 – ABOUT US 

THÉSÉE S.A.S is made up of different legal entities, details of which can be found at: https://leyton.com/uk/about-us/  (referred to as “the Leyton Group”). 
Leyton Advisory Ireland Limited forms part of the Leyton Group.  For the purposes of this notice, reference to “we”, “us” or “our” is intended to refer to Leyton Advisory Ireland Limited, which is the controller responsible for your personal data.
We have appointed a data protection officer (“DPO”) based in the UK and the Leyton Group benefits from a committee of data protection professionals that work across the Group to harmonise information handling practices. 

If you have any questions about this notice or our data protection practices, or wish to exercise your data subject rights, please contact the UK DPO:

Legal EntityLeyton UK Limited
ICO RegistrationZA495904
Address Harmsworth House
13-15 Bouverie Street
London
EC4Y 8DP
DPO Emaildpm@leyton.com
Telephone0207 432 300
EU Representative EEA-based data subjects may exercise their data subject rights by contacting the UK business at the details above or our EU Representative via dpo@leyton.com or https://leyton.com/fr/donnees-personnelles/.

We will comply with applicable data protection law and principles, which means that your data will be: 

  • Used lawfully, fairly and in a transparent way 
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes 
  • Relevant to the purposes we have told you about and limited only to those purposes 
  • Accurate and kept up to date 
  • Kept only as long as necessary for the purposes we have told you about 
  • Kept securely. 

2 – THE DATA WE COLLECT 

Reference to personal data in this notice is intended to mean any information relating to an identified or identifiable living person who can be identified (directly or indirectly) with reference to that information.  That information may be an identifier such as those listed below, or some other factor specific to the physical, physiological, genetic, mental, economic and/or cultural identity of a natural person. 

We may collect, use, store and transfer various kinds of personal data as follows: 

  • Basic Identity Data – this may include your first name, surname, date of birth, tax status, marital status, nationality, educational history and academic qualifications 
  • Employment Data – this may include your employment history, job title or other information about your profession / occupation, your position within your organisation, national insurance number, salary, benefits, expenses claimed, training and payroll 
  • Third Party Employment Data – the nature of our services requires us to advise on the impact of our clients’ payroll expenditure and to do this we may process salary information including names and job roles relating to employees / suppliers of our clients 
  • Contact Data – this may include your contact telephone number(s), postal address including work address, personal and / or work email address 
  • Financial Data – this may include bank account details, payment information, liabilities, loans and assets 
  • Transaction Data – this will typically include details about the services you have sought from us 
  • Profile Data and Usage Data – this will include information about your marketing preferences and details of marketing campaigns you have been involved in, your communication preferences, your login information where you have interacted with us using our online solutions, as well as information regarding your behaviour / use of our online solutions 
  • Technical data – this will include information such as your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website or online solutions. For further information, please see our Cookies Policy

The above is not representative of data collected routinely; the data collected will depend on the nature of our transaction. 

We may also process information about the business or organisation you represent and, whilst this may include some personal data, it may also be made up entirely of corporate information.  We are resolved to treat personal data and corporate information with the same degree of care and attention, and where possible we will apply similar technical and operational measures to safeguard both from unauthorised access and use. 

Personal data provided to us by you or on your behalf, or generated by us while providing our services, will not typically include special categories of personal data or data belonging to children.  If we do process any special categories of data, then we will do so where we have a legal obligation to do so or where we have your explicit consent. 

In addition to the datatypes listed above, we may also record and store samples of your voice and image through recorded telephone calls and video conferencing.  Calls may be recorded without prior notice to record evidence of an exchange, to review quality standards, to ensure compliance with regulations, to prevent or detect a crime, or to investigate the misuse of our telecommunications system. 

If you provide us with personal data about another individual (such as an employee, contractor, supplier or client), you must ensure that those individuals understand how their data may be used and shared, and that you will share their personal data with us. 

