Purpose and Scope
This Global Data Protection Policy outlines how RecXchange Portal LLC protects personal data in compliance with applicable data protection laws worldwide. RecXchange is a recruiter-to-recruiter collaboration platform headquartered in the United Arab Emirates (Dubai) and operating under the laws of England and Wales.
Applicable Laws
This Policy meets or exceeds the requirements of major data protection regulations globally:
- UK GDPR and EU GDPR: UK General Data Protection Regulation, EU GDPR, UK Data Protection Act 2018
- United States: California Consumer Privacy Act (CCPA/CPRA), Virginia and Colorado state laws
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
- Australia: Privacy Act 1988 (Australian Privacy Principles)
- South Africa: Protection of Personal Information Act (POPIA)
- Singapore: Personal Data Protection Act (PDPA)
- UAE: Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law)
This Policy applies to all processing of personal data by RecXchange globally, including data of platform Members, candidates/clients shared via the platform, employees, contractors, and any identifiable individuals whose data we handle.
This Policy complements our Privacy Policy and Terms & Conditions, providing a comprehensive compliance framework.
1. Definitions
For purposes of this Policy:
Personal Data
Any information relating to an identified or identifiable natural person. This includes names, contact details, identification numbers, IP addresses, or any data that can identify a person when combined.
Processing
Any operation performed on personal data, including collection, recording, organizing, storing, adapting, retrieving, consulting, using, disclosing, erasing, or destroying data.
Data Subject
The individual to whom personal data relates. May include Members, candidates, client representatives, or any person whose data is shared on the platform.
Data Controller
The entity that determines the purposes and means of processing personal data. RecXchange Portal LLC is the primary Data Controller for platform operations.
Data Processor
An entity that processes personal data on behalf of a controller. RecXchange acts as a processor when hosting candidate data shared between Members.
Member
An approved user of the RecXchange platform, typically an independent recruitment professional or agency collaborating via split-fee arrangements.
Special Category (Sensitive) Data
Personal data about racial/ethnic origin, health, biometric identifiers, or criminal background. RecXchange avoids collecting sensitive data unless absolutely necessary and with explicit consent.
2. Data Protection Principles
RecXchange upholds the core data protection principles found in GDPR, UK GDPR, and mirrored in laws like LGPD, POPIA, and PDPA:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully (with a valid legal basis), fairly (in expected ways), and transparently (with clear notices via the Privacy Policy).
- Purpose Limitation: We collect data for specified, explicit purposes and do not process it for unrelated purposes without additional consent.
- Data Minimization: We collect only the minimum data necessary for recruitment collaboration. No excessive or irrelevant data collection.
- Accuracy: We ensure personal data is accurate and up-to-date, with prompt rectification when notified of inaccuracies.
- Storage Limitation: Personal data is retained only as long as necessary for its purpose, then securely deleted or anonymized.
- Integrity and Confidentiality: Appropriate security measures protect against unauthorized processing, accidental loss, or damage.
- Accountability: RecXchange demonstrates compliance through documentation, training, risk assessments, DPIAs, and continuous monitoring.
3. Lawful Bases for Processing
RecXchange processes personal data only where we have a valid legal basis as required by GDPR and analogous laws:
- Consent: Clear and affirmative consent for marketing communications. Members must obtain candidate consent before uploading or sharing personal details on RecXchange.
- Contractual Necessity: Processing necessary to perform our contract with Members (account setup, facilitating communications, payment processing).
- Legal Obligation: Where law requires data processing (court orders, tax/accounting requirements, regulatory compliance).
- Legitimate Interests: Platform security, fraud prevention, service improvement, dispute resolution, balanced against individual rights.
Important: RecXchange does not use personal data for automated decision-making with legal/significant effects without human involvement. If this changes, we will obtain explicit consent and inform Data Subjects of their rights.
4. Data Subject Rights
We respect and uphold all data subject rights under UK/EU GDPR and analogous global privacy laws:
- Right to Be Informed: Clear, transparent information about data collection and use via this Policy and the Privacy Policy.
- Right of Access: Request confirmation and copies of personal data we hold, with supplementary information (purposes, categories, recipients).
- Right to Rectification: Correct inaccurate or incomplete personal data. Members can update profile information directly.
- Right to Erasure (Right to be Forgotten): Request deletion when data is no longer necessary, consent is withdrawn, or no legal ground exists.
- Right to Restrict Processing: Limit processing in certain scenarios (contesting accuracy, objection pending evaluation).
- Right to Data Portability: Receive personal data in a structured, machine-readable format (CSV) and transmit it to another controller.
- Right to Object: Absolute right to opt out of direct marketing. Object to processing based on legitimate interests or public interest.
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing (e.g., unsubscribe from newsletters).
- Right to Non-Discrimination: No denial of services, different pricing, or lower quality for exercising privacy rights.
