We are part of an international group of businesses (referred to as “the Leyton Group”) and this Privacy Notice relates to the UK business, Leyton UK Limited.  Below, we refer to the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK-GDPR”) and the Data Protection Act 2018 (“DPA 2018”), and we outline how we collect and process your personal data, who we share it with and what rights and options you have in relation to your personal data.  This Privacy Notice was up-dated in February 2022.


THÉSÉE S.A.S (referred to as “the Leyton Group”) is made up of different legal entities, details of which can be found at: https://leyton.com/uk/about-us/ 

Leyton UK Limited forms part of the Leyton Group.  For the purposes of this Agreement reference to “we” or “us” is intended to refer to Leyton UK Ltd which is the controller responsible for your personal data.

We have appointed a data protection officer (DPO) based in the UK and the Leyton Group benefits from a committee of professionals that work across the group to harmonise information handling practices.  If you have any questions about this notice or our data protection practices please contact the UK DPO:

Legal EntityLeyton UK Limited
ICO RegistrationZA495904
AddressHarmsworth House
13-15 Bouverie Street
DPO Emaildpm@leyton.com
Telephone0207 432 300

We will comply with data protection law and principles, which means that your data will be:

  • * Used lawfully, fairly and in a transparent way
  • * Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • * Relevant to the purposes we have told you about and limited only to those purposes.
  • * Accurate and kept up to date.
  • * Kept only as long as necessary for the purposes we have told you about.
  • * Kept securely.


The UK-GDPR defines personal data as any information relating to an identified or identifiable natural person who can be identified (directly or indirectly) with reference to that information.  That information may be an identifier such as those listed below, or some other factor specific to the physical, physiological, genetic, mental, economic, cultural identify of a natural person.

We may collect, use, store and transfer different kinds of personal data as follows:

  • * Basic Identity Data – this may include your first name, surname, date of birth, tax status, marital status, nationality, educational history and academic qualifications.
  • * Employment Data – this may include your employment history, job title or other information about your profession / occupation, your position within your organisation, national insurance number, salary, benefits, expenses claimed, training and payroll.
  • * Contact Data – this may include your contact telephone number(s), postal address including work address, personal and/or work email address.
  • * Financial Data – this may include bank account details, payment information, liabilities, loans and assets.
  • * Transaction data – this will typically include details about the services you have sought from us.
  • * Profile Data and Usage Data – this will include information about your marketing preferences and details of marketing campaigns you have been involved in, your communication preferences, your login information where you have interacted with us using our online solutions, as well as information regarding your behaviour / use of our online solutions.
  • * Technical data – this will include information such as your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website or online solutions.  For further information, please see our Cookie Notice

The above is not representative of data collected routinely; the data collected will depend on the nature of our transaction.

We may also process information about the business or organisation you represent and whilst this may include some personal data it may also be made up entirely of corporate information.  We are resolved to treat personal data and corporate information with the same degree of care and attention, and where possible apply similar technical and operational measures to safeguard both from unauthorised access and use.

Personal data provided to us by you or on your behalf, or generated by us in the course of providing our services, will not typically include special categories of personal data or data belonging to children.

In addition to the data-types listed above, we may also record and store samples of your voice and image through recorded telephone calls and video conferencing.  Calls may be recorded without prior notice in order to record evidence of an exchange, to review quality standards, to ensure compliance with regulations, to prevent or detect a crime, or to investigate the misuse of our telecommunications system.

If you provide us with personal data about another individual (such as an employee, contractor, supplier or client) you must ensure that those individuals understand how their data may be used and shared, and that you are otherwise to share their personal data with us.


We use different methods to collect data. Typically this is provided by you through your interactions with us directly or via our website, mailing lists, marketing initiatives or events (whether hosted by us wholly or in conjunction with another).

We may also obtain your personal data from third party sources including public repositories and databases (such as Companies House and Duedil), social media platforms (such as LinkedIn) or third parties where you have consented to the sharing of your personal data by that third party (for example, lead generation suppliers, or via a partnership with another entity for the purpose of marketing and business development).

We use an automated solution provided by CreditSafe to fulfil our anti-money laundering obligations on client inception however depending on the circumstances we may require additional information from you.  This may include passport details, drivers licence details or other details held within identification and address verification documents, as well as details of sanctions, embargos, enforcement action against you and adverse media about you.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.


We will only process your personal data where we have a lawful basis to do so.  This will typically be because one of more of the following apply:

  • * Where you have consented for us to process your personal data.
  • * For the performance of a contract where your information is necessary to enter into or perform our contract with you or another.
  • * Where we need to use your information to comply with our legal or regulatory obligations.
  • * Where we use your information to achieve a legitimate interest in circumstances where our reasons for using it outweigh any prejudice that may occur to your data protection rights.
  • * Where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
  • * Where you have provided informed consent for us to use of your personal data in the knowledge that you may withdraw your consent.


We will only use personal data for the purpose for which we collected it, including:

  • * To register you as a contact or to otherwise record your involvement within an organisation or business which has instructed us to provide services to it, or to whom we intend to market.
  • * To negotiate contractual terms and to process and deliver the service contemplated in the contract.
  • * To manage your relationship with us and the relationship between us and the business or organisation which you represent.
  • * To recommend products or services which may be of interest to you as a representative of a business or organisation we are contractually engaged with or wish to communicate details of our goods and services to.  This may include cross-selling to and sharing your information as described above with other Leyton Group businesses.
  • * To administer and protect our business interests, website and online functions.  This may include using your personal data for our insurance purposes, to undertake background checks, to exercise / defend our legal rights, to audit performance of our staff / services and to improve our quality of communications with you.
  • * To use data analytics to improve our website, our products and services, our marketing, our customer relationships and experiences, and to deliver appropriate training to our staff.
  • * We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (marketing).  You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing. You may opt out of receiving marketing or surveying at any time by emailing dpm@leyton.com

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We may process your personal data without your knowledge or consent but only in compliance with the above rules or where this is required or permitted by law.


