NOTICE OF PRIVACY AND PROCESSING OF CANDIDATE PERSONAL DATA
Carl Stuart Ltd. is committed to complying with data protection legislation, including the data protection regime introduced by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”). This Notice of Privacy and Processing of Candidate Personal Data (the “Candidate Privacy Notice”) describes the “personal data” (as defined in the GDPR) that we collect about our Candidates (the “Candidate Data”) when they apply for a job at Carl Stuart, what we do with that information, and what rights apply to candidates who are covered by the GDPR (the “Candidate(s)”).
1. WHO IS RESPONSIBLE FOR THE PROCESSING OF CANDIDATE DATA?
Carl Stuart is the so-called “Data Controller,” which decides why and how Candidate Data is collected and processed when Candidates apply for a job at Carl Stuart.
2. WHAT TYPE OF CANDIDATE DATA DO WE COLLECT, AND HOW IS IT COLLECTED?
For prospective, current, and former Candidates, at the start of the application process, we typically collect:
Basic identification and contact information (e.g. full name, phone number, email).
Education (e.g. university attended) and current employer.
CV / resume, which typically describes professional experiences, qualifications, education, and other information that the Candidate voluntarily includes.
Information regarding how the Candidate heard of the position.
Country the Candidate is applying from, a representation that they are legally authorised to work in the country where the position is based, and whether the Candidate needs sponsorship for employment visa status.
Optional links to the Candidate’s professional profile / page (e.g. LinkedIn URL, GitHub URL, Portfolio URL).
Responses to application questions, such as: What has been your favourite project or proudest accomplishment? Why? Why do you want to work at Carl Stuart?
Optional additional information that the Candidate voluntarily provides.
Depending on the role, we may request information on language skills, a cover letter, sample of work, or engagement in various testing activities prior to interview.
In some cases, usually where Candidates volunteer it, the personal data that we process will also include special categories of data, such as diversity-related information (including data about racial and ethnic origin, religious beliefs and other beliefs of a similar nature) and health related data (including data about any disabilities).
If a Candidate is selected for an interview and requests an accommodation during the interview process, we may also collect health related data as provided by the Candidate (including data about any disabilities) in connection with the accommodation request.
If a Candidate advances in the application process, we will usually collect additional information about the Candidate during the interview process, such as:
Additional education and employment information (e.g. employment dates with a Candidate’s current / prior employers, positions held, etc.).
Interview performance evaluation and scores / assessments from testing conducted as part of the interview process.
Language skills or areas of expertise and interest.
Information relevant to arranging Candidate travel to Carl Stuart offices, if needed for interview purposes.
Other information that Candidates choose to disclose during the interview process.
Information submitted as part of the application process, which includes any assessments and interviews, must be true, accurate, complete, and not misleading. Any false or misleading statements or omissions made by Candidates during the application process may be sufficient cause to justify the rejection of a Candidate’s application or, if the Candidate has already become an employee, the immediate termination of employment, in accordance with applicable law.
If a Candidate successfully completes the interview process and accepts an offer of employment from Carl Stuart, then, prior to the start of their employment, we will collect additional Candidate Data (e.g., data to verify work eligibility, data regarding alleged or proven criminal offenses, to the extent permitted by applicable law). Additional information about this process will be provided to individuals who receive and accept an offer of employment from Carl Stuart.
In some cases, the personal data we collect from Candidates is needed to meet our legal or regulatory obligations. If so, we will indicate that the provision of this information is mandatory.
Additionally, as part of the recruitment and application process, Carl Stuart may also collect Candidate Data indirectly from third parties, such as:
Recruitment agencies that Candidates use to apply to Carl Stuart.
Personal referrals submitted by Candidates.
Publicly available sources such as business- and employment-oriented social networking services and job boards where Candidates may post their information.
Paid and unpaid recruiting services used to obtain Candidate contact information in connection with recruiting efforts.
Background check providers (if Candidates receive and accept an offer of employment from Carl Stuart).
