Puma Capital Group Recruitment and Employee Privacy Policy

Date of publication: February 2026

1. Introduction

The purpose of this Privacy Statement (“Statement”) is to explain the types of data that Puma Capital Group (“Puma” or “we”) collects about you, why we need it and how we store and handle this data in accordance with applicable data protection laws and regulations, including the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 and the Data (Use and Access) Act 2025.

Puma Capital Group comprises Puma Investment Management Limited (“Puma Investments” or “PIML”), Puma Property Finance Limited, Puma Private Equity Limited and their respective affiliates. For the purposes of this Statement, the data controller will be the relevant Puma entity or entities that employ you or with whom you are engaging in the recruitment process.

This Statement applies to all individuals as defined in the “Key Terms” section below. Please read this Statement carefully. By providing your personal data to us (for example, when applying for a role or during employment), your personal data will be processed in accordance with this Statement and our Cookie Policy, which can be found at https://www.pumacapitalgroup.co.uk/cookies. If you have any queries about this Statement or how we use your data, you can contact us using the contact details below.

2. Key terms

“You” means prospective, present and past employees (including those designated as casual, temporary or work experience), contractors, consultants, agency staff, secondees, interns, apprentices, directors (executive and non-executive) and any other individuals working for or on behalf of Puma.

“Personal Data” means any information relating to a living individual who can be identified, directly or indirectly, from that information alone or in combination with other information in the possession of, or likely to come into the possession of, Puma (or its representatives or service providers). This includes factual information, expression of opinion about an individual, and any indication of intentions regarding that individual.

“Special Category Data” means any personal data revealing your racial or ethnic origin, political opinions, religious or philosophical (or similar) beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning your sex life or sexual orientation.

“Criminal Offence Data” means details of criminal convictions or offences, including the commission or alleged commission of any offence, any proceedings for any offence committed or alleged to have been committed and the disposal of such proceedings or the sentence of any court in such proceedings.

3. Privacy at Puma

Puma is committed to protecting the privacy and security of your personal data. This Statement provides information on how your personal data is processed by Puma in the course of carrying on our contractual, regulatory and commercial activities.

It is our policy to:

• Process your personal data fairly and in accordance with applicable laws;
• Tell you (either directly or in our policies) about how we will use your personal data;
• Only collect personal data from you when we need it for legitimate purposes, or legal reasons;
• Ensure that your personal data is adequate, relevant and not excessive for the purpose for which we collect it;
• Not keep your personal data for longer than we need to;
• Keep your personal data secure, and limit the people who can access it;
• Ensure that you know how to access your personal data and exercise your rights in relation to it, including being able to keep it accurate and up-to-date; and
• Ensure that any third parties we share your personal data with take appropriate steps to protect it.

4. Types of data collected

We may collect the following data and information from and about you:

• Recruitment and application process: Information provided during recruitment, including your CV, responses to application questions, communications about the process, feedback, psychometric test results, references, and pre-employment checks (such as criminal record, credit and fraud checks). We may also collect data about your interaction with our careers site and applicant tracking system, such as device details (IP address, browser type, traffic source), and communications data (email content, video recordings, message responses, survey responses).
• Identity, eligibility and contact details: Your name, current and previous addresses, telephone numbers and email addresses, date of birth, gender, marital status, nationality, national insurance or identity number, right to work details, information about any dependents, and bank account details.
• Education and professional history: Details of your education, qualifications (including certificates), skills, experience, employment history (including start and end dates and reasons for leaving), directorships or officers roles, and information obtained from background checks (such as references or employment verification).
• Criminal record and litigation history: Information about criminal records (including allegations), investigations, litigation, court proceedings, civil liabilities or criminal convictions, where permitted by law.
• Demographic and diversity data: Socio-economic background and veteran status.
• Remuneration and benefits: Details of personal wealth, previous or current remuneration, benefit entitlements (such as pensions and insurance), and payroll related documents (such as P45, payslips, tax code and status, and pension).
• Employment terms: The terms and conditions of your employment and any associated offer or termination correspondence.
• Personal trading activity and outside business interests: Disclosure of personal investments and trading activity (including that of connected persons), and details of outside business interests, such as volunteering roles or external directorships.
• Photographs and professional profile information: Photographs and profile information for internal company use and, where relevant, for external publication (e.g., website, social media, marketing).
• Health and wellbeing: Information about medical or health conditions (including disabilities requiring reasonable adjustments), dietary requirements, allergies, and emergency/next of kin contact details.
• Attendance and leave records: Data about your working schedule, attendance, and periods of leave (including reasons such as holiday, sickness, family leave, and sabbaticals).
• Performance, conduct and disciplinary records: Information about performance appraisals, reviews, improvement plans, and related correspondence, including investigations or warnings issued under disciplinary and grievance procedures.
• Technology and communications data: Data collected through your use of our telephone system (including name, work number, content, date, time, and duration of calls) and through your use of our computers and IT systems.