- Right to Lodge a Complaint: File complaints with the local data protection authority (UK ICO for GDPR, or the relevant supervisory authority).
Exercising Your Rights
Contact legal@recxchange.io to exercise your rights. We respond within 30 days (GDPR requirement). Identity verification is required to prevent unauthorized disclosure.
5. Controller Accountability
RecXchange Portal LLC (Dubai, UAE) is the principal Data Controller with the UK ICO as lead supervisory authority for cross-border matters.
Policies and Governance
Privacy by Design and Default integrated into all business processes. Data Protection Impact Assessments (DPIAs) for high-risk processing.
Record-Keeping
GDPR Article 30 records maintained covering categories of data, purposes, recipients, transfers, retention, and security measures.
Training and Awareness
Regular training for all employees handling personal data. Confidentiality agreements and culture of privacy awareness.
Audits and Monitoring
Periodic compliance audits and third-party assessments. Monitoring of regulatory developments and policy updates.
Vendor Management
Due diligence on all service providers (processors). Maintained list of current processors available on request.
6. Member Obligations
All RecXchange Members must uphold high data protection standards when handling personal data through the platform:
- Compliance with Laws: Adhere to all applicable data protection laws in your jurisdiction (GDPR, POPIA, PDPA, CCPA, etc.).
- Obtain Consent Before Sharing: Do not upload or share candidate data without explicit consent. Inform candidates about RecXchange and obtain permission. Document consent.
- Use Data Only for the Intended Purpose: Personal data must be used solely for the specific recruitment purpose for which it was shared. No repurposing for unrelated roles or clients.
- Confidentiality and Security: Treat all personal data as confidential. Implement adequate security measures. No data scraping or mass downloading.
- No Circumvention: Never use data to bypass another Member. A 24-month non-circumvention period applies. No poaching candidates or clients.
- Cross-Border Compliance: Ensure lawful international data transfers. Inform candidates if data is shared outside the EEA/home country.
- Honour Data Subject Rights: Comply with candidate requests to delete, correct, or stop processing their data. Inform RecXchange of such requests.
Consequences of Non-Compliance
Misuse of personal data results in account suspension/termination, potential regulatory fines, legal liability, and indemnification obligations to RecXchange. Professional reputation damage from privacy violations is irreparable.
7. Data Sharing & Disclosures
RecXchange shares personal data in controlled, secure ways. We do not sell or rent personal data to third parties.
Other RecXchange Members
Data shared between Members as part of core collaboration functionality (job opportunities, candidate profiles). All exchanges logged and monitored.
Service Providers (Processors)
Cloud hosting (AWS), payment processors (Stripe, PayPal), analytics (Google Analytics), communication tools, customer support software. All bound by data processing agreements.
Legal and Regulatory Disclosure
Court orders, subpoenas, law enforcement requests, data protection regulator inquiries. Disclosure to protect rights, prevent harm, or defend legal claims.
Safeguards
- Least privilege: minimum data shared for the purpose
- Contractual obligations: GDPR Article 28 data processing clauses
- No unauthorized third-party access without consent
- International transfer compliance (see Section 8)
8. International Data Transfers
RecXchange is a global platform. All international data transfers comply with applicable laws to ensure adequate protection:
Standard Contractual Clauses (SCCs)
EU Commission-approved SCCs and UK International Data Transfer Addendum for transfers from UK/EEA to third countries. Template contractual commitments binding data importers to EU/UK privacy standards.
Adequacy Decisions
Reliance on EU/UK adequacy decisions for countries officially recognized as providing adequate protection (e.g., Canada under PIPEDA, Switzerland, Japan).
Transfer Impact Assessments
Evaluation of legal environment in data importing countries post-Schrems II. Ensuring SCCs can be complied with in practice.
Technical Measures
All data in transit is protected by HTTPS/TLS encryption. Data at rest is encrypted on foreign servers, so it remains confidential even when physically located in another country.
Member-to-Member Transfers
Platform terms incorporate clauses ensuring recipient Members protect data to GDPR/PDPL standards. Candidate consent should include international transfer acknowledgment.
By using RecXchange, Members acknowledge personal data may be transferred internationally as needed for the service, always in accordance with this Policy and applicable laws.
9. Data Retention & Deletion
RecXchange retains personal data only as long as necessary for its purpose or as required by law:
Active Member Accounts
Account information, profile data, and transaction history retained for duration of membership.
Former Members
7-year retention from end of membership for statutory limitation periods, financial record-keeping, and dispute resolution. Then deleted or anonymized.
Prospective Members
Data from non-completed applications or inquiries retained up to 12 months, then deleted if no further engagement.
Candidate and Client Data
Placement records retained 7 years as business/financial records. CV files disposed after deal conclusion unless ongoing lawful basis exists.
Communication Records
Platform messages and support correspondence retained during active membership and 7-year former member period for dispute evidence.
