Legal notices: Recruitment-specific Privacy Notice
1. Introduction
At DLA Piper, we take seriously the protection of your privacy and confidentiality and we undertake to preserve the confidentiality of all information you provide to us.
This privacy notice ("Notice") sets out the basis on which DLA Piper processes the personal data it collects from you. For the purposes of this Notice, DLA Piper means DLA Piper International LLP and the various DLA Piper entities operating in the UK, Europe, Asia-Pacific, Middle East and Africa, also referred to in this notice as "the firm" or "we".
2. Scope of Privacy Notice
Like most businesses, we hold and process a wide range of information, some of which relates to individuals who are applying to work for us. This Notice explains the type of information we process, why we are processing it and how that processing may affect you.
The Notice focuses on individuals who are applying to work for us as an employee, partner, contingent worker, a contractor, a consultant or work experience and the data that we process as part of that process. We have a separate Internal Privacy Notice that applies to our current and former employees.
References in this Notice to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services, including but not limited to partners of any DLA Piper entity.
We use the word “you” to refer to anyone within the scope of the Notice.
In brief, this Notice explains:
- what personal data we hold and why we process it;
- the legal grounds which allow us to process your personal data;
- where the data comes from, who gets to see it and how long we keep it;
- how to access your personal data and other rights;
- how to contact us.
3. Types of personal data processed
"Personal data" is a concept defined by data protection law, and refers to any information which relates to an identified or identifiable individual. It includes not only facts about an individual, but also intentions and opinions about them.
"Processing" means doing anything with the data. For example, it includes collecting it, holding it, disclosing it and deleting it.
"Sensitive personal data" or "special categories of data" is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data and is subject to special protection under relevant data protection law.
The types of personal data which we process will vary depending on your role, your location and the terms and conditions of employment or engagement (if any) relevant to you. DLA Piper generally process data for the purposes of our business including providing services to our clients, management, administrative, employment and for legal and regulatory purposes.
4. Sources of personal data
When you apply to work for us the initial data about you that we process is likely to come from you: for example, contact details and information on your immigration status and whether you can lawfully work. Where necessary and in accordance with this Notice, we will require references and information to carry out background checks. If you have concerns about this in a particular context, you should speak to your contact within our Recruitment team.
Please note we may also receive data from third party recruiters, agents and similar organisations as a part of the recruitment process, or as a referral from one of our employees or clients.
5. Disclosures of personal data
5.1 Internal use
Your personal data will be seen internally by members of the Recruitment team, and other HR team members, recruiting managers, and in some circumstances (if you join us) colleagues. We will also disclose this to other members of the firm where necessary for decision making regarding your application, this will depend on the type of role you are applying for.
5.2 External use
We will only disclose your personal data outside the firm if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.
We will disclose your data if it is necessary for our legitimate interests or the interests of a third party (but we will not do this if these interests are over-ridden by your interests and rights in particular to privacy).
Where necessary, we will also disclose your personal data if you consent, or where we are required to do so by law and in connection with criminal or regulatory investigations. Please note that when we disclose your data in such circumstances, where applicable, we will ensure that any necessary due diligence has been undertaken on the recipient and any necessary contractual documentation is in place to ensure the integrity and security of the data as required by law.
Specific circumstances in which your personal data may be disclosed include:
- Disclosure to third party providers to carry out reference checks, credit checks and other pre-employment on-boarding activities if you accept an offer from us;
- Disclosure to organisations that process data on our behalf such as our payroll service, insurers and other benefit providers, our bank and organisations that host our IT systems and data. This would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process;
- Disclosure to any regulator as necessary as part of the recruitment process.
In some jurisdictions, we also use a third party ATS (applicant tracking system) which stores your personal data for us once you have made an application in order to enable the relevant Recruiting manager and Recruiter to consider your application.
6. Retention of data
Our general approach is to only retain your personal data for as long as is required to satisfy the purpose for which it was collected by us or provided by you. If you become employed by us we will keep your personal data for the duration of your employment and for a period afterwards.
If you are unsuccessful in gaining employment with us, we will keep your personal data for a short period after informing you that you were unsuccessful and in any event, normally, for no longer than 12 months or a shorter period where legally required, from your last contact with us. Your data may be kept on file and considered for other roles.
7. Cross border transfers
The global nature of our business means that your personal data may be disclosed to other DLA Piper entities, or to third party suppliers or partners, located outside of the European Economic Area ("EEA"), including (but not limited to) our entities in Africa, the Middle East, Asia-Pacific and the United States of America which do not offer a level of protection of privacy equivalent to the level within the European Union.
In respect of internal transfers within DLA Piper, we have entered into an intra-group agreement, using the Standard Contractual Clauses, to ensure your data receives an adequate level of protection.
In respect of transfers of your personal data to third party suppliers outside of the EEA, we will take steps to ensure that your personal data receives an adequate level of protection, including by, for example, entering into data transfer agreements or by ensuring that third parties are certified under appropriate data protection schemes.
