Privacy & Data Policy

PRIVACY & DATA PROTECTION NOTICE

Effective: February 2026
Davis Nolan Ltd. trading as Next Generation (“Next Generation”, “we”, “us”, “our”)

1. Introduction

Next Generation is committed to protecting personal data and respecting privacy.

This Privacy & Data Protection Notice explains how and why we collect, use, store, share and protect personal data in accordance with:

  • The EU General Data Protection Regulation (“GDPR”)

  • The Data Protection Acts 1988–2018

  • Applicable Irish and EU data protection law and regulatory guidance

This Notice applies to:

  • Individuals who engage directly with us

  • Individuals whose professional data we obtain from publicly available sources for recruitment purposes

  • Visitors and users of our website and digital services

  • Candidates and prospective candidates

  • Members of our Talent Community or talent pools

  • Clients and client representatives

  • Suppliers and business partners

  • Users of our content, reports, events and communications

We may update this Notice from time to time. The most current version will always be available on our website.

2. Who is responsible for your personal data?

Data Controller:
Davis Nolan Ltd. t/a Next Generation

Data Protection Contact:
Data Protection Lead
Email: mydata@nextgeneration.ie
Telephone: +353 (1) 662 9120

Depending on the activity, we may act as:

  • Data Controller (most recruitment, talent community, marketing and website processing)

  • Joint Controller with a client (e.g. where candidate data is shared for a specific opportunity)

  • Data Processor acting strictly on a client’s documented instructions

Our role depends on the specific processing context.

3. How recruitment, talent and marketing operate today

Modern recruitment involves more than responding to job applications. It may include:

  • Proactive sourcing and talent identification

  • Maintaining talent communities or long-term candidate relationships

  • Skills-based matching rather than role-only matching

  • Multi-channel communications (email, professional platforms, events, content)

  • Technology-supported workflows, analytics and reporting

  • AI-enabled tools used to assist search, organisation and communication

Where we use technology in recruitment, talent management or marketing:

  • It is designed to support human decision-making, not replace it

  • Processing is limited to what is necessary and proportionate

  • Safeguards are implemented to protect individual rights

4. Why we process personal data

A. Recruitment and talent services

We process personal data to:

  • Identify, source and assess candidates

  • Proactively contact professionals about relevant career opportunities

  • Manage applications, interviews and communications

  • Assess skills, experience, suitability and availability

  • Present candidate profiles to clients for specific opportunities

  • Maintain talent pools for future roles, where appropriate

Where we proactively contact individuals who have not directly applied to us, this is conducted under our legitimate interests and in accordance with applicable law.

B. Talent community, content and marketing

We may process data to:

  • Provide requested reports, guides, insights, events or newsletters

  • Manage subscriptions and communication preferences

  • Conduct lawful recruitment outreach relevant to professional background

  • Understand engagement with content and services (at an aggregated level where possible)

Recruitment outreach regarding specific employment opportunities is distinct from general commercial marketing. Where communications constitute marketing within the meaning of applicable electronic communications legislation, we comply with consent requirements where applicable.

All outreach communications include a clear opt-out mechanism.

C. Client and supplier relationships

We process data to:

  • Manage business relationships

  • Deliver services

  • Administer contracts, billing and compliance

D. Security, quality and compliance

We process data to:

  • Maintain information security

  • Prevent misuse, fraud or unauthorised access

  • Ensure service quality and training

  • Meet legal and regulatory obligations

We do not process personal data for purposes incompatible with the above.

5. Lawful bases for processing

We process personal data only where a lawful basis under Article 6 GDPR applies.

Common lawful bases include:

  • Legitimate Interests — for recruitment, proactive talent sourcing, candidate communications, service improvement, security and business operations, where our interests do not override your rights

  • Steps prior to entering a contract — where you apply for or progress within a recruitment process

  • Contract — for client and supplier relationships and service delivery

  • Legal obligation — for employment, tax, regulatory or compliance requirements

  • Consent — where required by law (for example, certain electronic marketing communications)

Lawful Basis for Proactive Candidate Outreach

Where we contact individuals regarding potential career opportunities based on professional background, we rely on Article 6(1)(f) GDPR — Legitimate Interests.