3 – HOW WE COLLECT YOUR DATA 

We use different methods to collect data.  Typically, this is provided by you through your interactions with us directly or via our website, mailing lists, marketing initiatives or events (whether hosted by us wholly or in conjunction with another).
We may also obtain your personal data from third party sources including public repositories and databases (such as Companies House), social media platforms (such as LinkedIn) or third parties where you have consented to the sharing of your personal data by that third party (for example, lead generation suppliers, or via a partnership with another entity for the purpose of marketing and business development).

We use an automated solution provided by CreditSafe to fulfil our anti-money laundering obligations on client inception; however, depending on the circumstances, we may require additional information from you.  Further information about how CreditSafe processes your personal data can be found at https://www.creditsafe.com/ie/en/legal/privacy-policy.html.

The additional information we request may include passport details, driving licence details or other details held within identification and address verification documents, as well as details of sanctions, embargos, enforcement action against you and adverse media about you.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services).  In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

4 – LAWFUL BASIS FOR PROCESSING 

We will only process your personal data where we have a lawful basis to do so.  This will typically be because one of more of the following apply: 

  • Where you have consented for us to process your personal data 
  • For the performance of a contract where your information is necessary to enter into or perform our contract with you or another (which may include the business you work for) 
  • Where we need to use your information to comply with our legal or regulatory obligations 
  • Where we use your information to achieve a legitimate interest in circumstances where our reasons for using it outweigh any prejudice that may occur to your data protection rights 
  • Where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party 
  • Where you have supplied informed consent for us to use your personal data in the knowledge that you may withdraw your consent. 

5 – HOW WE USE PERSONAL DATA 

We will only use personal data for the purpose for which we collected it, including: 

  • To register you as a contact or to otherwise record your involvement within an organisation or business which has instructed us to provide services to it, or to whom we intend to market 
  • To negotiate contractual terms and to deliver the service contemplated in the contract 
  • To manage your relationship with us and the relationship between us and the business or organisation which you represent 
  • To recommend products or services which may be of interest to you as a representative of a business or organisation we are contractually engaged with or wish to communicate details of our services to.  This may include cross-selling to and sharing your information as described above with other Leyton Group businesses 
  • To administer and protect our business interests, website and online functions.  This may include using your personal data for our insurance purposes, to undertake background checks, to exercise / defend our legal rights, to audit performance of our staff / services and to improve our quality of communications with you 
  • To use data analytics to improve our website, our products and services, our marketing, our customer relationships and experiences, and to deliver appropriate training to our staff 
  • We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you.  This is how we decide which products, services and offers may be relevant for you (marketing).  You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing. 

6 – SECURITY MEASURES 

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know.  They will only process your personal information on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

7 – SHARING YOUR PERSONAL DATA 

Where we are required by legislation to do so (for fraud and crime prevention purposes), we may share your personal data and other information about you and the business or organisation with law enforcement agencies or other regulatory bodies (such as the National Crime Agency and HM Revenue and Customs). 

To provide our services to you, we may share your personal data with other entities within the Leyton Group which may include your personal data and corporate information.  We share this for cross-selling and marketing purposes, to improve our products and services, and for IT support and administration services.  Some of the entities within the Leyton Group are outside of the UK; however, all inter-Group transfers of personal data are subject to security standards set by our French parent company and covered by internal data sharing agreements.  Our Group’s data centres are in France and are certified ICO 270001 and SOC 2 Type II.   

Outside of the Leyton Group, we may share your personal data with third parties where: 

  • You have consented 
  • We are under a legal or regulatory obligation to do so 
  • It is necessary to apply or enforce our terms 
  • Where we have another legitimate interest in doing so that is not overridden by your interests and fundamental rights. 

It may be necessary to share your personal data with third party service providers, in which case we will only do so with appropriate security measures in place to protect your personal data.  We do not allow our third-party service providers to use your personal data for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions. 

8 – INTERNATIONAL PROCESSING

Where we have lawful reason to do so, we may also share your personal information with third parties who are based outside of the EEA.  These transfers will only be permitted where there are appropriate mechanisms and security measures in place which ensure the personal data is protected in the international territory to the same level as we would expect it to be protected in the EEA.
Where we procure the goods or services of providers based outside of the EEA, we scrutinise their IT infrastructure to ensure that any personal data transferred to them during our transactions is adequately protected.  Such providers are required to enter contractual terms which oblige them to take appropriate operational and technical measures to secure the personal data we transfer to them from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data and client confidential information.