This data may be provided by you or by third parties, such as former employers, background check providers, credit reference agencies, or criminal record check services (where legally permitted). It may be collected through:

Forms and documentation submitted during recruitment or employment (such as applications, assessments including online assessments via third parties, or benefit-related submissions)

Identity documents (such as your passport, driving license or other identity documents)

Interviews and communications with us (by phone, by email or in person)

Our applicant tracking system or HR information system.

Personal data is stored in a range of different places, including our applicant tracking system, HR information system, in your confidential employee file, and in other IT systems (including our email system).

5. Use of your personal data

We use candidate and employee personal data for the following purposes. Depending on the context, we rely on different lawful bases, including performance of a contract, legal obligation, and legitimate interests, and consent, where required by law for optional activities.

• Recruitment and onboarding: To assess suitability for employment, process applications, conduct background and reference checks (where lawful), communicate about the recruitment process, make offers, and complete onboarding.
• Employment administration: To manage the employment relationship, including payroll, benefits and pension administration, time and attendance, performance management, training and professional development, and general HR administration.
• Legal, regulatory and contractual obligations: To meet our obligations as an employer and a regulated firm, including maintaining statutory and HR records, responding to regulatory or law enforcement requests, making regulatory filings/applications (for example under the Senior Managers and Certification Regime), and exercising or defending legal claims.
• Internal policies, conduct and investigations: To monitor and support compliance with internal policies and procedures (such as information security, conduct and personal account dealing), to investigate disciplinary or grievance matters, and to help ensure workplace safety and security.
• IT, systems and security management: To provide, administer and monitor our IT, communication and collaboration systems (including email, telephone and other communications tools), ensure effective operation, detect and prevent fraud or misuse, and maintain business continuity.
• Communications: To contact you about recruitment and employment matters, operational updates, internal notices, and where relevant, contact your nominated emergency contact.
• Marketing, recognition and business records: To include professional details (such as name, role, business contact details and photographs) in internal directories, organisational charts, and business documents; to recognise achievements internally; and, where permitted by law and in line with your preferences, to use your professional profile (such as name, role, business photograph and email) in external materials such as our website, social media or marketing communications.
• Providing references: To provide employment or regulatory references to future employers or regulators, where requested and lawful.
• Business operations and planning: To support business management and planning, including business continuity and disaster recovery, succession planning, organisational restructuring, management reporting and audits.
• HR systems and service providers: To process and store data in HR and recruitment systems and tools (e.g., Applicant Tracking System and HR information system) and to engage third party service providers that support HR, payroll, benefits, training, background checks and IT services, under appropriate contracts. These systems may automatically share data with other tools through secure connections (APIs) and may incorporate artificial intelligence (AI).
• Other compatible purposes: For purposes that are compatible with the above (for example, internal audit, risk management, responding to disputes or regulatory enquiries, or corporate transactions), always in accordance with applicable law.