Our legitimate interests include:

  • Matching professionals with relevant client opportunities

  • Informing individuals of career opportunities aligned to their experience

  • Maintaining a responsible and proportionate talent pipeline

We maintain a documented Legitimate Interest Assessment (LIA) to ensure:

  • The processing is necessary for recruitment purposes

  • The impact on individuals is proportionate

  • Individuals would reasonably expect professional outreach in this context

  • Individual rights and freedoms are not overridden

You have the right to object to such processing at any time.

6. Special category (sensitive) data

We may process limited special category data only where lawful and necessary, such as:

  • Work authorisation / immigration status (where relevant to eligibility)

  • Information you voluntarily disclose (e.g. accommodations or accessibility needs)

  • Limited assessment outputs where permitted by law

We rely on appropriate Article 9 GDPR conditions, such as employment-related obligations or explicit consent where required.

We do not request or require sensitive data unless it is lawful and relevant.

7. What personal data we collect

A. Candidates and Talent Community

  • Name and contact details

  • CVs, resumes, cover letters

  • Employment and education history

  • Skills, experience and role preferences

  • Interview notes and communications

  • Compensation expectations (where provided)

  • Availability and notice periods

  • Right-to-work indicators (where relevant)

  • Referee details (where provided)

  • Professional online profile links (where relevant)

  • Assessment or evaluation data (where used)

We collect only data relevant to professional recruitment purposes and aim to keep data accurate, relevant and up to date.

B. Website, content and digital channels

  • IP address and device information

  • Usage data, cookies and similar technologies

  • Form submissions and downloads

  • Subscription and communication preferences

  • Engagement metrics (where applicable)

C. Clients and suppliers

  • Business contact details

  • Communications and engagement history

  • Billing and payment information (suppliers)

8. Where we obtain personal data

A: We collect data from:

  • You directly (applications, forms, emails, calls, events)

  • Our website and digital services

  • Job boards, CV databases and professional platforms

  • Social and professional networks

  • Referrals

  • Publicly available sources

This may include verifying or updating publicly available professional information such as current employer, role title, or business contact details.

Where professional contact information is publicly available in a professional context (including business or publicly listed contact details), we may use such details to make role-specific outreach.

B: Proactive Candidate Sourcing

We may obtain professional contact details (including business email addresses and, where publicly available, other professional contact information) from publicly accessible sources for recruitment purposes.

We do not engage in unlawful scraping, covert data extraction, or practices that override platform terms or individual rights.

Where personal data is obtained indirectly, we provide appropriate transparency information in accordance with Article 14 GDPR. In some cases, where a personal email address is publicly available in a professional context or has been made publicly accessible for professional contact purposes, we may use that address for role-specific outreach.

Where we first contact you using data obtained from publicly available or third-party sources, our initial communication will provide a link to this Privacy Notice and explain the category of source from which your data was obtained, together with a clear opportunity to object or opt out.

9. How we share personal data

A. With clients

Candidate data may be shared with a client only for a specific recruitment purpose.

We and the client generally act as separate controllers for our respective processing activities.

B. With service providers (processors)

We use trusted service providers (e.g. ATS/CRM systems, hosting, business communication tools, email systems, analytics, telephony, recruitment workflow platforms, data enrichment tools) who process data on our behalf under written agreements and confidentiality obligations.

C. Legal and regulatory

Where required by law, regulation or legal proceedings.

We do not sell personal data.

D. Recruitment Technology, Outreach and Data Enrichment Tools

We use recruitment technology platforms and cloud-based tools to support:

  • Business communications and documentation

  • Recruitment workflows and candidate communications

  • Lawful outreach and sequencing

  • Organising, validating or verifying professional information from lawful sources

  • Managing communication preferences, opt-outs and suppression lists

Where such tools are used:

  • Processing is carried out on appropriate lawful bases

  • Data is limited to what is relevant and proportionate

  • Opt-outs and objections are respected

  • Personal data is not repurposed incompatibly

Providers act under written data processing agreements. We retain responsibility as Data Controller.

