This is a Privacy Statement for the use of www.mallardoutsourcing.co.uk

This Privacy Statement may be updated by us at any time with the latest version being published on this page. This policy was last updated on 29.01.2021.

This Website Privacy Statement details how Mallard Outsourcing Limited uses the data you supply to us when you use this website. If you are asked to provide data on this website, the data you provide will be used in the ways detailed in this Privacy Statement.

Mallard Outsourcing Limited confirms that any personal data we obtain from you will be gathered, stored and processed in compliance with all relevant data protection legislation including the Data Protection Act 1998 and the General Data Protection Regulations (GDPR).

If you have any queries about this Privacy Statement, please direct them to david@mallardoutsourcing.co.uk.

In the use of this website, data will be provided by you, the user. We may request your data to enable or aid the provision of recruitment, training or consultancy services. This includes us being able to match your skills to job vacancies, market your profile to prospective employers, place you in a new job with an employer, keep you informed of suitable opportunities, connect you with training opportunities, offer business consultancy services, to keep you informed of our services. We also gather information to better understand how this website is used.


The data we gather may include, but is not limited to:

Name, address, employer, email address, telephone numbers, employment information, references, work examples, CV’s, cover letters, application forms.

We will never disclose data about you to any party(s) outside of Mallard Outsourcing Limited without your consent, or unless we are required or permitted to do so by law. If you are a job applicant, we may ask you if you consent to your data being shared with one of our Clients (your prospective employer). If you are a learner signing up for or seeking information on a training course or a co-ordinator of training activity for your employer, we may ask you if you consent to your data (and/or data you provide) being shared with a 3rd party such as a training provider. We will never do so without gaining your consent first.


We will not hold your data for longer than is required. We have provisions in place to ensure data is kept up to date. We may re-request your consent to hold your data from time to time to ensure we remain compliant, as data protection legislation dictates.

You have a right to request a copy of the data an organisation holds on you in the form of a Subject Access Request (SAR) as detailed in the Data Protection Act 1998.

To request a copy of the data we hold on you, please send your request to david@mallardoutsourcing.co.uk. A small fee may be apply.

If you wish for Mallard Outsourcing to permanently delete your data from our systems, please send your request to david@mallardoutsourcing.co.uk.

Mallard Outsourcing Limited additionally makes you, the user, aware of your rights as a data subject under GDPR, including:

-    The right to be informed
-    The right of access
-    The right to rectification
-    The right to erasure
-    The right to restrict processing
-    The right to data portability
-    The right to object
-    Rights in relation to automated decision making and profiling

You also have a right to complain to the Information Commissioners Office (ICO) if you feel your data has not been processed legally. Further information can be found on the ICO website.


A cookie is a small file placed on your computer’s hard drive. It enables our website to identify your computer as you view different pages on our website.
Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. They also enable us to see information like how many people use the website and what pages the tend to visit.

We may use cookies to:

Analyse our web traffic using an analytics package. Aggregated user data helps us to improve website structure, design, content and functions.

Identify whether you are signed into our website. A cookie allows us to check whether you are signed into the site.

Test content on our website. For example, 50% of our users might see one piece of content, the other 50% a different piece of content.

Store information about your preferences. The website can then present you with information you will find more relevant and interesting.

To recognise when you return to the website. We may show your relevant content or provide functionality you used previously.

Cookies do not provide us with access to your computer or any data about you other than that which you choose to share with us.

You can use your web browser’s cookie settings to determine how our website uses cookies. If you do not want our website to store cookies on your computer or device, you should set your web browser to refuse cookies.

However, please note that doing this may affect how our website functions. Some pages and services may become unavailable to you.

Unless you have changed your browser to refuse cookies, our website will issue cookies when you visit it.


Mallard Outsourcing is committed to holding your personal data securely. To prevent unauthorised disclosure or access, we have implemented strong physical and electronic security safeguards.


www.mallardoutsourcing.co.uk contains links to other 3rd party websites. Please note that we have no control over websites outside of the www.mallardoutsourcing.co.uk domain name. If you provide data to a website to which you have navigated by following a link, we are not responsible for it’s protection and privacy. We recommend that you review the Privacy Statements of any websites you visit.



Mallard Outsourcing Limited is registered with the Information Commissioners Office and takes data protection very seriously.

General Data Protection Regulation (GDPR) 

For data subjects who have voluntarily provided their personal data to Mallard Outsourcing Limited, our lawful basis for processing is “Consent” from the individual data subject. With consent, we will process personal data provided to us for the specific purposes outlined in the Privacy Statement (i.e. the fulfilment of our services as a business).

If you have received direct marketing from the @mallardoutsourcing.co.uk domain, Mallard Outsourcing Limited has, in accordance with the GDPR and guidance from the Information Commissioners Office and Data & Marketing Association determined that a legitimate interest for direct marketing exists. “Legitimate Interest” is a lawful basis for processing personal data as outlined in Article 6 of the GDPR:

Lawfulness of processing

“Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

The application of “Legitimate Interest” as a lawful basis for data processing in a direct marketing context is additionally highlighted in Recital 47 of the GDPR:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Mallard Outsourcing Limited occasionally uses 3rd party specialised search engines to identify data publicly available online and uses it for direct marketing purposes in Business to Business sales communications.