8. Data Subject Rights
You have a variety of rights to exercise control over your personal data, including rights of access, erasure and objection. These rights are subject to certain exemptions which we may need to apply, and certain rights (such as erasure) only apply in limited circumstances. Further information on this and on other rights is in Schedule 2 Data Subject Rights, to this Notice.
9. Children under 16
If you are aged 16 or under‚ we require your parent/guardian's permission before you provide us with your personal information.
10. Automatic decision making
We may use automatic decision making within our processes in order to appropriately progress applications you make to us. Any automatic decisions made will be on the basis of online assessment results only and not on the basis of personal information.
You may contact us to find out more information about automatic decision making including speaking with us about your application by emailing recruitment@dlapiper.com or by writing to Recruitment Team - Data Privacy, 160 Aldersgate Street, London, EC1A 4HT, United Kingdom, or by telephone +44 (0) 8700 111 111.
11. Contact details
In processing your personal data, we act as a data controller. Our contact details are set out below:
Privacy Officer
DLA Piper UK LLP
160 Aldersgate Street
London
EC1A 4HT
Email: privacyteam@dlapiper.com
Telephone: +44 (0)20 7349 0296
12. Complaints
If you have complaints relating to our processing of your personal data, you should raise these with privacyteam@dlapiper.com or your local recruitment team, recruitment@dlapiper.com. You may also raise complaints with the relevant Supervisory Authority or regulator.
13. Status of this Notice
This Notice does not form part of any contract of employment you might enter into and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this Notice is intended to create an employment relationship between DLA Piper and any non-employee.
SCHEDULE 1: PURPOSE AND LEGAL BASIS FOR PROCESSING
Under data protection law, there are various legitimate and lawful grounds on which DLA Piper can rely when processing your personal data. In some contexts more than one ground applies. We have summarised these grounds as Contract, Legal obligation, Legitimate Interests and Consent and outline what those terms mean in the following table.
Term |
Ground for processing |
Explanation |
1. Contract |
Processing necessary for performance of a contract with you or to take steps at your request to enter a contract |
This covers carrying out our contractual duties and exercising our contractual rights. |
2. Legal obligation |
Processing necessary to comply with our legal obligations |
Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination or complying with our regulatory obligations. |
3. Legitimate Interests |
Processing necessary for our or a third party’s legitimate interests |
We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data. |
4. Consent |
You have given specific consent to processing of your data |
In general, processing of your data in connection with employment is not conditional on your consent but there may be occasions where we do specific things, such as request a reference and rely on your consent on doing so. |
If we process sensitive personal data about you, as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing sensitive personal data applies. In outline, these include:
- Processing being necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement;
- Processing relating to data about you that you have manifestly made public;
- Processing being necessary for the purpose of establishing, making or defending legal claims;
- Processing being necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity;
- Processing for equality and diversity purposes to the extent permitted by local law; and
- Processing for which you have given us your explicit consent.
The Core Notice outlines the purposes for which we process your personal data. More specific information on these, examples of the data and the grounds on which we process data are in the table below.
The examples in the table cannot, of course, be exhaustive.
Please note that if you accept an offer from us we will process further information as part of the employment relationship. We will provide you with our full Internal Privacy Notice as part of the on-boarding process.
Purpose |
Examples of personal data that may be processed |
Grounds for processing |
Recruitment in relation to any job for which you apply and/or any job we think you might be suitable for in the future. |
Standard data related to your identity (e.g. your name, address and email address), ID information and documents, telephone numbers, place of birth, nationality, contact details, salary information, professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information), language skills, and any other personal data that you present us with as part of your application related to the fulfilment of the role. |
Contract |
Administering our recruitment process |
Evaluating your experience and qualifications against the requirements of the position you are applying for (or any future job for which we think you are suitable). |
Contract |
Entering into a contract with you (if you are made an offer by us) |
Information on your terms of employment from time to time including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance and any bonus or share schemes. |
Contract |
Contacting you or others on your behalf |
Your address and phone number, emergency contact information and information on your next of kin. |
Contract |
Payroll administration |
Information on your bank account, pension contributions and on tax and national insurance. |
Contract |
Financial planning and budgeting |
Information such as your proposed salary including any applicable bonus eligibility. |
Legitimate interests |
Physical and system security |
CCTV images upon attendance for interview at our premises. |
Legitimate interests |
Providing information to third parties in connection with transactions that we contemplate or carry out |
Information on any offer made to you and your proposed contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer. |
Legitimate interests |
Monitoring of diversity and equal opportunities (where permitted under local law) |
Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age as part of diversity monitoring initiatives. Such data will be aggregated and used for equality of opportunity monitoring purposes. |
Legitimate interests |
Disputes and legal proceedings |
Any information relevant or potentially relevant to a dispute or legal proceeding affecting us. |
Legitimate interests |
SCHEDULE 2: DATA SUBJECT RIGHTS
We try to be as open as we reasonably can about the personal data that we process. If you would like specific information, please ask us.
You have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:
- Giving you a description and copy of the personal data; and
- Telling you why we are processing it.
If you make a subject access request and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
As well as your subject access right, you may have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller. This only applies if the ground for processing is Consent or Contract.
If we have relied on consent as a ground for processing, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.