10. External sourcers and authorised support

We may engage authorised third parties to support recruitment, sourcing and marketing activities.

They:

  • Act solely as data processors

  • Process data only on our documented instructions

  • Are prohibited from using data for their own purposes

  • Are subject to written agreements and confidentiality obligations

We retain oversight and responsibility as Data Controller.

11. Automated processing, AI and profiling

We may use AI-assisted tools to support recruitment and marketing workflows.

Safeguards include:

  • No recruitment or hiring decisions based solely on automated processing producing legal or similarly significant effects

  • Meaningful human involvement in recruitment outcomes

  • Human discretion and accountability retained

  • No covert profiling to determine employment outcomes

In the context of recruitment, AI-assisted tools may analyse CVs or professional profiles to extract structured information such as skills, job titles, industries, qualifications and years of experience. This information may be used to assist consultants in identifying potentially relevant candidates for review.

Such processing may involve categorisation or matching of professional experience against job requirements. This does not independently determine suitability or progression and is always subject to meaningful human review and discretion.

This may constitute “profiling” within the meaning of Article 4(4) GDPR, limited to analysing professional experience for recruitment matching purposes.

Individuals may request further information and exercise their rights.

12. International data transfers

Where personal data is transferred outside the EEA, we implement appropriate safeguards, including:

  • EU Standard Contractual Clauses

  • Transfer impact assessments where required

  • Additional technical and organisational safeguards

13. Call recording and communications monitoring

Where calls are recorded:

  • Processing is carried out on a lawful basis

  • Recording is proportionate

  • Notice is provided where required

  • Access and retention are restricted

14. Data retention

We retain personal data only as long as necessary:

  • Candidates and Talent Community: generally up to 24 months from last meaningful interaction

  • Proactively sourced individuals: up to 24 months from last contact unless objected

  • Opt-outs: suppression records retained to prevent further contact

  • Placed contractors/employees: retained in line with legal obligations

  • Clients and suppliers: retained for relationship duration and statutory periods

  • Marketing subscriptions: until unsubscribed or reviewed

Retention periods are periodically reviewed.

Where an individual objects to processing or requests not to be contacted, we will remove their personal data from active sourcing systems and retain minimal information necessary to ensure that further outreach does not occur.

15. Your rights

You have the right to:

  • Be informed

  • Access your data

  • Rectification

  • Erasure

  • Restriction of processing

  • Data portability

  • Object to processing

  • Rights relating to automated decision-making and profiling

Requests may be made to mydata@nextgeneration.ie.

You also have the right to lodge a complaint with the Irish Data Protection Commission.

16. Data security

We implement appropriate technical and organisational measures including:

  • Role-based access controls

  • Secure cloud services and encryption where supported

  • Staff training and confidentiality obligations

  • Vendor due diligence and contractual safeguards

  • Incident detection and response procedures

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Irish Data Protection Commission and affected individuals where required by law.

Controls are reviewed regularly.

17. Cookies and website technologies

Our website uses cookies and similar technologies for:

  • Essential functionality

  • Security

  • Analytics and performance

  • Marketing preferences where applicable

Details are available in our Cookie Policy.

18. Use of AI and Technology-Assisted Tools

We may use AI and automation to support recruitment services, communications, analytics and website content.

AI tools:

  • Assist with organising information

  • Support search and matching workflows

  • Assist communications drafting

  • Support lawful outreach management

  • Do not replace human judgement

We do not make autonomous hiring decisions or undisclosed automated employment determinations.

We maintain meaningful human oversight.

19. Contact

For questions regarding this Notice:

📧 mydata@nextgeneration.ie
📞 +353 (1) 662 9120

Governance & Liability Statement

This Notice provides transparency regarding our processing activities.
It does not create contractual rights beyond those required by applicable law.

We review and update our governance framework as recruitment practices, automation technologies and regulatory requirements evolve.