Candidate and Applicant Privacy Notice

SmartComms SC Limited and its group companies (collectively “Smart Communications”, “we”, “us” and “our”) has issued this policy (hereafter “Privacy Notice”)

This notice provides information to candidates for employment with one of our companies, pursuant to the following data protection and privacy laws, as applicable:

  • General Data Protection Regulation ((EU) 2016/679) as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”);
  • the EU’s General Data Protection Regulations (EU Regulation 2016/679) (“GDPR”);
  • the UK’s 2018 Data Protection Act (DPA 2018) (DPA 2018);
  • Federal Data Protection Act in Germany (“BDSG”);
  • the Swiss Federal Act on Data Protection and the Swiss Ordinance to the Federal Act on Data Protection (together the “Swiss DPA”)
  • the California Consumer Privacy Act of 2018 (“CCPA”);
  • any laws or regulations ratifying, implementing, adopting, supplementing or replacing such legislation in each case to the extent in force and as updated, amended or replaced from time to time; and
  • any further applicable data protection laws.

 

Pursuant to applicable data protection laws, we are a “data controller” and we collect, store, hold, process, use, record, consult, disclose, erase, make decisions based upon, destroy and in some instances, transmit personal data about you as a job applicant or candidate for a role at Smart Communications (together these activities are referred to as “Process”, “Processed” or “Processing”).

Pursuant to the CCPA, we are the “Business” and you are the “Consumer”.

For the purposes of this Privacy Notice, we will refer to you as the “Data Subject” in relation to compliance with the laws referenced above.

This Privacy Notice sets out the information that must be provided by us to you at the time your personal data is obtained. We are making you aware of our Privacy Notice because you are applying to or have expressed an interest in working with us (whether as an employee, worker or contractor).

COMPLIANCE WITH THE CCPA:

Pursuant to title 1798.100(b) of the CCPA, this Privacy Notice is intended to inform you about (i) the categories of “Personal Information” which we collect and (ii) the purposes for which we collect such Personal Information.

Categories:

  1. Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Customer records information: None
  3. Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, veteran status, age
  4. Commercial information: None
  5. Biometric information: Only if provided by candidate on Application – e.g. Photograph
  6. Internet or other electronic network activity information: None
  7. Geolocation data: None
  8. Audio, electronic, visual, thermal, olfactory, or similar information: None
  9. Professional or employment-related information: Professional qualifications obtained; institutions attended; dates of attendance at Institutions and dates the qualifications were awarded; employment history including previous employers and dates of employment.
  10. Education information: Education history; educational attainments and qualifications obtained; institutions attended; dates of attendance at educational institutions
  11. Inferences: None

 

COMPLIANCE WITH APPLICABLE DATA PROTECTION LAWS:

This Privacy Notice concerns your personal data and special categories of data, together referred to as “Data” in the Privacy Notice which is obtained during the recruitment or selection process. This Privacy Notice describes how we collect and use Data about you and gives examples of the types of Data we hold, Processing activities and the justifications for that Processing.

This Privacy Notice will only apply to the extent that it is consistent, or can be made consistent, with that local guidance from time to time

This Privacy Notice does not form part of any contract of employment or other contract to provide services.

It is important that you read this Privacy Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing Data about you, so that you are aware of how and why we are using such information. If you require any additional information relating to this policy or the Organisations’ Data Protection Policy please email [email protected]

DATA PROTECTION PRINCIPLES

We will comply with data protection law and principles, which means that your Data will be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely

 

The types of Data we hold about you

In connection with your application for work with us, we shall collect, store, Process and use the following categories of personal data about you:

  • The information you have provided to us in your curriculum vitae and covering letter.
  • The information you have provided on our application form, including (if applicable) name, title, address, telephone number, personal email, address, date of birth, gender, employment history, qualifications, reference information, work status, visa requirements.
  • Any information you provide to us during an interview.
  • Any information you provide to us or the results of any pre-employment testing process.
  • Any information you provide to us, as permitted by applicable data protection law.