Destruction and Anonymization
Permanent deletion from active databases and backups, or anonymization (stripping all personal identifiers for aggregate statistics).
Legal Hold Exception
Data preserved beyond normal retention if legal dispute, investigation, or preservation order requires it. Data isolated and used only for compliance/legal resolution.
10. Data Security Measures
RecXchange implements robust information security to prevent breaches and unauthorized access:
- Encryption: HTTPS/TLS for all communications. Strong encryption algorithms for data at rest in databases and backups. Secure key management.
- Secure Infrastructure: 24/7 physical security in data centers. Firewalls, intrusion detection, regular security patches, network segmentation. Encrypted data backups.
- Access Controls: Principle of least privilege. Role-based access. Multi-factor authentication for administrative access. Hashed password storage. Access logging and review.
- Employee Training: Confidentiality agreements for all staff. Regular training on data handling, phishing recognition, secure practices. Non-compliance enforcement.
- Vendor Security: Vetting for security certifications (ISO 27001, SOC 2). Security requirements in contracts. Breach notification obligations.
- Testing and Auditing: Vulnerability scanning, penetration testing by independent experts, secure code review, audit logs protected from tampering. Anomaly alerts.
User Responsibilities
Keep login credentials confidential. Use strong, unique passwords. Enable 2FA if available. Be vigilant about phishing. Log out on shared computers. Report suspected unauthorized activity to support@recxchange.io.
11. Data Breach Response
RecXchange has a defined procedure to respond to personal data breaches, minimize harm, and fulfill legal notification obligations:
Immediate Action
Incident response team rapidly assesses situation. Secure systems, patch vulnerabilities, prevent further unauthorized access within hours/minutes.
Investigation
Determine affected data, individuals, records, breach method. Engage forensic security experts if needed. Maintain detailed incident records.
Regulatory Notification
Notification to the supervisory authority (UK ICO, EU DPA) within 72 hours if the breach is likely to result in a risk to individuals' rights. An initial notification may be followed by supplementary details if needed.
Individual Notification
If high risk to individuals (sensitive data, passwords, financial info), notify affected individuals without undue delay. Clear language with protective advice and contact info.
Containment and Recovery
Deploy patches, change credentials, restore from clean backups, remove malicious code, improve failed processes. Keep affected users updated.
Post-Incident Review
Root-cause analysis to learn from event. Update security measures and training. Fix identified gaps in policies or technical controls.
Transparency Commitment
RecXchange will never hide a significant data breach. Swift, factual communication is crucial to maintaining trust and limiting damage. We will be forthright about what is known and unknown during ongoing investigations.
12. Enforcement & Compliance
This Policy is a binding commitment enforced at every level:
- Internal Enforcement: All personnel must comply. Breaches are treated as serious misconduct with consequences including retraining, warnings, or termination. Audit trails and separation of duties.
- Member Compliance Monitoring: Active monitoring of platform activity for policy violations. Investigation of complaints and red flags. Audit of Member activity when necessary.
- Member Enforcement Actions: Warning/training for minor violations. Account suspension during investigations. Permanent termination/ban for serious violations (data misuse, scraping, poaching). Legal recourse for damages.
- Third-Party Processor Compliance: Contractual enforcement with processors. Audits and compliance reviews. Swift corrective action or provider switching if non-compliant.
- Regulatory Cooperation: Full cooperation with data protection authorities (ICO, Data Office, etc.). Transparency and good faith in inquiries/inspections. Compliance with directives.
- Periodic Compliance Reviews: Regular reviews ensuring policy practices match stated commitments. Testing of response procedures. Results reported to senior management.
Penalties for Non-Compliance
GDPR/UK GDPR fines up to 4% of global annual turnover or €20 million. Other laws (PDPL, CCPA/CPRA, LGPD, POPIA) have significant fine regimes and potential criminal sanctions. Reputational harm from violations is irreparable. Non-compliance is not worth the risk.
13. Contact Information
For any questions, concerns, or requests regarding this Global Data Protection Policy or any aspect of how RecXchange handles personal data, please contact us:
Data Protection Officer
legal@recxchange.io
For data rights requests, privacy questions, or GDPR concerns
RecXchange Portal LLC
Pinnacle Building, Sheikh Zayed Road
Dubai, United Arab Emirates
Trade Licence No: 1508955
Response Times
- Data Subject Rights Requests: Response within 30 days (GDPR requirement)
- General Inquiries: Response within 2 business days
- Data Breach Notifications: Within 72 hours to the supervisory authority
Related Policies
- Privacy Policy: Full data processing details
- Cookie Policy: Tracking and cookies
- Terms of Service: Platform usage terms
Last updated: September 2025
Lead Supervisory Authority: UK Information Commissioner's Office (ICO)
Governed by the laws of England and Wales