Standard Terms and Conditions of Business – crooton Ltd 


“Assignment Schedule”

An Agreement for the provision of recruitment services by crooton Ltd as set out in the proposal issued to the Client, which upon acceptance by the Client, shall become a contractually binding Agreement. Any revisions to the Assignment Schedule shall be agreed by the Parties in writing. 


“Candidate”

Any person introduced by crooton Ltd for the purpose of Engagement in fulfilment of the Assignment Schedule.


“Client”

Any person, firm or corporate body to whom a Candidate is supplied pursuant to the Assignment Schedule.

“Client Group” 

Any subsidiary, holding company and/or associate person, firm or corporate body of the Client, as defined under s1159 and s1152 of the Companies Act 2006.

“Confidential Information” 

Any secret or commercially sensitive information in whatever format, relating to either Party's technology, technical processes, business affairs, finances, fee structure, trade secrets, future plans, strategies, personnel, Client relationships, or Intellectual Property, together with all information derived from the above and any other information they have designated as confidential (whether or not it is worded as “confidential”) or which ought to be reasonably considered to be confidential.


“Engagement”

The Engagement, employment or use of a Candidate on a temporary or permanent basis, directly or indirectly through another legal entity, employment, contract for services, agency, franchise, or partnership arrangement (and whether paid or unpaid).


“Fees”

The Fees payable to crooton Ltd by the Client as set out in the Assignment Schedule (Proposal) on the terms set out below.

“Intellectual Property” 

The patents, rights to inventions, copyright and related rights, moral rights, trademarks and any other Intellectual Property rights, in each case, whether registered or unregistered and all similar or equivalent rights or forms of protection, which may exist now or in the future. 


“Location”

The Location of the Assignment Schedule agreed in writing by the Parties or as otherwise agreed by the Parties.


“Parties”

crooton Ltd and the Client. Party shall be construed accordingly.

“Standard Terms and Conditions of Business” 

The terms and conditions set out in this document together with the applicable Assignment Schedule. 

“Personal Data” 

As defined in the Data Protection Act 1998 and/or The General Data Protection Regulations 2020. 

1.0. Introduction

1.1. These Standard Terms and Conditions of Business govern the provision of Recruitment Services by crooton Ltd to the Client. The terms and conditions should be read in conjunction with the Assignment Schedule. In the event of any conflict between these terms and conditions and the Assignment Schedule, the Assignment Schedule shall prevail.


2.0. Obligations of the Parties


2.1. Confidential Information (as defined): crooton Ltd and the Client agree they will take all reasonable steps to ensure Confidential Information is protected against unauthorised disclosure.

2.2. Future Roles: The Client acknowledges that Candidate applications, including their personal details contained within, are only to be used for the purposes of determining suitability for the vacancy they have applied for unless the Candidate has provided additional written consent that they may be contacted about future roles. 

2.3. Additional Assessment: crooton Ltd may ask some Candidates to undertake a pre-screening assessment based on Client Criteria. crooton Ltd and the Client undertake to process the results of any such assessment in accordance with data protection legislation. 

2.4. Pre-employment Screening: It is the responsibility of the Client to conduct and satisfy itself in respect of any relevant employment checks as required. crooton Ltd does not accept liability in relation to such checks.

2.5. Limitation of Liability: crooton Ltd will not be liable for any loss, expense, damage, delay costs or compensation (whether direct, indirect or consequential) which may be incurred by the Client arising from or in any way connected with the introduction of a Candidate or any other provision of the services.

2.6. Intellectual Property (as defined): The Client undertakes that they will not upload, post or otherwise make available any material protected by copyright, trademark or other proprietary rights without the express permission of the owner of the Intellectual Property. The Client acknowledges they will be solely liable for any damages resulting from any infringement of such Intellectual Property rights, or any other harm resulting from such a breach.

3.0. Personal Data

3.1. The nature of the service provision necessitates the Parties processing Personal Data as defined in the Data Protection Act 1998 and/or The General Data Protection Regulations 2020. The Parties agree that all such Personal Data will be properly obtained, recorded, used and disposed of in accordance with the provisions and safeguards of the Act. Further information in respect of the statutory obligations and responsibilities of the Parties is set out in the Data Protection Appendix; however, where the Client has any doubts as to their statutory obligations, they should seek professional advice.

4.0. Client Personal Data

4.1. In fulfilling the Assignment Schedule, crooton Ltd may process on behalf of the Client, any Personal Data the Client has provided. crooton Ltd will ensure all appropriate technical and organisational measures are taken to protect any Personal Data supplied against unauthorised or unlawful processing or accidental loss. The Client confirms that where necessary, they have obtained any appropriate consent from individuals in connection with the above before providing crooton Ltd with such Personal Data.

4.2. crooton Ltd seeks to maintain an enduring business relationship with each of its Clients. To this end, crooton Ltd may, from time to time, use the contact details the Client has provided to send invitations, marketing material, updates and other publications crooton Ltd feels may be of interest. Should any individual not wish to receive such information, crooton Ltd would ask that they notify their crooton contact.

