How Lancor complies with PECR (Privacy & Electronic Communications Regulations)

Who are we?

Lancor MENA Ltd., registered in the Dubai International Financial Centre (DIFC) with registration no. 1874; address Unit 16, Level 1, Gate Village Building 3, DIFC, Dubai, 113355, United Arab Emirates; and telephone contact +971 4 401 9238 and email contact (“Lancor”, “we”, “us”, “our”); provides executive search services to clients who retain us to find executives, board members and advisors for their businesses.

What does this Policy cover?

Lancor takes your personal data seriously and processes it in accordance with the DIFC Data Protection Law (DIFC Law No.5 of 2020) and the associated Data Protection Regulations as amended from time to time (“Data Protection Law”). Lancor acts as the ‘controller’ (i.e. person responsible for deciding how your personal data is processed) under the Data Protection law and has adopted this privacy policy (“Policy”) to establish and maintain the privacy and security of your personal data. This Policy:

  • sets out the types of personal data we collect about you
  • explains how and why we collect and use your personal data
  • explains how long we keep your personal data
  • explains how we will share your personal data - when, why and who with
  • sets out the legal bases we have for using your personal data
  • explains the effect of refusing to provide the personal data requested
  • explains the different rights and choices you have when it comes to your personal data
  • explains how we may contact you and how you can contact us.

What personal data do we collect about you?

Through the different stages of our search, we collect the personal data necessary to assess your professional experience against our clients’ requirements. This personal data may include CVs/resumés you have sent us (which include such personal data as names, addresses, telephone numbers and/or email addresses), educational records, references and outlines of your work history, including summaries available on publicly-available web sites, including social media sites, such as LinkedIn.

We do not normally collect special categories of personal data (as defined in the Data Protection Law). This may include health information or information on your racial or ethnic origin or religious beliefs. However, in the exceptional case in which we may be required to collect and process such personal data, we would only collect it from you, and further process it, when you have given your explicit consent if necessary or under one of the other lawful bases available to us as per the Data Protection Law (and as set out in more detail below).

Where do we collect personal data about you from?

The following are the different sources from which we may collect personal data about you:

  • Directly from you. This is personal data you provide to us.
  • From an agent/third party acting on your behalf. e.g. an outplacement firm.
  • Through publicly available sources. We use the following public sources:
  • LinkedIn
  • Company web sites, online news outlets or event web sites (e.g. conferences)
  • Alumni directories
  • Any other online or offline resource typically used to support executive search research.
  • By Reference or word of mouth. For example, you may be recommended by a friend, a former/current employer or a former colleague.

How and why do we use your personal data?

We use your personal data for the purposes of assessing whether your skills, experience and education are a fit with a client’s search requirements. We will initially collect basic personal data about you, such as contact details, current title and, if available, past professional experiences and then pass this on to our client. If your profile is a match with our client’s requirements, we will then be collecting more personal data from you at the screening and interview stage.

How long do we keep your personal data for?

We keep your personal data in accordance with our data retention policy. Basically, we follow the following approach:

  • Candidate personal data: 6.5 years from the last update
  • Client contact details: 6.5 years from the last update

We also may elect not to keep your personal data on file.

Who do we share your personal data with?

Your personal data is gathered and assessed in order to determine if you are a good fit with our client’s requirements. It may also be shared with the client. We may also verify the personal data you have provided and, in these cases, we may share that personal data with our clients and companies in the Lancor group of companies.

What legal bases do we have for using your personal data?

For prospective candidates, referees and clients: our processing is necessary for our legitimate interests in that we need the personal data in order to be able to assess suitability for potential roles, to identify potential candidates and to contact clients and referees.

If you are shortlisted as a candidate, this may involve the processing of more detailed personal data, including special categories of personal data (e.g. health information) that you may provide or others may provide about you. In that case, we will always ask for your explicit consent before undertaking such processing unless we can rely on another lawful basis available to us under the Data Protection Law including where:

  • such personal data has been made public by you;
  • processing is necessary for the establishment, exercise or defence of legal claims; or
  • processing is necessary for compliance with a specific requirement under laws applicable to Lancor (in which case we will notify you as soon as reasonably practical to the extent that we are allowed to).

For clients: we may also rely on our processing as necessary to perform a contract for you, for example, in contacting you.

What happens if you do not provide us with the personal data we request or ask that we stop processing your personal data?

