AESC Code of Conduct on Data Protection

I. The Retained Executive Search Profession and the Processing of Personal Data

The information contained in this section aims to help AESC member firms understand and comply with the laws governing data privacy currently in effect around the world.

Retained executive search consulting is recognized as a high level professional service, which performs a critical consulting role to client organizations and is integral to the working of an effective labour market for senior management. Competitive economies today rely upon a free and mobile market for executive talent and therefore a free flow of their personal data, provided that fair practice principles are safeguarded.

A key reason for employing a retained executive search firm is that many of the best candidates for top management positions are not active job seekers and do not respond to advertisements, and in order for their interest to be raised an individual approach must be made to them. This process presupposes considerable research in the executive marketplace, due diligence on candidates and a highly confidential approach to the processing of data associated with the assignment .

For that reason the AESC strives to establish and promote the highest professional and ethical standards for the profession.

II. The Collection of Personal Data Throughout the Executive Search Process

In order to conduct an effective search assignment a search firm will proactively contact senior executives and sources in its research and networking efforts and therefore acquire and process new data rather than just rely on existing databases.

Sourcing involves contacting relevant individuals who may be willing to suggest and comment on leading executives in their particular field. Such sources may be found among professional service firms, industry associations, trade journalists as well as executives operating in that field or through the executive search firms' own databases.

Although the search firm has no contractual relationship with the senior executive it is in the interests of the search firm to maintain the highest standards of honesty, confidentiality and consideration when dealing with them. Otherwise the latter would not share his own confidential career aspirations, comments on other executives, or his knowledge of the marketplace - all which are critical pieces of information in the executive search process.

Thus search firms do not reveal sources of their information (without prior permission) nor do they divulge a candidate's personal information (other than that publicly available) to a client without the candidate's prior awareness and consent. Such information is considered highly confidential, proprietary material of the executive search firm and it would be a complete breach of trust if such information were made available to third parties without the consent of the candidate or if it were to be used for purposes other than executive search.

In addition to the proactive collection of data by search firms many executives send unsolicited career resumes and CVs to search firms for inclusion in their files or submit this data to them on-line via the search firm's website. They do so with the expectation that the search firm will refer to these files when conducting assignments. Executives are thus willing sharers of information with executive search firms but nevertheless expect the very highest standards of confidentiality from them. If there is no assignment currently available, which is of interest to them, then most will be content for the firm to retain their details for reference against other opportunities that may arise. Most will also willingly update their details held by a search firm in order to keep their file current.

During the process of qualifying and interviewing a senior executive in connection with a specific recruiting assignment further information will be added to the executive's file to assist the evaluation of the candidate against the requirements of the position, and as appropriate such information will be shared with the client.

III. Data Privacy Principles and Laws

An increasing number of national governments have passed data privacy legislation, which affects the executive search profession.

Although many aspects of data privacy and confidentiality issues are already covered by the AESC Code of Conduct and Professional Practice Guidelines, the AESC nevertheless encourages executive search firms to check whether their practices also comply with applicable national data privacy legislation affecting their national/international operations.

The most detailed data privacy legislation has been enacted by the European Union (EU), Canada and Australia. In the USA, aspects of data privacy are covered by the Fair Credit Reporting Act and the Californian Fair Information Practice Principles (see below for details on this legislation). Such legislation is essentially based upon the following principles:

  • Information definition
  • Collection based on specific purpose and intent
  • Accessibility by the data subject
  • Opt in/opt out measures
  • Limitation on data retention
  • Data accuracy
  • Data security safeguards
  • Accountability

III.a. Data Protection and Executive Search in Europe

EU data privacy legislation was first introduced in the EU as a whole in 1995 under EU Directive 95/46. This directive became law within the 15 member states in October 1998. The law is enforced by the 15 national Data Protection Authorities who may employ sanctions ranging from significant fines to injunctions to stop processing data until data protection regulations are complied with.

