Last updated: May 2026
The responsible body within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
Poppy Lane Placements Ltd
74 Golborne Road
London W10 5PS
United Kingdom
Email: info@poppylaneplacements.com
Phone: +44 20 7243 9049
In accordance with Article 13 GDPR, we will inform you of the legal basis for our data processing. If the legal basis is not specified in this privacy notice, the following applies: the legal basis for obtaining consent is Article 6(1)(a) in conjunction with Article 7 GDPR.
The legal basis for processing in order to provide our services and fulfil contractual measures, as well as answering enquiries, is Article 6(1)(b) GDPR.
The legal basis for processing in order to fulfil our legal obligations is Article 6(1)(c) GDPR.
If the processing of your data is necessary to safeguard the legitimate interests of our company or a third party and if your interests, fundamental rights and fundamental freedoms as the data subject do not outweigh the first interest, Article 6(1)(f) GDPR serves as the legal basis for the processing.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
We adhere to the principles of data minimisation in accordance with Article 5(1)(c) GDPR and storage limitation according to Article 5(1)(e) GDPR.
We only store your personal data for as long as is necessary to achieve the purposes stated here, or as stipulated by the retention periods provided for by law. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as quickly as possible.
This website may contain links to third-party websites or to other websites under our responsibility. If you follow a link to any of the websites outside our control, please note that these websites have their own privacy notices.
We do not assume any responsibility or liability for these external websites and their privacy notices. Before using these websites, please check whether you agree with their privacy policies.
You can recognise external links either by the fact that they are displayed in a colour which is slightly different from the rest of the text or that they are underlined. Your cursor will show you external links when you move it over such a link.
Only when you click on an external link will your personal data be transferred to the destination of the link. The operator of the other website will then receive your IP address, the time at which you clicked on the link, the website you were on when you clicked on the link, and other information that you can find in the respective provider’s privacy notice.
Please note that individual links may result in data transfer outside the European Economic Area. This could give foreign authorities access to your data. You may not be entitled to any legal recourse against such data access.
If you do not want your personal data to be transferred to the link destination or potentially even accessed by foreign authorities against your will, please do not click on any links.
As a data subject within the meaning of the GDPR, you have the opportunity to assert various rights.
The rights of data subjects arising from the GDPR are the right of access under Article 15, the right to rectification under Article 16, the right to erasure under Article 17, the right to restriction of processing under Article 18, the right to object under Article 21, the right to lodge a complaint with a supervisory authority, and the right to data portability under Article 20.
Some data processing can only be carried out with your explicit consent. You have the option of revoking your consent at any time. The lawfulness of the data processing until the revocation is not affected by this.
If the processing is based on Article 6(1)(e) or Article 6(1)(f) GDPR, you as a data subject can object to the processing of personal data concerning you at any time for reasons arising from your particular situation.
You are also entitled to this right in the case of profiling based on these provisions within the meaning of Article 4(4) GDPR.
If we cannot prove a legitimate interest for the processing that outweighs your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims, we will refrain from processing your data after an objection has been made.
If the processing of personal data serves the purpose of direct marketing, you also have the right to object at any time. The same applies to profiling which is related to direct advertising. Again, we will no longer process personal data as soon as you object.
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, without prejudice to any other administrative or judicial remedy.
If your data is processed automatically on the basis of consent or performance of a contract, you have the right to receive this data in a structured, commonly used and machine-readable format.
You also have the right to request the transfer and provision of the data to another controller, insofar as this is technically feasible.
You have the right to obtain information about your processed personal data regarding the purpose of the data processing, the categories, the recipients and the duration of storage.
If you have any questions on this topic or on other topics regarding personal data, you can contact us via the contact options given in the imprint.
You can assert the restriction of the processing of your personal data at any time. To do this, you must meet one of the following requirements:
Restriction of processing means that, apart from storage, the personal data may only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
Our website is hosted by:
Webflow, Inc.
398 11th Street, 2nd Floor
San Francisco, CA 94103
USA
When you access our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or our hosting company’s server.
This information may include:
This data is not merged with other data sources.
Instead of operating this website on our own server, we may also commission an external service provider, a hosting company, to operate it on their own server, which we have named above in this case. The personal data collected by this website will be stored on the hosting company’s servers.
In addition to the data mentioned above, the web host also stores for us, for example, contact requests, contact details, names, website access data, meta and communication data, contract data and other data generated via a website.
The legal basis for processing this data is Article 6(1)(f) GDPR. Our legitimate interest is the technically error-free presentation and optimisation of this website.
If the website is called up in order to enter into contract negotiations with us or to conclude a contract, this serves as a further legal basis under Article 6(1)(b) GDPR.
In the event that we have commissioned a hosting company, an order processing contract will have been agreed with this service provider.
Our website uses local storage items, session storage items and/or cookies.
Local storage is a mechanism that enables data to be stored within the browser on your end device. This data usually includes user preferences, such as the day or night mode of a website, and is retained until you manually delete the data.
Session storage is very similar to local storage, whereas the storage duration only lasts during the current session, so until the current tab is closed. The session storage objects are then deleted from your end device.