3. WHAT DO WE USE CANDIDATE DATA FOR?
We process Candidate Data in order to:
undertake recruitment activities, such as determining the suitability of a Candidate’s qualifications, checking for existing or potential conflicts of interest or any other restrictions which may otherwise restrict or prevent a Candidate’s employment with Carl Stuart;
undertake business management/security and employment planning activities, where permitted;
reply to official requests from a public or judicial authority with the necessary authorisation;
plan, prepare for and implement any future merger, acquisition, divestiture, restructuring, reorganisation, dissolution or other sale or transfer of some or all of Carl Stuart’s assets, in which Candidate Data is among the assets transferred; and
comply with any legal obligations imposed on Carl Stuart in relation to its recruitment practices and record retention obligations.
4. WHAT’S THE LEGAL BASIS FOR WHY WE USE CANDIDATE DATA?
We are not allowed to process Candidate Data if we do not have a valid legal basis. Therefore, we will only process Candidate Data if:
the processing is necessary for Carl Stuart’s legitimate interests, and does not unduly affect a Candidate’s interests or fundamental rights and freedoms (see below);
the processing is necessary to perform our contractual obligations towards a Candidate, or to take agreed upon pre-contractual steps, such as preparing documentation for a Candidate following a decision to make an offer of employment;
the processing is necessary to comply with our legal or regulatory obligations;
the processing is necessary to protect the vital interests of the relevant individual or of another natural person, such as providing disability access to Carl Stuart premises for interviews where applicable;
the processing is necessary for the performance of a task carried out in the public interest; or
in some cases, and if requested from Candidates from time to time, we have obtained Candidate prior consent.
Examples of the “legitimate interests” referred to above are:
to benefit from cost-effective services (e.g. we may opt to use certain IT platforms offered by suppliers);
to determine whether a Candidate or potential Candidate’s skills and experience are suitable for a role within Carl Stuart, and determine whether or not to (i) make an offer of employment with Carl Stuart; or (ii) approach a Candidate with a view to making an offer of employment with Carl Stuart, on this basis;
at the appropriate stage in the recruitment process (i.e. as part of making an offer of employment), to verify the accuracy of information provided to us as part of an application, including through background screening if and when an offer of employment is made and accepted;
to prevent fraud or criminal activity, misuse of our products or services, as well as to ensure the security of Carl Stuart IT systems, architecture, networks and premises;
to otherwise exercise our fundamental rights to property and to operate a business under articles 16 and 17 of the EU’s Charter of Fundamental Rights; and
to meet our corporate and social responsibility objectives.
To the extent that we process any special categories of personal data relating to Candidates, we will do so because:
the processing is necessary to carry out our obligations under employment, social security, or social protection law;
the processing is necessary for the establishment, exercise, or defense of a legal claim;
the processing is necessary for reasons of substantial public interest; or
the Candidate has given explicit consent to us to process that information (where legally permissible).
5. HOW DO WE PROTECT CANDIDATE DATA?
All Carl Stuart personnel accessing Candidate Data must comply with our internal rules and processes in relation to the processing of that data, to protect it and ensure its confidentiality. Carl Stuart Personnel are also required to follow the technical and organisational security measures put in place to protect Candidate Data.
We have also implemented technical and organisational measures to protect Candidate Data against unauthorised, accidental, or unlawful destruction, loss, alteration, misuse, disclosure, or access and against all other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing, and the nature of the Candidate Data, with particular care for sensitive personal data.
6. WHO HAS ACCESS TO CANDIDATE DATA AND WITH WHOM IS IT SHARED?
6.1 WITHIN Carl stuart
We make Candidate Data available to appropriate Carl Stuart personnel to complete the purposes indicated in section 3 above.
6.2 OUTSIDE Carl stuart
We usually also transfer relevant Candidate Data to third parties outside Carl Stuart to complete the purposes listed in section 3 above, including:
third party service providers, such as our recruiting platform provider, our hosting providers, cloud service providers, database providers, vendors who manage online testing as part of the interview process, and if a Candidate receives and accepts an offer of employment, then also to a third party who carries out pre-employment checks on prospective employees. Carl Stuart works to ensure that these service providers are contractually obligated to protect Candidate Data;
any national and/or international regulatory, enforcement or exchange, body or court where we are required to do so by applicable laws or regulations or at their request;
any central or local government department and other statutory or public bodies, where required by applicable laws or regulations;
to a buyer or other successor in the event of a merger, acquisition, divestiture, restructuring, reorganisation, dissolution or other sale or transfer of some or all of Carl Stuart’s assets, in which Candidate Data is among the assets transferred; and
any other legitimate recipient of communications required by applicable laws or regulations.
