Like most businesses, we hold and process a wide range of information, some of which relates to individuals who are applying to work for us. This notice explains the type of information we process, why we are processing it and how that processing may affect you. The notice focuses on individuals who are applying to work for us and the data we process as part of that process. This notice is set out in this document (the Core Notice) and the Supplementary Information in Annex 1 to this document. In the Supplementary Information, we explain what we mean by “personal data”, “processing”, “sensitive personal data” and other terms used in the notice.
In brief, this notice explains:
what personal data we hold and why we process it;
the legal grounds which allow us to process your personal data;
where the data comes from, who gets to see it and how long we keep it;
how to access your personal data and other rights;
how to contact us.
Personal data – what we hold and why we process it
Where the data comes from and who gets to see it
How long do we keep your personal data?
See Retaining your personal data – more information in the Supplementary Information.
Transfers of personal data outside the EEA
Your data rights
Status of this notice
Annex 1: Supplementary information What do we mean by “personal data” and “processing”?
“Personal data” is information relating to you (or from which you may be identified) which is processed by automatic means or which is (or is intended to be) part of a structured manual filing system. It includes not only facts about you, but also intentions and opinions about you.
Data “processed automatically” includes information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building, data on use of vehicles and sound and image data such as CCTV or photographs.
"Processing" means doing anything with the data. For example, it includes collecting it, holding it, disclosing it and deleting it. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by EU privacy law to be “sensitive personal data”.
References in this notice to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your potential employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of the notice.
Legal grounds for processing personal data
What are the grounds for processing?
|Term||Ground for processing||Explanation|
|Contract||Processing necessary for performance of a contract with you or to take steps at your request to enter a contract||This covers carrying out our contractual duties and exercising our contractual rights|
|Legal obligation||Processing necessary to comply with our legal obligations||Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination.|
|Legitimate Interests||Processing necessary for our or a third party’s legitimate interests||We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data. Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests, rights and freedoms.|
|Consent||You have given specific consent to processing your data||In general processing of your data in connection with employment is not conditional on your consent. But there may be occasions where we do specific things such as provide a reference and rely on your consent to our doing so.|
Processing sensitive personal data
If we process sensitive personal data about you (for example (but without limitation), storing your health records to assist us in ensuring that we provide you with a healthy and safe work workplace or processing personal data relating to diversity monitoring), as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing sensitive personal data applies. In outline, these include:
Processing being necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement;
Processing relating to data about you that you have made public (e.g. if you tell colleagues that you are ill);
Processing being necessary for the purpose of establishing, making or defending legal claims;
Processing being necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity;
Processing for equality and diversity purposes to the extent permitted by law.
Further information on the data we process and our purposes
|Purpose||Examples of personal data that may be processed||Grounds for processing|
|Recruitment||Standard data related to your identity (e.g. your name, address, email address, ID information and documents, telephone numbers, place of birth, nationality, contact details, professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information) language skills, and any other personal data that you present us with as part of your application related to the fulfilment of the role. Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks and any information connected with your right to work. If necessary, we will also process information concerning your health, any disability and in connection with any adjustments to working arrangements.||Contract. Legal obligation. Legitimate interests|
|Administering our recruitment process||Evaluating your experience and qualifications against the requirements of the position you are applying for. Administering our online careers portal. Communicating with you in respect of any offer of employment we choose to make and providing you with information about our onboarding process.||Contract. Legal obligation. Legitimate interests|
|Entering into a contract with you (if you are made an offer by us)||Information on your terms of employment from time to time including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance; and any bonus or share schemes.||Contract. Legal obligation. Legitimate interests|
|Contacting you or others on your behalf||Your address and phone number, emergency contact information and information on your next of kin.||Contract. Legitimate interests|
|Payroll administration||Information on your bank account, pension contributions and on tax and national insurance. Your national insurance number or other government issued identifier.||Contract. Legal obligation. Legitimate interests|
|Financial planning and budgeting||Information such as your proposed salary and (if applicable) envisaged bonus levels.||Legitimate interests|
|Physical and system security||Photographic image upon attendance for interview at our premises.||Legitimate interests|
|Providing information to third parties in connection with transactions that we contemplate or carry out||Information on any offer made to you and your proposed contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer.||Legitimate interests|
|Monitoring of diversity and equal opportunities||Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age as part of diversity monitoring initiatives. Such data will aggregated and used for equality of opportunity monitoring purposes. Please note we may share aggregated and anonymized diversity statistics with regulators if formally required / requested.||Legitimate interests|
|Disputes and legal proceedings||Any information relevant or potentially relevant to a dispute or legal proceeding affecting us.||Legitimate interests. Legal obligation|
Where the data comes from
Who gets to see your data?
Where necessary and as set out this privacy notice, your personal data will be disclosed to relevant managers, the People Team and administrators for the purposes of your application as mentioned in this document. We will also disclose this to other members of our group where necessary for decision making regarding your application – this will depend on the type of role you are applying for.
We will only disclose your personal data outside the group if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you. We will disclose your data if it is necessary for our legitimate interests as an organisation or the interests of a third party (but we will not do this if these interests are over-ridden by your interests and rights in particular to privacy). Where necessary, we will also disclose your personal data if you consent, where we are required to do so by law and in connection with criminal or regulatory investigations.
Specific circumstances in which your personal data may be disclosed include:
Disclosure to organisations that process data on our behalf such as our payroll service, insurers and other benefit providers, our bank and organisations that host our IT systems and data. This would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process;
To third party recruitment consultants and similar businesses (including online recruitment portals) as a part of the recruitment process;
Disclosure of aggregated and anonymised diversity data to relevant regulators as part of a formal request (see above).
If there was any need to get background checks we would use an external company.
Retaining your personal data – more information
Transfers of personal data outside the EEA – more information
In connection with our business and for employment, administrative, management and legal purposes, we will where necessary and as set out in this privacy notice transfer your personal data outside the EEA to members of our group and data processors in other jurisdictions in which we are established. We will ensure that any transfer is lawful and that there are appropriate security arrangements. In relation to intra-group transfers, the members of the ustwo group of companies have entered into agreements ensuring appropriate and suitable safeguards with our controllers/processors outside the EEA. These are in standard terms approved by the European Commission. If you wish to see details of these safeguards, please email firstname.lastname@example.org. A list of data recipients who receive material amounts of personal data and are located outside of the EEA is set out in Annex 2 - Extra-EEA Third Party Processors.
Access to your personal data and other rights
We try to be as open as we reasonably can about personal data that we process. If you would like specific information, just ask us. You also have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:
Giving you a description and copy of the personal data
Telling you why we are processing it
If you make a subject access request and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity. As well as your subject access right, you may have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller. This only applies if the ground for processing is Consent or Contract. If we have relied on consent as a ground for processing, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.
UK Data Protection Bill Policy
Status of this notice
Annex 2 – Extra-EEA Third party processors
As indicated above, we may transfer your personal data outside the EEA in countries which do not have data protection laws equivalent to those applicable in the EEA. This transfer is covered by model clauses approved by the European Commission.
The transfer of personal data to recipients based outside of the EEA is carried out in connection with our business and for employment, administrative, management and legal purposes.
List of data recipients located outside the EEA:
|ustwo Studio Inc, 26 Broadway, 16th Floor, New York, NY, 10004||US|
|ustwo Studio Pty, 118 Commonwealth St, Sydney, NSW, 2010||Australia|