If you do not provide us with the necessary personal data, or ask us not to process your personal data, we may not be able to consider you as a candidate either now or in the future.

Do we make automated decisions concerning you?

No. Lancor does not carry out processing based on automated decision making, including profiling.

Do we use your personal data for direct marketing?

We may process your personal data for direct marketing purposes. For example, to contact you to publicize our recruitment services, or to keep you informed about Lancor news or to invite you to our events. We will notify you before we disclose your personal data for the first time to third parties or use it on their behalf for direct marketing purposes. You can object to such disclosures or processing at any time by using the ‘unsubscribe’ option in communications sent to you or contacting us on

Do we use cookies to collect personal data on you?

To provide better service to you on our websites, we use cookies to collect your personal data when you browse. See our cookie policy here for more details.

Do we transfer your data outside the DIFC?

To better match your professional profile with current searches, we may transfer your personal data to clients and Lancor offices in countries outside the DIFC. These countries’ privacy laws may be different from those applicable to us in the DIFC. When we transfer personal data to a country which has not been deemed to provide adequate data protection standards under the Data Protection Law, we always have security measures and approved model clauses in place to protect your personal data. To find out more about how we safeguard your personal data as related to transfers and/or to request a copy of the model clauses, please contact us on

How do we secure your personal data?

We are required, under the Data Protection Law, to implement appropriate technical and organizational security measures to ensure your personal data is properly protected. This is done in a manner proportionate to the risks faced by you if your personal data is compromised. We protect personal data we hold against unauthorized and unlawful processing and against accidental loss, destruction or damage.

We have access controls in place that restrict who can access your personal data within our organisation. These controls ensure that only those who need to have access to personal data are given access. The controls are restricted by function and role. All our online filing and database systems are password protected so only authorised personnel have access. We have access logs in place which record who accesses personal data in the systems and actions performed on such data when accessed. We have good off-boarding processes to ensure that once an employee leaves our business, all access of that employee within the business is revoked.

If storing personal data electronically, we use encryption to ensure this personal data is secure.

We prohibit the use of portable storage devices within our organization, unless they are encrypted.

Where possible, we use pseudonymisation to secure your personal data, especially when special categories of personal data are involved and for note taking. Additionally, we anonymise personal data where possible and especially in situations where we do not require the identity of the person who the data is about and where the purposes for keeping personal data have elapsed but the data is of value to our business.

Our staff is trained on the actions to take in the event of a security breach. This involves who to contact immediately, who is in charge of the investigations that follow and who escalates the incident to the DIFC’s Commissioner of Data Protection and to affected individuals, where necessary.

What rights do you have in relation to the personal data we hold on you?

Under the Data Protection Law, you have a number of rights when it comes to your personal data. Further information and advice about your rights can be obtained from DIFC’s Commissioner of Data Protection.


What does this mean?

1. The right of access

You have the right to obtain access to your personal data (if we’re processing it), and certain other information (similar to that provided in this Policy). This is so you’re aware and can verify that we’re using your personal data in accordance with the Data Protection Law.

2. The right to rectification

You are entitled to have your personal data corrected if it’s inaccurate or incomplete.

3. The right to erasure

This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal data if there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.

4. The right to restrict processing

You have rights to ‘block’ or suppress further use of your personal data. When processing is restricted, we can still store your personal data, but may not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to ensure the restriction is respected in future.

5. The right to object to processing

You have the right to object to certain types of processing, including processing for direct marketing (i.e. if you no longer want to be kept informed of Lancor news or be invited to events).

6. The right to lodge a complaint

You have the right to lodge a complaint about the way we handle or process your personal data with DIFC’s Commissioner of Data Protection.

7. The right to withdraw consent

If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.

We usually act on requests and provide personal data free of charge, but may charge a reasonable fee to cover our administrative costs of providing the personal data for:

  • baseless or excessive/repeated requests, or
  • further copies of the same personal data.

Alternatively, we may be entitled to refuse to act on the request.

Please consider your request responsibly before submitting it. We’ll respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we’ll come back to you and let you know.

How will we contact you?

We may contact you by phone, email or social media. If you prefer a particular contact means over another, please just let us know.

How can you contact us?

If you are unhappy with how we’ve handled your personal data, or have further questions on the processing of your personal data, contact us here: or by telephone at +971 4 401 9238.