5.0. Fees

5.1. Upon acceptance of a proposal provided by crooton Ltd., an invoice will be raised and submitted to the Client. The proposal shall become the Assignment Schedule and this, together with these Standard Terms and Conditions of Business, shall form the contract between the Parties.

5.2. crooton Ltd charges Fees based on the Product type and Volume of Products purchased (defined within the Assignment Schedule). Fees are exclusive of VAT which is payable at the current rate. These Fees will be detailed separately on the invoice.

5.3. Fees will become due within seven (7) days of the monthly invoice date. Fees are non-refundable and no claw-back on Fees charged will be offered as part of the service provided by crooton Ltd in the event any Candidate does not commence or remain in employment.

5.4. If Fees are not paid by the Client on or prior to the date they become due, crooton Ltd shall be entitled at its sole discretion to:

  1. Charge interest at a rate of 3% above the base rate of the Bank of England as applying from time to time, or, if higher, the rate prescribed in terms of the Late Payment of Commercial Debts (Interest) Act 1998, from the date for payment, until receipt by crooton Ltd of the full amount, whether or not after judgement and/or 
  2. Suspend the provision of the services (i.e., the delivery of potentially suitable Candidates for the vacancy) until such time as payment has been made.

6.0. Force majeure

6.1. crooton Ltd shall not be held responsible for any failure to fulfil its obligations for the provision of services if such failure has been caused (directly or indirectly) by circumstances beyond its control.

7.0. Third Parties 

7.1. No person other than the Parties to the Agreement, their respective successors and assignees, shall have the right to enforce any of the terms, pursuant to the Contracts (Rights of Third Parties) Act 1999 (or otherwise), except to the extent that the Assignment Schedule expressly provides.

8.0. Jurisdiction and Applicable Law 

8.1. The Parties irrevocably agree that this Agreement shall be governed by, and construed in accordance with, English law, and the Parties shall submit to the exclusive jurisdiction of the Courts of England in relation to any claim, dispute or difference concerning this Agreement and any matter arising from it.

9.0. Entire Agreement 

9.1. These Standard Terms and Conditions of Business, together with the Assignment Schedule, comprise the entire Agreement. If any clause within these terms and conditions of business proves to be unenforceable by law, the remaining clauses shall still have full effect. The Agreement supersedes all previous representations, warranties and terms relating to the service provision. Any amendments, additions or alterations to this Agreement shall not be effective unless agreed in writing.


Data Protection Appendix 


“Data Processing”
Any operation or set of operations performed upon Personal Data or sets of Personal Data 

“Data Subject”
Identified or identifiable living individual to whom Personal Data relates

“Data Controller”
Natural or legal persons, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of Personal Data

“Data Processor”
Natural or legal persons, public authority, agency or other body which processes Personal Data on behalf of the controller

“Personal Data”
Any information relating to an identified or identifiable living individual who can be identified directly or indirectly by reference to it:
This may comprise: name, personnel number, location data or on-line indicator, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual

“Special categories of Personal Data” (Sensitive Personal Data under DPA 1998)

  • Racial/Ethnic origin 
  • Political opinion 
  • Religious or philosophical beliefs 
  • Trade union membership 
  • Genetic data 
  • Biometric data 
  • Health 
  • Sex life/sexual orientation 

Similar safeguards apply to Personal Data relating to criminal convictions and offences. 

“Privacy Notice”
The information you supply to job applicants (and employees) about the processing of Personal Data. This must be concise, transparent, intelligible, easily accessible and written in clear and plain language. 

Data Protection Principles Under GDPR 

Lawfulness, fairness and transparency: Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject 

Purpose limitation: Personal Data must be collected only for specified, explicit and legitimate purposes 

Data Minimisation: Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed 

Accuracy: Personal Data must be accurate and, where necessary, kept up to date.

Storage Limitation: Personal Data which is kept in a form which permits identification of Data Subjects must be kept for no longer than is necessary for the purposes for which data is processed.

Integrity and Confidentiality: Personal Data must be processed in a manner that, through use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage 

Accountability: The data controller is responsible for and must be able to demonstrate compliance with the other data protection principles.

Data Subject Rights: 

  • Right to be informed 
  • Right to Be Forgotten 
  • Right of Access 
  • Data Portability 

Restricting Processing and Rectification:

  • Rectification 
  • Right to Object 
  • Right not to be subject to a decision based solely on automated processing (including profiling)

1.0. Introduction

1.1. This Data Protection Appendix constitutes the Data Processing Contract between the Data Controller (crooton Ltd.) and the Data Processor (the Client) and any Sub-Processor which the Client appoints to process Personal Data. Such a contract is required under the General Data Protection Regulations (GDPR) and requires the Data Processor to: 

  • Process Personal Data only on documented instructions from the Data Controller (including with regard to cross-border data transfers)
  • Impose confidentiality obligations on all personnel authorised to process Personal Data
  • Ensure the security of the Personal Data it processes
  • Adhere to rules regarding the appointment of sub-processors 
  • Implement measures to assist the Data Controller in complying with Data Subjects’ requests
  • Assist the Data Controller in ensuring compliance with data security requirements, taking into account the nature of processing and information available to the processors 
  • Upon request from the Data Controller, return or destroy the Personal Data at the end of the relationship 
  • Provide the Data Controller with information necessary for the Data Controller to demonstrate compliance with GDPR. 