We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.


Where we are required by legislation to do so (for fraud and crime prevention purposes), we may share your personal data and other information about you and the business or organisation with law enforcement agencies or other regulatory bodies (such as the National Crime Agency and HM Revenue and Customs).

In order to provide our services to you we may share your personal data with other entities within the Leyton Group which may include your personal data and corporate information.  We share this for cross-selling and marketing purposes, to improve our products and services, and for IT support and administration services.

Outside of the Leyton Group, we may share your personal data with third parties where:

  • * you have consented
  • * we are under a legal or regulatory obligation to do so
  • * it is necessary in order to apply or enforce our terms
  • * where we have another legitimate interest in doing so that is not overridden by your interests and fundamental rights

It may be necessary to share your personal data with third party service providers in which case we will only do so with appropriate security measures in place to protect your personal data. We do not allow our third-party service providers to use your personal data for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.


Our data centres are controlled by the Leyton Group and are located in France.  They are managed by Moroccan based Leyton Group employees and certified ICO 270001, SOC 2 PART II. We have automatic alerts which prevent intrusions as well as malware protection, firewall and SSL inspection, anti-spyware, application control, antivirus.

Where we share your personal data within the Leyton Group but outside of the UK and EEA, we do so pursuant to group level data sharing agreements.

Where we have lawful reason to do so, we may also share your personal information with third parties who are based outside of the UK / EEA.  These transfers will only be permitted where there are appropriate mechanisms and security measures in place which ensure the personal data is protected in the international territory to the same level as we would expect it to be protected in the UK and EEA.

Where we procure the goods or services of providers based outside of the EEA, we scrutinise their IT infrastructure to ensure that any personal data transferred to them in the course of our transactions is adequately protected.  Such providers are required to enter into contractual terms which oblige them to take appropriate operational and technical measures to secure the personal data we transfer to them from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data and client confidential information.


We retain the personal data in accordance with a Retention Schedule which assesses the nature of the personal data, the purpose of its processing and the reasonableness of its retention.  Personal data will not be retained for longer than is necessary to fulfil the purpose for which it was collected and where personal data is required to be held in a dormant state to satisfy legal or regulatory obligations it will be minimised.


Under certain circumstances, by law you have the right to:

  • * Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • * Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • * Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • * Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • * Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • * Request the transfer of your personal information to another party.

The right of access and/or right of erasure may not apply where we are processing your personal for tax obligations or assessments, for example, or for the purposes of management forecasting or management planning in relation to a business or other activity.  Exemptions are subject to specific conditions detailed at Schedule 2 of the Data Protection Act 2018 and if you would like to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our DPO or email dpm@leyton.com 

If you wish to make a complaint about the manner in which you believe your data is being processed, we would encourage you to raise this with our DPO in the first instance.  Ultimately, complaints may be made to the Information Commissioner’s Office (ICO), the UK regulator for data protection (www.ico.org.uk / Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom).


The foregoing applies specifically where individuals have applied to us for work (whether paid or unpaid, permanent or temporary).  In addition to the categories of data outlined above, in relation to candidates it is likely that we will also process the following which will likely contain your personal data:

The information you have provided to us in your curriculum vitae and covering letter or email

  • * The information you have provided on our application form on the Leyton Recruitment portal, including name, title, address, telephone number, personal email address, date of birth, gender, CV including employment history, qualifications.
  • * Information relating to your right to work, proof of address, passport or driving licence.
  • * Any information you provide to us during an interview.
  • * Information provided in voicemails, emails, correspondence and other communications created, stored or transmitted by you in order to progress your application through the recruitment process.  This may include voice and image samples should you be invited to interact with our talent acquisition tools which require recordings to be made.

Your personal data will have been collected from you directly or via recruitment agencies, referees and publicly accessibly sources such as LinkedIn, S1 Jobs, CV Library, Indeed or other job boards.

We will use your personal data to assess your skills, qualifications, and suitability for the work or role you have applied for or any other role that might be suitable for you in the event of a speculative application.  We may also use your personal data to undertake background and reference checks, to communicate with you regarding the recruitment process, and to otherwise comply with our legal and regulatory requirements.  Ultimately, your personal data will be used to determine whether to appoint you to a role within our business and this will inevitably include processing your data for the purpose of evaluating your suitability, arranging and conducting interviews of you and negotiating contractual terms with you.

“Automated decision-making” takes place when an electronic system uses information to make a decision without human intervention.   You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making. However, we will notify you in writing if this position changes.  We may however use anonymised data of applicants and candidates for analytical purposes and to ensure that we are complying with our legal, regulatory and corporate social responsibility obligations and requirements.

We may share your personal data as outlined above.  We may also transfer your personal date outside of the EEA as outlined above.

As a candidate or speculative applicant, you possess the same data subject rights detailed above.  We will retain your personal information for a period of 6 months after we have communicated to you our decision about whether to appoint you to the role. After this period, we will securely destroy your personal information in accordance with our Retention Schedule.  Notwithstanding this, you may withdraw your consent to our processing your personal data by emailing: dpm@leyton.com