 

Germany, Switzerland and Austria

  • The results of any employment screening process, as permitted by applicable data protection law and employment law, including address history, credit checks (“Betreibungsregisterauszug” or “SCHUFA Auszug”), visa requirements, eligibility to work, education history, employment history including salary and dates of employment, reason for leaving, dates employed and position whilst employed, and supporting documents and documents that you provide that verify any gaps in your employment history and any other Data you make available.
  • Proof of eligibility to work in the country that you have applied.

 

As a general rule, we try not to collect or process any special category Data about you, unless authorized by law or where necessary to comply with applicable data protection laws. However, in some circumstances, we shall need to collect, or request on a voluntary disclosure basis, some special category Data for legitimate employment-related purposes, as permitted by applicable law.

We shall collect, store and use the following special categories of more sensitive Data:

  • Information about your race, ethnicity and gender
  • Information about your health, including any medical condition
  • Information about criminal convictions and offences relevant to the job position (in accordance with applicable data protection law)

 

All roles at Smart Communications, and the Services we supply to our customers ,require a high degree of trust and integrity since it involves dealing with highly regulated industries such as Investment banks and Financial Institutions. In addition our compliance accreditations are critical to be able to provide services to our customers on our cloud platform. To ensure compliance with our legal obligations derived from applicable data protection laws and – as applicable – our customer obligations and our key accreditation bodies any roles with access to Smart Communications or Smart Communications’ Source Code; any roles with access to our customer’s data; any roles with access to our customer’s live systems and any employees with access to the Company’s Financial Information; are all required to complete background screening prior to being provided with access to our IT systems as permitted under applicable data protection laws.

All other locations

Such Data may include: name, title, address and address history, telephone number, personal email, date of birth, gender, employment history including salary and dates of employment, reason for leaving, dates employed and position whilst employed, qualifications, reference information, work status, visa requirements, eligibility to work, address history, education history, identification number, credit status and supporting documents for example, a copy of your government issued ID; certificates showing professional qualifications; documents that you provide that verify any gaps in your employment history and any other Data you make available. We may also collect, store and use the following special categories of more sensitive Data:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
  • Information about your health, including any medical condition, health and sickness records
  • Information about criminal convictions and offences

 

As a general rule, we try not to collect or process any special category Data about you, unless authorized by law or where necessary to comply with applicable data protection laws. However, in some circumstances, we may need to collect, or request on a voluntary disclosure basis, some special category Data for legitimate employment-related purposes.

How do we collect your Data?

Data is collected directly through you or from an employment agency, jobsite or background check provider. We shall sometimes collect additional information from third parties including former employers or credit reference agencies.

We shall collect Data about candidates from the following sources:

  • You, the candidate
  • Recruitment agency(ies) (only where the agencies have obtained your consent to pass on your application for employment purposes)
  • HireRight background check provider, as permitted under applicable data protection laws
  • Publicly accessible sources for example your LinkedIn Profile, Facebook and Twitter profile, as permitted under applicable data protection
  • Your named references
  • Disclosure and Barring Service/Conduct Search, as permitted under applicable data protection law.

 

Change of Purpose

We will only use your Data for the purpose for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purposes. If we need to use your Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may also process your Data without your knowledge or consent, in compliance with the above rules, where this is permitted or required by law.

Purpose of Processing your Data

Under applicable data protection laws, these purposes illustrate our “Lawful Basis” of Processing.

For the purpose of the CCPA, the list below sets out our purposes for collecting your Personal Information.