The Information Commissioners Office recommends that an organisation citing “Legitimate Interest” as a lawful basis for its data processing activities completes and records a Legitimate Interest Assessment (LIA) and keeps the outcome on record to create an audit trail of the decision-making process and justification for processing on the basis of legitimate interest. There is no obligation under GDPR legislation for an organisation to complete an LIA but the Information Commissioners Office recommends it as good practice. Mallard Outsourcing has taken the decision to voluntarily complete and LIA and make it publicly available.

Mallard Outsourcing Limited Legitimate Interest Assessment on the processing of personal data for direct marketing purposes.


Mallard Outsourcing processes data for the purposes of direct business to business marketing to raise awareness of products and services offered. For Mallard Outsourcing Limited, there is a clear benefit of being able to communicate its legitimate and demonstrably useful products and services (cost-effective recruitment solutions, discounted accredited training programmes, free government and European Social Fund-funded training programmes, brokerage services and business consultancy services). For the data subjects, the marketing is clear, unintrusive and of genuine use to their organisation in their specific professional capacity (i.e. it is highly targeted, personalised and specific). If Mallard Outsourcing Limited was unable to process data in this way, it would be unable to effectively market it’s legitimate and competitive products and services and organisations would not be made aware of a legitimate and competitive product that is relevant and potentially of great commercial benefit to them.

Mallard Outsourcing Limited is complying with all relevant and applicable data processing, protection and e-privacy laws and legislation when it processes data.


The processing of data is necessary for Mallard Outsourcing Limited to market its legitimate and competitive products and services. The purpose of processing the data could not reasonably be achieved by other means and processing data in a lower volume would not facilitate the achievement of the data processing purpose. Mallard Outsourcing Limited processes a limited amount of data on any given data subject and all data processed is pertaining to data subjects in their professional capacity (i.e. corporate subscribers). Only the data that is processed is collected and held, demonstrating that the processing is proportionate. By processing the data using a GDPR-compliant Customer Relationship Management system, Mallard Outsourcing Limited is able to store and manage the data securely and offer all data subjects the option to opt out on every communication.


-    The data held and processed by Mallard Outsourcing Limited is limited to 1) The full name of the data subject which is information available in the public domain 2) The organisation by which the data subject is employed or affiliated which is information available in the public domain 3) The e-mail address of the data subject (limited to corporate subscriber e-mail addresses which excludes private e-mail domains such as @gmail.com, @yahoo.com for example) which is information available in the public domain or deduced from information available in the public domain.

-    The personal data is not special category or criminal offence data.
-    The personal data is not children’s data or data relating to vulnerable people.
-    The data is in relation to the data subject’s professional capacity.
-    Data subjects will not lose control over the use of their personal data and are advised that they have 1) a right of access, 2) a right to rectification, 3) a right to erasure/to be forgotten, 4) right to data portability, 5) a right to object to direct marketing, 6) a right to restrict processing, 6) a right to make a complaint.
-    There is a minimal impact upon privacy.
-    The direct marketing is unintrusive and provides the data subject the opportunity to opt out of future communications. 
-    The data processed is unlikely to be considered sensitive.
-    Data subjects are likely to have a reasonable expectation to be contacted with relevant and lawful marketing material relating to their professional roles.
-    Appropriate safeguards have been taken by Mallard Outsourcing Limited to ensure that data is effectively safeguarded.

The completion of a Data Protection Impact Assessment (DIPA) is not required because the nature of Mallard Outsourcing Limited’s data processing activity is not “likely to result in a high risk” as defined by Information Commissioners Office guidelines and the GDPR:

“You must do a DIPA if you plan to:

-    use systematic and extensive profiling with significant effects; (NOT APPLICABLE)
-    process special category or criminal offence data on a large scale; or (NOT APPLICABLE)
-    systematically monitor publicly accessible places on a large scale.” (NOT APPLICABLE)

Privacy and Electronic Communications Regulations (PECR)

PECR is not applicable to the business to business (B2B) direct marketing activity conducted by Mallard Outsourcing Limited whereby electronic marketing is sent to corporate subscribers. The Information Commissioners Office and Data & Marketing Association are very clear on the distinction between marketing to corporate bodies (and their employees) and marketing to individuals.

Consent for business to business marketing is not required under PECR where the marketing is to staff members of limited companies, public limited companies, incorporated partnerships, trusts and foundations, local authority and government institutions. This is confirmed by the Data & Marketing Organisation: “B2B marketing to staff members of limited companies, public limited companies, incorporated partnerships, trusts and foundations, local authority and government institutions is exempt from PECR but subject to GDPR”.

For corporate e-mail addresses that can personally identify an individual employee (constituting personal data under GDPR), the individual employee in question has rights under GDPR including the right to not be contacted again. For corporate e-mail addresses that do not identify an individual employee, no right to opt out exists and there is no option to register with a preference service.

Further information on this can be found on the Information Commissioners Office website.