6.3 TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
The Candidate Data transferred within or outside Carl Stuart as set out in sections 6.1 and 6.2 above, is in some cases also processed in a country outside the EEA, which covers the EU member states, Iceland, Liechtenstein and Norway.
If Candidate Data is transferred outside the EEA, we will put in place suitable safeguards to ensure that such transfer is carried out in compliance with applicable data protection laws and regulations. To ensure this level of protection for Candidate Data, Carl Stuart may use a data transfer agreement with the third-party recipient based on standard contractual clauses approved by the European Commission or ensure that the transfer is to a jurisdiction that is the subject of an adequacy decision by the European Commission or to the US under the EU-US Privacy Shield framework. Where Carl Stuart transfers Candidate Data to other group companies, we rely on the standard contractual clauses approved by the European Commission. Candidates may request additional information about the relevant safeguards by exercising their rights as set out below.
7. HOW LONG DO WE STORE CANDIDATE DATA?
When applying for a job at Carl Stuart, Candidates are asked whether they would like to be contacted about future job opportunities with Carl Stuart, for up to three (3) years. This is voluntary, and Candidates are not required to agree to this. Further, a Candidate’s response to this question will not impact Carl Stuart’s consideration of the Candidate for the position to which he/she is currently applying.
If a Candidate voluntarily indicates that Carl Stuart may contact him/her about future job opportunities, then Carl Stuart will retain the Candidate Data in order to contact the Candidate about potentially suitable job opportunities for up to three (3) years. The Candidate may revoke his/her consent at any time.
If a Candidate does not indicate that Carl Stuart may contact him/her about future job opportunities, or if a Candidate revokes his/her consent, then Carl Stuart will retain the Candidate Data for only as long as necessary to fulfill the purpose for which it was collected or to comply with applicable legal, regulatory or internal policy requirements. In general, although there may be limited exceptions, Carl Stuart will keep Candidate Data for unsuccessful Candidates who do not request to be contacted for future job opportunities for 6 months to 1 year, following communication of the decision that the Candidate’s most recent application is unsuccessful. The exact length of time will vary by jurisdiction and individual circumstances. If Candidates wish to have their personal data, including contact information, removed from our databases, they can inform their Recruiter and/or make a request as described in section 8 below, which we will review as set out therein.
Data relating to successful Candidates who accept employment with Carl Stuart, is dealt with by the employee privacy notice that will be provided upon joining Carl Stuart.
8. WHAT ARE CANDIDATES’ RIGHTS AND HOW CAN THEY EXERCISE THEM?
8.1 CANDIDATES’ RIGHTS
Candidates have a number of rights in respect of Candidate Data. Details of those rights can be found in Carl Stuart’s Privacy and Security Statement here: https://www.carlstuartbespoketailor.com/privacy
8.2 CANDIDATES WHO WISH TO EXERCISE THEIR RIGHTS
To exercise the above rights, Candidates may send an email to email@example.com.
If a Candidate makes the above request and is not satisfied with Carl Stuart’s response, he or she has the right to make a complaint to the data protection authority in the jurisdiction where the Candidate lives or works, or in the place where the Candidate thinks an issue in relation to his or her personal data has arisen.
9. UPDATES TO THIS PRIVACY NOTICE
This Candidate Privacy Notice was last updated in May 2018. It may be subject to amendments. Any future changes or additions to the processing of Candidate Data as described in this Candidate Privacy Notice will be communicated to Candidates through an appropriate channel.
10. DATA PROTECTION OFFICER
Given the nature of Carl Stuart’s business model, we do not employ a Data Protection Office (DPO). However, should you have questions related to the subject of data protection, please send them to the email address provided in Section 8.2.