We will use the Data we collect about you to:

  • Assess your skills, qualifications, and suitability for the work or advertised role
  • Carry out background and reference checks, as permitted by applicable data protection laws
  • Assess your right to work in the country where you have applied for in compliance with immigration rules
  • Communicate with you about the recruitment process
  • Keep records related to our hiring or recruitment processes
  • Carry out data analytics including the profiles of those applying for roles with us. (In such case Smart Communications will be the Controller as defined under applicable data protection law).
  • Comply with legal or regulatory requirements for example comply with the duty to make reasonable adjustments for disabled job applicants and with other disability discrimination obligations
  • Comply with specific regulatory requirements of our customers, as permitted by applicable laws
  • Manage the recruitment process, and ensure effective HR, personnel management and business administration
  • Monitor equal opportunities (In such case Smart Communications will be the Controller as defined under applicable data protection law)
  • Enable us to establish, exercise or defend possible legal claims,

 

Under data protection laws, data controllers have to explain how Data about Data Subjects is used because they can only use Data when they are permitted to do so by law. Data controllers will be permitted to use Data by law when they can establish a “Lawful Basis” in accordance with applicable data protection law (a lawful basis is not, however, required for the purposes of the Swiss DPA). The Lawful Basis relevant for Processing Data about you in the recruitment context is that:-

  • It is necessary for the purposes of legitimate interests pursued by us or by a third party and your interests or your fundamental rights and freedoms do not override our interests. It is in our legitimate interests to decide whether to appoint you to the role or provide you with work since it would be beneficial to our business to appoint someone to that role or work.
  • It is necessary for entering into a contract with a Data Subject. We need to process your Data to decide whether to enter into a contract of employment or work with you.

 

Having received your CV and covering letter we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role or work. If we decide to offer you the role or work, we will then take up references, carry out a criminal record check and/or carry out any other relevant checks before confirming your appointment, to the extent permitted by law.

If the collection of any of your Data is not mandatory (for example, where we collect information on a voluntary disclosure basis for equal opportunities monitoring), and provided that the applicable law allows for it, we will let you know this before we collect it, as well as the consequences of failing to provide us with this information (if any).

If you fail to provide Data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history) and in compliance with applicable law, we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

Why and how we use Special Categories of Data:

We will only collect and use your special category data, which includes information about criminal convictions and offences, when the law allows us to do so.

Some special category Data e.g. information about your health, and information about criminal convictions and offences, is processed so that we can perform or exercise our obligations or rights under employment law and in line with our data protection policies.

The purposes for which we are processing, or shall process, health information and information about any criminal convictions and offences, are to:

  • assess your suitability for employment or engagement
  • comply with statutory and/or regulatory requirements and obligations, e.g. carrying out criminal record checks
  • comply with specific regulatory requirements of our customers
  • comply with the duty to make reasonable adjustments for disabled job applicants and with other disability discrimination obligations
  • ensure compliance with your statutory rights
  • ascertain your fitness to work
  • ensure effective HR, personnel management and business administration
  • ensure meaningful equal opportunity monitoring and reporting.

 

Where Smart Communications processes other special categories of Data i.e. information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities monitoring in recruitment and in line with our data protection policy and applicable data protection law.

Where appropriate and permitted under applicable laws, we will collect information about criminal convictions as part of the -background/screening process or we will be notified of such information directly by you in the course of you working for us.

Data that Smart Communications uses for these purposes is either anonymised or is collected with your explicit written consent, which can be withdrawn at any time. It is entirely your choice whether to provide such personal information. In such case Smart Communications will be the Controller as defined under applicable data protection law.

In accordance with applicable data protection laws, we request relevant information about your criminal convictions history if we would like to offer you the work or role (conditional on checks and any other conditions, such as references, being satisfactory). We are required to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular:

All roles at Smart Communications and the Services we supply to our customers require a high degree of trust and integrity since it involves dealing with highly regulated industries such as Investment banks and Financial Institutions and so we would like to ask you about existing job- and/or role-relevant criminal convictions and – as permitted by applicable law – to provide a copy of your criminal records history.

Automated DecisionMaking:

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Transferring Data to a Third Party:

Why will we share your Data with third parties?

We take precautions to allow access to applicant Data only to Smart Communications employees and third parties who have a legitimate purpose for access and who require such access to perform their job duties.