1.2. As part of such a Contract, the Data Controller is required to set out:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing 
  • The type of Personal Data and the categories of Data Subjects
  • The obligations and rights of the Data Controller 

2.0. Rights and Obligations of the Data Controller

2.1. The Data Controller is responsible for ensuring the processing of Personal Data takes place in compliance with General Data Protection Legislation. 

2.2. The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of Personal Data.

2.3. The Data Controller shall be responsible for ensuring the processing of Personal Data which the Data Processor is instructed to perform, has a legal basis. 

3.0. Further Obligations of the Data Processor

3.1. The Data Processor shall insofar as possible, implement the following technical and organisational measures: 

  • Use a clear data collection notice for Candidates at the point of application with regard to how Personal Data will be used (Privacy Notice) 
  • Use email addresses in correspondence which clearly allow Data Subjects to apply their rights (of access, rectification and right to be forgotten) 
  • Not base shortlisting solely on automated processing 
  • Alert the Data Controller of any breaches within 24 hours.

4.0. Purpose of Processing

4.1. The purpose of the processing of the Data Subject’s (Candidate’s) Personal Data is to assess their suitability in relation to a job vacancy. The Data Controller, Data Processor (and any Sub-Processor) have relied on the Data Subject’s consent as the legitimate basis for processing their Personal Data. Such consent shall pertain to the processing of Personal Data (typically in the form of a CV or Application Form) in relation to their application for a job vacancy.

4.2. Personal Data shall typically comprise: Name, e-mail address, telephone number, address, employment history, skills, qualifications, date of birth, place of birth, and nationality. Special category data (for which an additional legitimate reason for processing is required) may include: ethnicity, disability (and any such reasonable adjustments).

5.0. Confidentiality

5.1. The Data Processor shall act in accordance with General Data Protection Regulations at all times and only allow such personnel under its authority, who have committed themselves to confidentiality, or who are under an appropriate statutory obligation of confidentiality and only on a “need to know” basis to process such Personal Data.

6.0. Security of Processing

6.1. The Data Controller shall evaluate the risks to the “rights and freedoms of natural persons” inherent in the processing and may implement such measures to mitigate those risks. Such measures may include – 

  • Pseudonymisation and encryption of Personal Data 
  • Assessing the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Assessing the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident 
  • Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. 

6.2. The level of security shall take into account that the processing involves Personal Data and associated employment history. With this in mind, crooton Ltd will provide a password-protected secure online system, to process Data Subjects. This data will be stored on secure servers based in the UK.

7.0. Commencement and Termination

7.1. This Contract shall become effective upon commencement of the Engagement and cease upon Dis-Engagement, as defined in the Assignment Schedule, or upon Dis-Engagement if the Assignment Schedule is terminated earlier, for whatever reason. Upon Dis-Engagement, the Data Processor acknowledges they shall be under obligation to delete all Personal Data processed and confirm to the Data Controller that they have done so. Where the Data Processor wishes to retain the Personal Data of the Data Subject for employment or in connection with future vacancies, they shall identify their own legitimate reason for processing, which shall be entirely separate from this contract.


8.0. Sub-Processors

8.1. Where the Data Processor engages a Sub-Processor to undertake specific processing activities, the same obligations as govern those of the Processor shall apply to the Sub-Processor. If the Sub-Processor does not fulfil the data protection obligations, the Data Processor shall remain fully liable as regards the of the Sub-Processor.

9.0. Assistance to the Data Controller in the Event of a Data Breach

9.1. Taking into account the nature of the processing and the nature of the data breach, the Data Processor shall assist the Data Controller in fulfilling their obligation to, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data breach to the competent supervisory authority (Information Commissioner’s Office), unless the Personal Data breach is unlikely to result in a risk to the “rights and freedoms of natural persons”.

9.2. Notify the Data Controller without undue delay of the breach in order that they may communicate the Personal Data breach to the Data Subject, when the Personal Data breach is likely to result in a high risk to “the rights and freedoms of natural persons”. 

9.3. Assist the Data Controller to fulfil their obligations to carry out an assessment of the impact of the breach upon the envisaged processing operations on the protection of Personal Data (a data protection impact assessment). 

9.4. Assist the Data Controller in their obligation to consult the competent supervisory authority (ICO) prior to processing where a data protection impact assessment indicates the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk. 

9.5. In particular, the Data Processor shall assist by providing the following information where possible:

  • The categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned 
  • The likely consequences of the Personal Data breach 
  • The measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.