III.a.1 Obligations on executive search firms operating in the EU

Under the EU Data Protection legislation, when processing personal data in the EU, executive search firms should assure senior executives that:

  • Their personal data is being collected and processed for specified, explicit and legitimate purposes, determined at the time of collection. For instance for the purpose of executive search activity
  • Their personal data will only be processed provided that they have given their consent.
  • The personal data collected is adequate, relevant and not excessive in relation to the purpose for which it is collected
  • They will not process sensitive data, such as that related to ethnic origin, political beliefs, health or sexual preference, unless it is relevant for a specific assignment and that they have given their explicit consent
  • Their personal data will be accessible and processed in strict confidentiality by authorized staff within the firm
  • They will take all necessary steps to keep the data accurate and up to date
  • Their personal data is not kept longer than necessary in view of the purpose of the processing
  • Their personal data will only be transferred to their clients provided that the senior executive has given unambiguous consent
  • They will take appropriate state-of the art technical and organizational security measures to protect personal data against accidental or unlawful destruction, accidental loss, improper alteration, or unauthorized disclosure or access
  • Their clients acknowledge that they will adhere to privacy and confidentiality standards equivalent to theirs.

III.a.2. Rights of the Senior Executive

When giving consent to personal data collection, the senior executives should be informed of:

  • The purpose of the personal data processing
  • Categories of recipients to whom the data may be disclosed during the search process

In addition, executive search firms should inform and grant senior executives the following rights:

  • To obtain upon request a copy of all data relating to them, provided that the rights and legitimate of other individuals (e.g. reference sources) are not adversely affected.
  • To correct and update their data
  • To request no further contact from the executive search firm
  • To request the complete deletion of their personal data

III.a.3. Personal Data transfer outside the EU and executive search

As client companies expand into new markets and as globalization becomes a key strategic focus, the need to identify executives with international experience is more pressing and there is a strong demand for expatriate managers who are willing to relocate to another country. In addition, an increasing number of senior executives are internationally mobile and a significant percentage of search projects involve cross-border work. Executive search firms make an important contribution to this process and logically operate internationally with offices in different parts of the world organized in industry practices so that they can serve international corporations, which are their major clients. Many large executive search firms have invested heavily in technological infrastructure, which has allowed them to establish secure wide area networks to share information within their own firm. Typically, all the offices of an international search firm abide by the same code of ethics with regard to confidentiality of information.

According to the EU data privacy directive personal data cannot be transferred outside the EU to countries which do not provide adequate levels of protection (click here to view the list of countries with adequate level of protection).

However the Directive allows for exceptions.

For instance personal data can lawfully be transferred to third countries, which do not guarantee satisfactory protection if:

  • The senior executive has given unambiguous, freely given and informed consent for their personal data to be "exported" outside the EU
  • USA recipients of European personal data register with the US Department of Commerce and adhere to the "safe harbour scheme" aimed at fulfilling the adequacy requirements of Article 25 of the EU Directive.
  • Non EU recipients negotiate specific contracts with European counterparts to comply with the EU legislation, as allowed under Article 26(2)
  • An executive search firm develops its worldwide binding Corporate Rules for international transfer, which comply with the EU privacy legislation. That option is still at the consultation stage though and has not yet been decided upon by the EU

III.a.4. AESC Code of Conduct.

The AESC is currently developing and negotiating at the EU level (EU Working Party 29) its own Code of Conduct reflecting specific aspects of the executive search profession. The draft code provides standards with regard to the processing of personal data on senior executives - such data being fundamental to the performance of retained executive search activity and, if approved with the EU will be an adjunct to the AESC Code of Ethics and Professional Practice Guidelines.

For further information, please contact:

Mr. Peter Felix, President AESC, Tel: 646-757-5490 Email:

IV. Further Information

Data Privacy and Executive Search in the USA

Fair Credit Reporting Act

California Office of Privacy Protection

This page contains links to some of the major privacy protection laws at the State and federal level.

U.S. Department of Commerce: Safe Harbor

The "safe harbor" framework is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws.

Data Privacy and Executive Search in Australia

Australian Federal Privacy Law

This page consolidates the legislation, regulations, codes, determinations and guidelines which affect private sector business, health service providers and Commonwealth and ACT government agencies.

Data Privacy and Executive Search in Canada

Office of the Privacy Commissioner of Canada

The Office of the Privacy Commissioner of Canada has gathered useful information to help businesses learn how they can comply with the Personal Information Protection and Electronic Documents (PIPED) Act.

National Data Protection Authorities throughout the World and Other Useful Links

National Data Protection Commissioners

List of National Data Protection Commisioners throughout the World.

A global information resource on consumers, commerce and data privacy worldwide.

Morrison & Foerster, LLP

Legal updates in the Privacy arena.

Return to Industry Standards menu.