We shall as part of the recruitment or selection processes share your Data with the following third parties, provided that applicable law allows us to do so:

  • Parent, Associated Employers or Group Companies
  • Legal representatives
  • Regulators and professional bodies
  • Recruiters or reference checking agencies
  • Government or statutory bodies
  • Cloud service providers
  • Consultants or Contractors working on our behalf (specifically for the purposes of recruitment and selection)
  • Background checking providers (specifically to allow them to perform the background screening)

 

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Data in line with our policies or the data processing contract with have entered with them. We do not allow our third-party service providers to use your Data for their own purposes. We only permit them to process your Data for specified purposes and in accordance with our instructions.

Transferring Data

Your Data shall be transferred to, and processed in, countries other than the country in which you are resident; in exceptional circumstances, in any country in the world. These countries shall have data protection laws that are different to the laws of your country.

Smart Communications. In respect of transfers to the Smart Communications Group we will only transfer your Data in order for Human Resources and Finance to perform their duties.

Smart Communications and our third-party service providers and partners operate around the world. This means that when your Data is collected it shall be processed in any of these countries.

Where we transfer your personal data to Smart Communications group companies, the transfer shall be in accordance with the Standard Contractual Clauses approved by the European Commission including supplementary measures, as applicable and appropriate. Transfers may also occur under Smart Communication’s intra group data transfer agreement which applies the same standard of adherence to applicable data protection law.

Where we transfer your personal data to third parties, we shall only do so in compliance with applicable data protection law. Where such transfer is made from the United Kingdom or EEA, such transfers are compliant with the transfer mechanisms approved by the European Commission under GDPR and equivalent UK law.

Smart Communications is committed to processing and handling your personal data in accordance with applicable data protection law, and we continue to monitor guidance on applicable data protection laws regarding appropriate safeguards for transfers of personal data.

Where we transfer your Data to third parties we shall only do so in compliance with applicable data protection law.

Data Security

We maintain appropriate administrative, technical and organisational measures which are designed to help safeguard the confidentiality, integrity and availability of your Data and to protect it against accidental or unlawful destruction, accidental loss, unauthorised alteration, disclosure or access, misuse, and any other unlawful form of processing. To ensure compliance with data protection laws and our internal policies, we address information security at all appropriate technology infrastructure points. We also train Smart Communications employees on the importance of data privacy and we permit Smart Communications employees to access Data solely on an authorized need to know basis.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention

How long will you use my information for?

The periods for which Data will be stored and the criteria used to determine retention periods or whether Data can be deleted will depend on the information in question, its relevance or sensitivity; however, generally, Data will be deleted if it has been superseded by other relevant or up to date information, if it is out of date, irrelevant or no longer necessary.

Generally, provided that the applicable law allows for it, this means that your Data will be retained until the end of your employment application, or work relationship with us plus a period of 12 months after we have communicated to you our decision about whether to appoint you to a role or offer you work. Once hired, we will retain your Data for the period of your employment with us and as required to comply with applicable retention obligations under applicable data protection laws. We retain your Data for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely delete your Data in accordance with our Data Retention Policy. In some circumstances we shall anonymise your Data so that it can no longer be associated with you, in which case we shall use such information without further notice to you.

Rights of Access, Correction, Erasure, and Restriction (Your rights in connection with Data):

As a Data Subject, by law you have the right to:

  • Request access to your Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Data we hold about you and to check that we are lawfully processing it.
  • Request correction of the Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your Data. This enables you to ask us to delete or remove Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Data where you have exercised your right to object to processing (see below).
  • Object to processing of your Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Data for direct marketing purposes.
  • Request the restriction of processing of your Data. This enables you to ask us to suspend the processing of Data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the portability of certain Data to another party.
  • Withdraw your consent at any time, where we process your Data on the basis of consent.

 

If you want to access, correct or request erasure of your Data, object to the processing of your personal data, or request that we transfer a copy of certain Data to another party, please contact [email protected] in writing.

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your Data, please contact the DPO by emailing [email protected] You have the right to make a complaint at any time to the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

Updated January 2022