9 – RETENTION PERIODS

We retain personal data in accordance with a Retention Schedule which assesses the nature of the personal data, the purpose of its processing and the reasonableness of its retention.  There are categories of standard retention periods applied across the several types of personal data processed (financial / human resources related / contract related, etc.).  Personal data will not be retained for longer than is necessary to fulfil the purpose for which it was collected, and where personal data is required to be held in a dormant state to satisfy legal or regulatory obligations it will be minimised.

10 – YOUR LEGAL RIGHTS

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”).  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
  • Request correction of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected
  • Request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.  You also have the right to object where we are processing your personal information for direct marketing purposes
  • Request the restriction of processing of your personal information.  This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
  • Request the transfer of your personal information to another party.

The above rights pertain to individuals, not Limited Companies or Limited Liability Partnerships.  If you require a copy of the information we process in relation to a Limited Company or Limited Liability Partnership, you should contact the UK DPO or our EU Representative (see section 1 of this notice for contact details).  This information will only be released where we have approval from authorised persons to do so.
The right of access and / or right of erasure may not apply where we are processing your personal data for tax obligations or assessments, for example, or for the purposes of management forecasting or management planning in relation to a business or other activity.  Restrictions are subject to specific conditions detailed in the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018.  If you would like to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the UK DPO or our EU Representative (see section 1 of this notice for contact details). 
If you wish to make a complaint about the way you believe your data is being processed, we encourage you to raise this with the UK DPO or our EU Representative in the first instance.  Ultimately, complaints may be made to the Data Protection Commission, the Irish supervisory authority for such matters, or to the European Data Protection Supervisor, the EU regulator for data protection (https://www.edps.europa.eu/_en / Rue Wiertz 60, B-1047 Brussels).

11 – CANDIDATES AND SPECULATIVE APPLICATIONS

The foregoing applies specifically where individuals have applied to us for work (whether paid or unpaid, permanent or temporary).  In addition to the categories of data outlined above, in relation to candidates it is likely that we will also process the following which will contain your personal data:

  • The information you have provided to us in your curriculum vitae and covering letter or email
  • The information you have provided on our application form on the Leyton Recruitment portal, including name, title, address, telephone number, personal email address, date of birth, gender and CV, including employment history and qualifications
  • Information relating to your right to work, proof of address, passport or driving licence
  • Any information you provide to us during an interview
  • Information provided in voicemails, emails, correspondence and other communications created, stored or transmitted by you to progress your application through the recruitment process.  This may include voice and image samples should you be invited to interact with our talent acquisition tools which require recordings to be made.

Your personal data will have been collected from you directly or via recruitment agencies, referees and publicly accessibly sources such as LinkedIn, S1 Jobs, CV Library, Indeed or other job boards.
We will use your personal data to assess your skills, qualifications, and suitability for the work or role you have applied for or any other role that might be suitable for you in the event of a speculative application.  We may also use your personal data to undertake background and reference checks, to communicate with you regarding the recruitment process, and to otherwise comply with our legal and regulatory requirements.  Ultimately, your personal data will be used to determine whether to appoint you to a role within our business and this will inevitably include processing your data for the purpose of evaluating your suitability, arranging and conducting interviews of you and negotiating contractual terms with you.
“Automated decision-making” takes place when an electronic system uses information to make a decision without human intervention.  You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.  We may use anonymised data of applicants and candidates for analytical purposes and to ensure that we are complying with our legal, regulatory and corporate social responsibility obligations and requirements.
We may share your personal data as outlined above.  We may also transfer your personal data outside of the EEA as outlined above.
As a candidate or speculative applicant, you possess the same data subject rights detailed above.  We will retain your personal information for a period of six months after we have communicated to you our decision about whether to appoint you to the role.  After this period, we will securely destroy your personal information in accordance with our Retention Schedule.  Notwithstanding this, you may withdraw your consent to our processing your personal data by contacting the UK DPO or our EU Representative (see section 1 of this notice for contact details).