Cookies are information that a web server, meaning the server that provides web content, stores on your end device in order to be able to identify this end device. They are either temporarily deleted for the duration of a session, known as session cookies, and after your visit to a website, or permanently stored on your end device, known as permanent cookies, until you delete them yourself or they are automatically deleted by your web browser.
These objects can also be stored on your end device by third-party companies when you visit our site. These are known as third-party requests. This allows us, as the operator, and you, as a visitor to this website, to make use of certain third-party services installed on this website. Examples include payment processing services or displaying videos on a website.
These mechanisms have a variety of uses. They can improve the functionality of a website, control shopping cart functions, increase the security and comfort of website use and carry out analyses regarding visitor flows and behaviour.
Depending on their individual functions, they must be classified in terms of data protection legislation. If they are necessary for the operation of the website and intended to provide certain features, such as a shopping cart feature, or serve to optimise the website, such as cookies to measure visitor behaviour, then their use is based on Article 6(1)(f) GDPR.
As a website operator, we have a legitimate interest in storing local storage items, session storage items and cookies in order to ensure the technically error-free and optimised provision of our services.
In all other cases, local storage items, session storage items and cookies are only stored with your express consent under Article 6(1)(a) GDPR.
If local storage items, session storage items and cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in this privacy notice. When required, your consent will be requested and can be revoked at any time.
We use external services on our website. External services are services provided by third parties that are used on our website. This can be done for a variety of reasons, such as embedding videos or website security.
When using these services, personal data is also passed on to the respective providers of these external services. If we have no legitimate interest in using these services, we will obtain your revocable consent as a visitor to our website before using them under Article 6(1)(a) GDPR.
In order to comply with data protection requirements, we use a consent management tool on our website. This tool enables us to obtain the necessary consents for the setting of cookies or the use of external services. We then store these consents.
The data processing is necessary for compliance with a legal obligation to which the data controller, meaning the website operator, is subject. Article 6(1)(c) GDPR is therefore used as the legal basis for the processing.
We use the service CookieHub on our website. The provider of the service is CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland.
Further information can be found in the provider's data protection information at the following URL:
https://www.cookiehub.com/legal/privacy-policy
We use a content delivery network, also known as a CDN, to optimise the performance and availability of our website.
For this purpose, the service provider who makes this network available will process your IP address and information about when you visited our website. All further information on data processing by this service provider can be found in the company’s privacy notice.
This processing is based on our legitimate interest under Article 6(1)(f) GDPR.
Our legitimate interest in using a content delivery network is to be able to display our website as quickly, securely and reliably as possible.
We use the service Amazon CloudFront on our website. The provider of the service is Amazon Web Services EMEA S.à r.l., 38 Avenue John F. Kennedy, L-1855 Luxembourg.
The use of the service may result in data transfer to a third country, the USA. The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider's data protection information at the following URL:
https://aws.amazon.com/de/privacy/
We use the service Cloudflare on our website. The provider of the service is Cloudflare Germany GmbH, Rosental 7, 80331 München, Germany.
The use of the service may result in data transfer to a third country, the USA. The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider's data protection information at the following URL:
https://www.cloudflare.com/privacypolicy/
Our website uses the service jsDelivr. The provider of this service is Prospect One Ltd., Królewska 65A/1, PL-30-081 Krakau, Poland.
The use of this service may result in data transfer to a third country, the USA. Data transmission is based on the EU Commission's Standard Contractual Clauses.
Further information can be found in the provider's privacy policy at the following URL:
https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net
We use a map service on this website. In order for the map to be used and displayed on the website, the map must be loaded from the provider's server. This results in your IP address being transmitted to the provider's server.
Depending on the provider, cookies and other technologies, including fonts, are loaded. More information on this can be found in the provider’s privacy policy.
Processing only occurs if you expressly give consent to this data processing via our consent banner on the website. The legal basis for this processing is consent under Article 6(1)(a) GDPR.
Without your consent, data processing in the manner described above will not take place. If you revoke your consent, for example via the consent banner or other options provided on this website, we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.
We use the service Google Maps on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country, the USA. The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider's data protection information at the following URL:
https://business.safety.google/privacy
Business processes run faster, more cheaply and with fewer errors if they are automated using software via interfaces. This allows them to be efficiently integrated into the company's processes via its own website or social networks.
We use interface software on our website to link different applications and to transfer personal data securely from one application to another.
We base this processing on a legitimate interest under Article 6(1)(f) GDPR. Our legitimate interest is to be able to develop and display our website as efficiently, securely and reliably as possible.
We use the service Google APIs on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country, the USA. The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider's data protection information at the following URL:
https://business.safety.google/privacy
This site uses so-called web fonts for the uniform display of fonts, which are provided by an external provider and loaded by the browser when the website is accessed.
When web fonts are loaded, the web font provider becomes aware that our website has been accessed from your IP address, as your browser establishes a direct connection to the web font provider.
Processing only occurs if you expressly give consent to this data processing via our consent banner on the website. The legal basis for this processing is consent under Article 6(1)(a) GDPR.
Without your consent, data processing in the manner described above will not take place. If you revoke your consent, for example via the consent banner or other options provided on this website, we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.