6. Use of your special category and criminal offence data

Special category data, such as information about health or medical conditions or racial or ethnic origin, is processed to carry out employment law obligations. This includes obligations relating to employees with disabilities, individuals requiring reasonable adjustments, health and safety requirements, ensuring employees are fit to work, and confirming the right to work in the United Kingdom.

Where we process other special category data, such as information about ethnic origin, sexual orientation, health, or religion or belief, it is for the purpose of equal opportunities monitoring, in accordance with UK GDPR and the Data Protection Act 2018.

We may also process criminal offence data (which is separate from special category data) to assess your suitability for employment, both during recruitment (through appropriate criminal records checks) and throughout your employment. This is necessary to comply with regulatory requirements, to determine whether an individual has committed an unlawful act or been involved in dishonesty or other improper conduct, and for the purposes of preventing or detecting unlawful acts.

7. The legal basis for processing your personal data

The law provides several bases on which we may collect and process your personal data, including:

a) Contractual obligations

To comply with our contractual obligations and exercise our rights under your employment contract with us.

b) Legal and regulatory obligations

To comply with legal and regulatory obligations, including when you exercise your rights under data protection law and for compliance related disclosures such as verifying your identity and performing credit checks.

We also record and monitor phone calls and electronic communications made or sent to or by us where required to meet regulatory obligations.

c) Our legitimate interests

In certain situations, we may use your personal data to pursue our legitimate interests (or those of our affiliates) in a way which you might reasonably expect and that does not materially impact your rights or freedom. Examples include:

• Administering and managing the operation of our business effectively and efficiently.
• Maintaining compliance with internal policies and procedures

For special category data, we rely on additional conditions under UK GDPR, such as processing necessary for employment law obligations (e.g., health and safety, reasonable adjustments) or for equality monitoring purposes.

For criminal offence data, we process this where necessary to comply with regulatory requirements and prevent or detect unlawful acts.

We always ensure that any use of personal data complies with the applicable law and that access is restricted to employees who need it for the purposes described in this Statement. 

8. Sharing your information with third parties

Your personal data may be shared internally with members of the People (HR) team (including payroll and Talent Acquisition), your line manager, Compliance, managers in your business area, and IT staff where access is necessary for their roles. During recruitment, your data may be shared with third parties for assessing your suitability for employment.

In the course of your employment, certain personal information - such as your name, job title and business contact details - may be shared externally as part of your role (e.g., when sending emails, attending meetings, participating in calls, or representing Puma).

Your data may also be shared with employee representatives during collective consultation (e.g., redundancy or business sale), limited to information necessary for consultation (such as name, contact details, role and length of service). Internally, the amount of personal information shared will be limited to operational needs.

We may also disclose your personal data to our affiliates for purposes such as:

• Managing and administrating our business and that of our affiliates
• Benchmarking salaries and benefits (shared on an anonymised and aggregated basis)
• Assessing compliance with laws, regulations, and internal policies
• Administrating and Maintaining employee databases

We may also need to share certain personal data with external third parties for the following purposes:

• To comply with legal obligations or court orders
• At your request (e.g., providing data to a mortgage or rental provider)
• To service providers acting on our behalf (e.g., applicant tracking systems, background screening, pension and benefit providers, insurers, payroll providers, IT and communications providers, law firms, accountants and auditors). These parties will be subject to confidentiality requirements and may only use your personal data as described in this Statement;
• To regulators such as the Financial Conduct Authority or HMRC;
• To detect or prevent fraud or unlawful acts;
• In connection with a business sale or acquisition (including due diligence)

We will never lend or sell your information to third parties.

We may occasionally need to share special category data (e.g., health data) with external third parties such as with Insurers or Occupational Health providers. Where possible, we will try obtain your explicit consent before doing so. In limited circumstances, special category data may be shared without consent where permitted by law, including:

• To comply with employment law (e.g., equality and diversity monitoring)
• To protect your vital interests, or those of another person
• To process information you have made public
• To provide medical care, counselling or similar where consent cannot reasonably be obtained
• To comply with law enforcement notices or court orders
• To obtain legal advice or establish, exercise, or defend legal rights.

