As of Friday May 25th 2018, all organisations working with the data of EU citizens must be GDPR (General Data Protection Regulation) compliant.

Privacy, confidentiality and trust are integral to Nurole and we believe that the intention of the GDPR to ensure transparency, fairness and an increased confidence in the security of individuals’ data we hold is a positive step.

If you don’t wish us to hold any data on you or would prefer that we do not contact you for any reason, please email us on

To help address any questions about Nurole and GDPR we have compiled a list of frequently asked questions which can be found below. For further details please review our Privacy Policy

Nurole have been verified by IASME as meeting the UK Government Cyber Essentials standard

Frequently asked questions

Is Nurole GDPR compliant?

Based on our self-assessment of the requirements under GDPR supported by external legal counsel, we believe we are currently compliant. For further information on our approach to Privacy and GDPR, please read our Privacy Policy.

Where is our data stored?

The information you provide to us or that we hold about you is stored, where possible, electronically in our databases in a secure EU-based private cloud server. We may also transfer your personal data to clients and partners in countries outside the EEA. These countries’ privacy laws may be different from those in your home country. Where we transfer data to a country which has not been deemed to provide adequate data protection standards we take care to put in place security measures and approved model clauses to protect your personal data.

Does Nurole provide a standard Data Processor Agreement?

As Nurole determines the means and purpose of processing subject data it is a Data Controller. Clients using Nurole’s platform, including both headhunters and organisations recruiting directly through the platform, are also Data Controllers since they also determine the means and purpose of processing the data for their own process. Both Nurole and Nurole Clients therefore have both independent and shared responsibilities under GDPR for the protection of data subjects. These are covered in more detail in our Terms and Conditions for organisations and our Privacy Policy.

What is the lawful basis of organisations processing Nurole data subjects under GDPR?

Applicants on Nurole consent to their data being processed by Nurole upon joining the platform and in the case of each application they consent to the processing of their personal data by the organisation to whom they apply and any third parties running that process on the organisation’s behalf.

Organisations may also process subject data based on a contract with the applicant, their own legitimate interests or to comply with a legal or regulatory obligation.

What are the categories of personal data that Nurole processes?

Categories of personal data may include sign in details (e-mail, password) and related information (Linkedin profile, photo, CVs uploaded), ancillary service interests, contact details (title, first name, surname, birth year, nationality, gender, your current main role, whether you have ever sat on a commercial board, your country, postcode, contact number and alternate contact number), the types of roles you are interested in, your expertise including roles you have held, organisations you have worked for, sectors you have experience in, geographic expertise, languages, your application and your recommendation history, your CV, references, third party assessments, IP address (automatically collected), web browser type and version (automatically collected), operating system and version (automatically collected) and a list of URLs starting with a referring site, your activity on this Website, and the site you exit to (automatically collected).

What security does Nurole have in place?

Nurole is committed to protecting the security of your personal information. We use a variety of measures (including, but not limited to regular employee education, data protection and information security policies, firewalls, self service password recovery, two factor authentication, regular backups, access rights management and encryption to protect data in transit and at rest. Data in transit to Nurole’s website is protected using HTTPS which is required for all users. Nurole encrypts content stored at rest, without any action required from users, using AES-256 encryption) to ensure that personal information is protected from:

  • unauthorised access;
  • improper use or disclosure;
  • unauthorised modification or alteration; and
  • unlawful destruction or accidental loss.

What is GDPR?

The EU's General Data Protection Regulation 2016/679 (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive 95/46/EC (which was implemented in the UK under our Data Protection Act 1998) to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents' personal data.

Who does GDPR apply to?

GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.

Where does GDPR apply?

This law doesn't have territorial boundaries. It doesn't matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.

Does the GDPR require EU personal data to stay in the EU?

No, the GDPR does not require EU personal data to stay in the EU provided appropriate measures are put in place to protect that data.

Can I access or delete all our data at any time?

Yes, we can provide a full data deletion or export on request. This also includes any data held by our 3rd party providers.

Do you have a process in place for reporting personal data breaches within 72 hours of having become aware of it?

Yes we do.

Is Nurole registered with the ICO?

Nurole is a registered ICO data controller (Registration number ZA138894).

Who can I speak with about data protection questions?

Nurole’s DPO (data protection officer) can be contacted on