We use the service Google Fonts on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country, the USA. The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider's data protection information at the following URL:
https://business.safety.google/privacy
You have the option to contact us via a form on the website. In order for contact to be established via this form, we need your contact details in particular.
The legal basis for data processing here is to fulfil a contract or pre-contractual measures in accordance with Article 6(1)(b) GDPR.
There may also be a legitimate interest in maintaining business relationships or answering your request for other reasons. In this case, the legal basis for the processing of your data would be Article 6(1)(f) GDPR.
The data will be deleted when we have resolved your request and no other retention obligations apply.
We have provided a telephone number and email address on our website in accordance with legal requirements.
Data transmitted in this way is automatically stored by us in order to process the corresponding enquiries or to be able to contact the person making the enquiry. We will not pass this data on to third parties without your consent.
If contact is made by telephone or via our email address for pre-contractual or contractual purposes, the legal basis for the processing of personal data is Article 6(1)(b) GDPR.
For all other contact you make, the legal basis for our processing of your personal data is our legitimate interest in accordance with Article 6(1)(f) GDPR.
Social networks process personal data of their users on a large scale. Visiting our profiles on such networks leads to the processing of your IP address and other information about the devices used, among other things, which enables the IP addresses to be reassigned to individual users.
We cannot influence this data processing. Therefore, we have to point out that visiting our profiles on the social networks and using their functions is at your own risk. Details on data processing can be found in the operator's data protection declaration.
The purpose of our profiles on social media platforms is to increase our internet presence and the associated greater notoriety. Therefore, legitimate interest in accordance with Article 6(1)(f) GDPR is to be used as the legal basis.
With regard to the processing activities by the social networks, we refer to their own legal bases, such as consent in accordance with Article 6(1)(a) GDPR, which can be found in the respective data protection declaration.
Together with the social media platform, we are responsible for the data processing operations triggered when you visit our profile. You can therefore assert your rights as a data subject in accordance with the GDPR against the social media platform and against us.
However, we would like to point out that we cannot influence the processing of data by the social media platform.
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Detailed information about the handling of personal data can be found in the following data protection declaration of Facebook:
https://www.facebook.com/about/privacy/
We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Detailed information about the handling of personal data can be found in the following data protection declaration of Instagram:
https://help.instagram.com/519522125107875
We have a profile on LinkedIn. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.
Detailed information about the handling of personal data can be found in the following data protection declaration of LinkedIn:
https://www.linkedin.com/legal/privacy-policy
As a service provider in the field of personnel consulting, we offer our customers a professional service in the recruitment of specialists. This includes, among other things, the clarification of requirements, the search for and approach of candidates, the pre-selection and presentation of candidates, the coordination of appointments, support in the recruitment process and follow-up support, especially during the probationary period.
In the course of these services, in particular the search for and approach of candidates, we process the personal data, such as application data, that are necessary for the decision-making process in the context of your application.
We collect this data either directly from you when you apply to us, for example by email, via social platforms such as LinkedIn, via online application form or by post, or from third parties by evaluating publicly available information, such as Xing or LinkedIn profiles.
We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated in the strictest confidence.
If you send us an application, we will process your associated personal data, such as contact and communication data, application documents and notes in the context of job interviews, insofar as this is necessary to decide on the establishment of a working relationship.
The legal basis for this is Article 6(1)(b) GDPR, meaning general contract initiation, and, if you have given consent, Article 6(1)(a) GDPR. Consent can be revoked at any time.
Your personal data will only be passed on within our company to persons who are involved in processing your application.
As part of your application, we will pass on your application data to our customers in anonymised form, with your consent, so that they can also get an idea of potential applicants.
If one of our customers is interested in you, we will contact you again separately and specifically ask for your consent to establish contact between you and our customer.
If the application is successful, the data submitted by you will be forwarded to your new customer on the basis of Article 6(1)(b) GDPR for the purpose of carrying out the working relationship.
If we are unable to make or arrange a job offer for you, if you reject a job offer or withdraw your application, we reserve the right to use the data you transmit to us on the basis of our legitimate interests under Article 6(1)(f) GDPR for up to 6 months from the end of the application process.
The data will then be deleted and physical application documents destroyed. The storage serves in particular for the purpose of providing evidence in the event of a legal dispute.
If it is evident that the data will be required after the expiry of the 6-month period, for example due to an imminent or pending legal dispute, deletion will only take place when the purpose for further storage no longer applies.
Longer storage may also take place if you have given your consent under Article 6(1)(a) GDPR or if statutory retention obligations preclude deletion.
If we do not make you a job offer, there is the possibility of including you in our applicant pool. In the event of admission, all documents and information from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.
Admission to the applicant pool is based exclusively on your explicit consent under Article 6(1)(a) GDPR. The submission of consent is voluntary and has no relation to the ongoing application process.
The data subject can revoke consent at any time. In this case, the data will be irrevocably deleted from the applicant pool, unless there are legal retention reasons.
We delete the data from the applicant pool as soon as the reason for the storage no longer applies, for example if you are no longer looking for a new job.
After two years at the latest, we will contact you again and check whether you want to remain in the applicant pool.