Any data shared for diversity monitoring or similar purposes will always be aggregated and anonymised so individuals cannot be identified.

We require all third parties to ensure the security of your personal data and to treat it in accordance with the UK GDPR and consequently, they may only use your personal data for the purposes we specify in our contract with them.

9. International Transfers

In certain circumstances, we may transfer your personal data to countries outside the United Kingdom and the European Economic Area (EEA). Where we transfer data to a country recognised by the UK Government or the European Commission as providing an adequate level of data protection, your personal data will be transferred on that basis.

For transfers to countries that do not have an adequacy decision, we implement appropriate safeguards in accordance with UK GDPR. These include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or other legally recognised mechanisms. These safeguards ensure that your personal data receives protection equivalent to UK data protection standards.

10. Security and data retention

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, misuse, alteration, destruction or accidental loss. These include access controls, encryption, segregation of duties, and regular security reviews. Access to personal data is limited to those individuals who need it for legitimate business purposes. Individuals who handle personal data are required to do so in accordance with applicable policies and procedures.

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or to meet legal, regulatory, contractual and legitimate business requirements. Retention periods are determined by reference to statutory limitation periods, regulatory record-keeping obligations, the nature and sensitivity of the data, and the potential need to establish, exercise or defend legal claims.

Different categories of personal data are retained for different periods. In many cases, core employment records are retained for at least seven years after the end of your employment, reflecting applicable limitation periods and regulatory expectations. Not all categories of employee data are retained for the same duration, and some data may be deleted or anonymised sooner where no longer required.

Certain categories of personal data are subject to specific retention periods, including:

• Criminal record check information obtained for the purpose of conducting a criminal record check is normally retained for no more than six months. A record of the outcome or decision (rather than the underlying data check) may be retained for up to seven years.
• Recruitment records relating to unsuccessful candidates may be retained for up to 18 months after the recruitment process has concluded. Where consent is relied upon, it may be withdrawn at any time. In other cases, retention is based on our legitimate interests, including managing recruitment processes and responding to or defending potential legal claims.

Once the applicable retention period has expired, personal data is securely deleted or anonymised, unless continued retention is required to comply with legal or regulatory obligations or for the establishment, exercise or defence of legal claims. Further detail on retention periods and review processes is available on request.

11. Your rights

You have the following rights regarding your personal data:

• The right to obtain information regarding the processing of your personal data and access to the Personal Data which we hold about you;
• The right to withdraw your consent to the processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason for doing so. For example, we may need to retain personal data to comply with a legal obligation;
• The right to request that we rectify your personal data if it is inaccurate or incomplete;
• The right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data, but we are legally entitled or obligated to retain it;
• The right to object to, or request that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled or obligated to refuse that request; and
• The right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us (see Section 14 below).

You can exercise your rights by contacting us, please see Section 14 below.

12. Automated decision-making

Employment decisions are not based solely on automated decision-making.

13. Changes to this Statement

We keep this Statement under regular review and may update it from time to time. When we make changes, we will update the ‘last revised’ date at the top of this Statement and publish the updated version on our website and other appropriate locations. We encourage you to check this Statement periodically to stay informed about how we process your personal data. 

14. Contact and Complaints information

If you have any questions, concerns, or wish to exercise your data protection rights, including making a complaint about how we process your personal data or about this Statement, please contact us:

Email: gdpr@pumainvestments.co.uk,

Post: Puma Capital Group, Compliance Team, Cassini House, 57 St James’s Street, London SW1A 1LD.

We aim to acknowledge all complaints within 30 days and will investigate your concerns thoroughly, providing updates where required. A final response detailing the outcome of our investigation will be provided within three months, unless exceptional circumstances apply.

If you are not satisfied with our response, you have the right to escalate your concerns to the Information Commissioner’s Office:

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint