1 Overview

This Job Applicant Privacy Notice sets out what personal data we, TopHat Corporate Limited, hold about you and how we collect and use it during and after the recruitment process. It applies to anyone who is applying to work for us, whether as an employee, worker, contractor, consultant, intern, volunteer, partner or director (together referred to as ‘Job Applicant’ or ‘you’).

Please note that we will not necessarily hold, use or share all of the types of personal data described in this Privacy Notice in relation to you. The specific types of data about you that we will hold, use and share will depend on the role for which you are applying, the nature of the recruitment process, how far you progress in the recruitment process and your individual circumstances.

We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other similar or additional information that we might give you from time to time about how we collect and use your personal data. Should your application be successful, when you start work for us, we will provide you with another privacy notice that explains how we deal with your personal data whilst you are working for us.

This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation comes into force. It does not give you any contractual rights. We may update this Privacy Notice at any time.

Who is the controller?

TopHat Corporate Limited is the “controller” for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you.

What is personal data?

Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal or business capacity.

Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. The rest is ordinary personal data.

2 Ordinary Personal Information

2.1 Information Collection

At the initial stages of recruitment, we collect, hold and use the following types of ordinary personal data about you:

· Information contained in your application form/CV/covering letter, including your name, title, contact details, photograph (if applicable), employment history, experience, skills, qualifications/training (including educational, vocational, driving licences where appropriate), referees’ names and contact details, etc.
· Publicly available information about you, such as your business social media presence
· Selection information, including correspondence, interview notes, internal notes, the results of any written or online selection tests

If you are shortlisted for a position, or you receive a conditional offer of employment, we may collect, hold and use the following additional types of ordinary personal data about you:
· Pre-employment check information, including references and verification of qualifications
· Right to work checks and related documents

2.2 Use of Information

2.2.1 We hold and use this personal data so that we can:

· process your application and correspond with you about it;
· assess whether you have the required skills, experience, qualifications and training for a role within the company;
· make informed recruitment decisions and assess your suitability for employment;
· verify information provided by you;
· check and demonstrate that you have the legal right to work in the UK;
· keep appropriate records of our recruitment process and decisions;
· comply with statutory and/or regulatory requirements and obligations;
· administer the contract we have entered into with you;
· record and assess your academic qualifications to make informed decisions about employment or engagement;
· operate and maintain a record of dismissal procedures;
· prevent fraud;
· reach out to former employers for references

Some of the personal information you provide to us is mandatory and/or is a statutory and/or contractual requirement, some of the personal information you may be asked to provide to us on a voluntary basis.

2.2.2 Legal grounds for using your ordinary personal data

2.2.2.1 Data protection law specifies the legal grounds on which we can hold and use personal data.

We rely on one or more of the following legal grounds when we process your ordinary personal data:

a. When we need it to take steps at your request to enter into a contract with you (entry into a contract), because by applying for a job with us you are effectively asking us to enter into a contract with you [whether this is an employment contract, a contract for services or another type of contract]. Our use of your personal information is necessary for the performance of our obligations under our contract with you (for example, to pay you or to confer a benefit under the terms of an employment contract); or
b. When we need it to comply with a legal obligation (legal obligation), e.g. the obligation not to discriminate during our recruitment process, or the obligation not to employ someone who does not have the legal right to work in the UK.
c. Where neither (a) or (b) apply, it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). For example, it is in our legitimate interests to review and consider your personal data (as listed above) so that we can select the most appropriate candidate for the job.

2.2.2.2 Where we are relying on our legitimate interests or the legitimate interests of a third party, we have explained, in the relevant parts of this Privacy Policy, what those legitimate interests are.

2.2.2.3 In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our DPO at the contact details stated above. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.

3 Special Category Personal Information

3.1 Information Collection

We will only collect, hold and use limited types of special category data about you during the recruitment process, as described below.
Since special category data is usually more sensitive than ordinary personal data, we need to have an additional legal ground (as well as the legal grounds set out in the section on ordinary personal data, above) to collect, hold and use it. The additional legal grounds that we rely on to collect, hold and use your special category data are explained below for each type of special category data.

At the initial stages of recruitment, we collect, hold and use the following special category data about you:

· Equal opportunities monitoring data which could include information about your race or ethnicity, religious beliefs, sexual orientation or health
· Information relevant to any request by you for adjustments to the recruitment process as a result of an underlying medical condition or disability.
· If you are shortlisted for a position, or you receive a conditional offer of employment, we may collect, hold and use the following additional types of special category personal data about you:
· We collect information about your health in a pre-employment medical questionnaire and/or examination, as well as any information about underlying medical conditions, results on drug and alcohol tests, and adjustments that you have brought to our attention.

3.2 Use of Information

3.2.1 We hold and use this special category personal data so that we can:

· monitor equality of opportunity and diversity in our recruitment process;
· carry out a fair, non-discriminatory recruitment process by considering/making reasonable adjustments to our process as appropriate;
· assess whether you are fit to do the job with adjustments, to consider/arrange suitable adjustments and to comply with health and safety requirements

3.2.2 Legal grounds for using your special category personal data

· when it is necessary in the public interest for the purposes of equal opportunities monitoring and is in line with our Data Protection Policy;
· when we need it to comply with a legal obligation/exercise a legal right in relation to employment – namely, the obligations not to discriminate, and to make reasonable adjustments to accommodate a disability – and such use is in line with our Data Protection Policy;
· when we need it to comply with a legal obligation/exercise a legal right in relation to employment – namely, the obligation to make reasonable adjustments to accommodate a disability – and such use is in line with our Data Protection Policy; and it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

4 Change of Purpose

We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, we will provide you, prior to that further processing, with information about the new purpose. We will explain the legal basis which allows us to process your personal information for the new purpose and we will provide you with any relevant further information. We may also issue a new privacy notice to you.

5 Source of Personal Information

You provide us with most of the personal data about you that we hold and use, for example in your written application, by completing any assessments and during any interviews.

Some of the personal data we hold and use about you is generated from internal sources during the recruitment process. For example, the person interviewing you may score your suitability for the role and we record the reasons for decisions made about whether your application is successful or not.

Some of the personal data about you that we hold, and use may come from external sources. For example, a recruitment agency, open source networks, and existing databases provide us with a shortlist of candidates. If we offer you a role, we will carry out pre-employment checks, such as taking up references from past employers or education providers and we may check your qualifications by contacting the awarding body. We may ask an occupational health professional to report to us on your fitness to do the job. In some circumstances, we may ask the Home Office for information about your immigration status to verify your right to work in the UK. For some roles, we may also obtain information about you from publicly available sources, such as your LinkedIn profile, career sites, job boards or other media sources.

6 Disclosure of Information

6.1 Selected Companies

Your personal information will be made available to the following companies on need basis:

  • TopHat Labs Limited
  • TopHat Industries Limited
  • TopHat Communities Limited
  • TopHat Technologies Limited

We will only share your personal data with third parties where we have an appropriate legal ground under data protection law which permits us to do so. Commonly, this could include situations where we are legally obliged to provide the information (e.g. to HMRC for tax purposes), to comply with our contractual duties (e.g. to providers of your contractual benefits such as occupational pension, health insurance, etc.), or where it is necessary in our legitimate interest (e.g. to an IT service provider for maintenance of our IT systems).

6.2 Recruitment Agencies

We engage recruitment agencies to provide us with the details of suitable candidates for our available vacancies, to communicate with those candidates, to handle administration in connection with the recruitment process. If we have received your initial application details from a recruitment agency, we will share with them any of your personal data that is necessary to enable them to fulfil their functions for us. Our legal grounds for doing so are that: it is necessary for entry into a contract; and it is in our legitimate interest to engage service providers to assist us with the recruitment process.

6.3 Medical/occupational health professionals

We may share information relevant to any request by you for adjustments to the recruitment process because of an underlying medical condition or disability with medical/occupational health professionals to enable us to identify what, if any, adjustments are needed in the recruitment process and, if you are successful, once you start work. We may also share details of disclosed medical conditions and/or answers to pre-employment health questionnaires with medical/occupational health professionals to seek a medical report about you to enable us to assess your fitness for the job and whether any adjustments are needed once you start work. This information may also be used by the medical/occupational health professionals to carry out assessments required by health and safety legislation. Our legal grounds for sharing this personal data are that: it is necessary for entry into a contract; it is in our legitimate interests to consider adjustments to enable Job Applicants to participate fully in the recruitment process and to assess the fitness for work of Job Applicants to whom we have offered jobs; and it is necessary to comply with our legal obligations/exercise legal rights in the field of employment (obligations not to discriminate, to make reasonable adjustments, to comply with health and safety requirements).

6.4 Legal/professional advisers

We share any of your personal data that is relevant, where appropriate, with our legal and other professional advisers, to obtain legal or other professional advice about matters related to you or during dealing with legal disputes with you or other Job Applicants. Our legal grounds for sharing this personal data are that: it is in our legitimate interests to seek advice to clarify our rights/obligations and appropriately defend ourselves from potential claims; it is necessary to comply with our legal obligations/exercise legal rights in the field of employment; and it is necessary to establish, exercise or defend legal claims.

6.5 Home Office

We may share your right to work documentation with the Home Office, where necessary, to enable us to verify your right to work in the UK. Our legal ground for sharing this personal data is to comply with our legal obligation not to employ someone who does not have the right to work in the UK.

6.6 Restrictions on use of personal information by recipients

6.6.1 Any third parties with whom we share your personal information are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.

6.6.2 Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and/or obtaining your consent. Where you have given your consent for us to use you information in a particular way, but later change your mind, you can contact us and we will stop doing so.

6.7 Consequences of not providing personal data

We only ask you to provide personal data that we need to enable us to decide whether or not to offer you a role. If you do not provide particular information to us, then we will have to make a decision on whether or not to offer you a role without that information, which in some cases could result in us deciding not to recruit you. For example, if we ask you to provide an example of previous written work/a certificate verifying a qualification and you do not, we will have to decide whether to recruit you without that information. If you do not provide us with names of referees or a reference when asked, we will not usually be able to offer you the role. In addition, some of the personal data you provide to us is required by law. For example, if you do not provide us with the documentation we need to check your right to work in the UK, then we cannot by law employ you.

If you choose not to provide us with personal data requested, we will tell you about the implications of any such decision at the relevant time.

7 Retention of Personal Information

7.1 We will keep your personal data throughout the recruitment process

If your application is successful, when you start work for us you will be issued with an Employee Privacy Notice which will include information about what personal data we keep from the recruitment process and how long we keep your personal data whilst you are working for us and after you have left.

If your application is unsuccessful, we will keep your personal data for up to 6 months from the date we notify you of our decision. (Note, we may keep your personal data for longer than 6 months if you have asked us to consider you for future vacancies – see ‘Will we keep your application on file?’ below). There may, however, be circumstances in which it is appropriate for us to keep particular items of your personal data for longer. We will base these decisions on relevant circumstances, considering the following criteria:
· the amount, nature, and sensitivity of the personal data
· the risk of harm from unauthorised use or disclosure
· the purposes for which we process your personal data and how long we need the particular data to achieve these purposes
· how long the personal data is likely to remain accurate and up to date
· for how long the personal data might be relevant to possible future legal claims
· any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept
In all cases, we will not keep your personal data for longer than necessary for the purposes for which the personal information is used or otherwise processed. The length of time we retain personal information depends on the purposes for which we collect and use it and / or as required to comply with applicable laws.

7.2 Will we keep your application on file?

If you are unsuccessful for the role for which you have applied, or you sent us a speculative application, then, if you have consented to us doing so, we will keep your personal data on file to identify if you might be suitable for any other vacancies that may arise in the next 12 months and will contact you if we believe this is the case. We will not keep your personal data for this purpose for longer than 12 months.

If during the period that we have your personal data on file, you wish to apply for any particular vacancy that we have open, please do contact us to make us aware of this – particularly if it is not a close match with your previous experience or is in a different area of our business from a vacancy you applied for previously, as we may not otherwise realise that the vacancy would be of interest to you.

When applying for a particular role, there is no obligation for you to consent to us keeping your personal data on file for consideration for other roles if you do not want to. Your application for the particular role you are putting yourself forward for will not be affected.

If you change your mind about us keeping your personal data on file, you have the right to withdraw your consent at any time – see ‘Your Rights’, below.

7.3 References

If you give us details of referees, we require you to inform them what personal data of theirs you are giving to us. You must also give them our contact details and let them know that they should contact us if they have any queries about how we will use their personal data.

8 Your Rights

You have the following rights with respect to your personal information:

8.1 Right of Access

You have the right to request from us information on which personal information about you we process at any time. Please send your request to the postal or email address stated below.

8.2 Right to Rectification of Incorrect Data

If data about you is inaccurate, you have the right to obtain from us rectification of such data without undue delay. Please send your request to the postal or email address stated below.

8.3 Right to Erasure

Under the requirements set out in Art 17 GDPR you have the right to request from us the erasure of your personal information. In particular you may ask us to erase personal information, if (i) it is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the personal information has been unlawfully processed, (iii) you object to the processing pursuant to Art 21(1) GDPR and there are no overriding legitimate grounds for the processing, (iv) the personal information has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject or (v) you withdraw your consent on which the processing is based and there is no other legal ground for the processing. Please send your request to the postal or email address stated below.

8.4 Right to Restriction of Processing

You have the right to obtain from us restriction of processing, where one of the following applies: (i) The accuracy of the personal information is contested by you, processing will be restricted for a period enabling us to verify the accuracy of the personal information, (ii) the processing is unlawful and you oppose the erasure of the personal information and request the restriction of their use instead, (iii) we no longer need the personal information for the purposes of the processing, but are required by you to keep them for the establishment, exercise or defence of legal claims or (iv) you have objected to processing pursuant to Art 21(1) GDPR and the verification whether our legitimate interests override yours is pending. Please send your request to the postal or email address stated below.

8.5 Right to Data Portability

According to Art 20 GDPR you have the right to receive the personal information concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. Please send your request to the postal or email address stated below.

8.6 Right to Object

Pursuant to Art 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal information concerning you which is based on point e) or f) of Art 6 para. 1 GDPR. We will no longer process your personal information unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims.

We will consider all such requests and provide our response within a reasonable period (and in any event any time period required by law). Please note, however, that certain personal information may be exempt from such requests in certain circumstances.

If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.

If you would like to exercise any of the above rights, please contact the Data Protection Officer, TopHat, 14 Great James Street, Bloomsbury, London WC1N 3DP or dataprotection@tophat.io in writing. Note that these rights are not absolute, and, in some circumstances, we may be entitled to refuse some or all of your request.

If you have any questions or concerns about how your personal data is being used by us, you can contact us at the address detailed above.

Note too that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk.

9 Transfers of Information

9.1 The personal information may be processed by staff operating outside the EEA working for us, other members of our group or third-party data processors for the purposes mentioned in sections 2.2 and 3.2 above. Further details on to whom your personal information may be disclosed are set out in section 6 above.

9.2 If we provide any personal information about you to any such non-EEA members of our group or third-party data processors, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Policy. These measures include entering into European Commission approved standard contractual arrangements with them.

10 Security

10.1 TopHat Corporate Limited has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, workers, agents, contractors and other third parties who have a business need to know to perform their job duties and responsibilities. You can obtain further information about these measures from our DPO at the contact details stated above.

10.2 Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions.

11 Third Party Websites

Please note that this Privacy Policy only applies to the personal information that we (or third parties on our behalf or our group companies) collect from or about you and we cannot be responsible for personal information collected and stored by third parties. Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal information to these websites. We do not endorse or otherwise accept any responsibility or liability for the content of such third-party websites or third-party terms and conditions or policies.

12 Automated Decision-making

Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention. We do not envisage that any employment decisions will be taken about you based solely on automated decision making, including profiling. However, we will notify you in writing if this position changes.

13 Changes to our Privacy Policy

This Privacy Policy may be amended from time to time. Any changes we make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

14 Further Questions or Making a Complaint

If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights in relation to your personal information, please contact our DPO. We will investigate and attempt to resolve any such complaint or dispute regarding the use or disclosure of your personal information.

You may also make a complaint to your local data protection authority in the EU country where we are based. If you are unsure which data protection authority to contact, please contact our DPO who will advise you.

The practices described in this Privacy Policy are current personal information protection policies, as of 25 May 2018.