Privacy Policy
1. BACKGROUND
This privacy notice applies to all candidates who are applying to be employed by or otherwise work for Grant Thornton in the Channel Islands.
Grant Thornton is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during the application process, and if you are unsuccessful what we will do with your information (including in relation to sharing, storage and transfers to other jurisdictions), in accordance with the Data Protection (Jersey) Law 2018 (and related legislation), the Data Protection (Bailiwick of Guernsey) Law 2017 (and related legislation) and, where applicable, the EU General Data Protection Regulations ("GDPR") (together, the "Data Protection Legislation"). If you are successful in your application a separate employee Data Protection Policy will apply.
Depending on whether you are applying to Guernsey or Jersey, either Grant Thornton Services (Guernsey) Limited or Grant Thornton Services (Jersey) Limited respectively will be the “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice (the "Notice").
This Notice is not contractual and we may update it at any time. If we change anything important in this Notice, (the information we collect, how we use it or why) we will notify you.
It is important that you read this Notice so that you are aware of how and why we are using such information.
2. DATA PROTECTION CONTACT
We have a single point of contact for data protection queries relating to both our Jersey and Guernsey offices:
Email (preferred): data.protection@gt-ci.com
Phone: +44 1534 885885
3. Data Protection Principles
We will comply with Data Protection Legislation. This says that the personal information we hold about you must be:
a) used lawfully, fairly and in a transparent way;
b) collected only for legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
c) relevant to the purposes we have told you about and limited only to those purposes;
d) accurate and kept up to date;
e) kept only as long as necessary for the purposes we have told you about; and
f) kept securely, including protecting it against unauthorised or unlawful processing.
We are accountable to demonstrate compliance with these data protection principles.
4. THE KIND OF INFORMATION WE HOLD ABOUT YOU
We may collect, store, and use the following categories of personal information about you:
a) Personal identifiers including name, title, addresses, telephone numbers, personal email addresses, Social Security number and Income Tax reference number.
b) Date of birth.
c) Age.
d) Signature.
e) Gender.
f) Marital status and dependants.
g) Remuneration and benefits history.
h) Identification information such as passport details or driving licence.
i) Recruitment information (including copies of right to work documentation, immigration status, work permit, registration card, references, educational & professional qualifications, aptitude test results, personality profile, and other information included in a CV or cover letter or as part of the application process).
j) Details of any professional social media profiles (e.g. LinkedIn).
k) We may also collect, store and use information considered to be special category data including information about any criminal convictions and offences and/or information about your race, ethnicity, religious beliefs, sexual orientation and political opinions, trade union membership, and information about your health, including any medical conditions.
5. HOW IS YOUR PERSONAL INFORMATION COLLECTED?
We collect personal information about candidates through the application and recruitment process. Information comes from various sources including (but not limited to): directly from candidates; from employment agencies; from referees; and from professional social media sites. We may collect additional information from the following third parties including former employers; companies that undertake personality profiling and aptitude testing; companies that undertake background checks; authorised channels to undertake criminal record checks; regulatory or professional bodies; and government departments or statutory bodies (such as tax and social security departments).
We also obtain personal information about candidates and potential candidates via Pinpoint, our talent acquisition software, providing direct access to candidate CVs. You can elect how long your CV remains active on the Pinpoint portal and can activate the deletion of your personal data from the portal via their Manage Your Data tool. Please refer to Pinpoint directly in relation to any consent you may have given to access to your CV and personal data.
6. HOW WE WILL USE INFORMATION ABOUT YOU
We will only use your personal information when there is a legal basis for doing so. When personal information is processed, the basis of processing will be in accordance with the Data Protection Legislation (as applicable), our legal obligations and to meet our information security requirements. Most commonly, we will use your personal information in the following circumstances:
1. Where we need to take preparatory steps to enter into a contract or engagement with you or in order to perform a contract we have with you.
2. Where we need to comply with a legal or regulatory obligation.
3. Where it is necessary for the conclusion or performance of a contract made between us and a third party that is in your interest or, at your request, in order to take steps prior to entering into that contract.
4. Where the processing is necessary for the purposes of exercising or performing any right or obligation conferred or imposed on us by law or a regulatory obligation in connection with employment or social security including obtaining legal advice, or to comply with legal duties.
5. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, or where it is necessary for us to establish, exercise or defend legal rights. You have the right to object to any processing under this ground.
6. Where it is necessary in order to comply with an order or a judgment of a court or tribunal having force of law in the relevant jurisdiction.
In addition we may also use your personal information where you have given us consent to do so or in circumstances where we need to protect your or someone else’s vital interests (e.g. avoiding serious risk of harm to you or others).
6.1 Situations in which we will use your personal information
We need all (or a majority of) the categories of information in the list at section 4 above primarily to consider your application and whether to enter into a contract of employment with you, including but not limited to contacting you in respect of possible roles, inviting you to interview, putting together an offer letter, establishing your right to work, evaluating your skills, qualifications and suitability for the role and undertaking criminal record searches, and other background and reference checks and to generally conform with our regulatory and legal obligations.
We have legal and regulatory obligations to ensure your suitability for the role. Some of the above grounds may overlap and there may be several grounds which justify our use of your personal information.
6.2 If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to proceed with your application or we may be prevented from complying with our legal obligations.
6.3 Change of purpose
We will only use your personal information for the legitimate purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original legitimate purpose. If we need to use your personal information for an unrelated but legitimate purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge, in compliance with the above rules, where this is required or permitted by law.
7. HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION
”Special categories” of particularly sensitive personal information require higher levels of protection. The only forms of special category information we generally process through the application process are criminal checks or medical information (in particular that is provided in order that reasonable adjustments can be made e.g. disability information).
We may process special categories of personal information in the following circumstances:
7. With your explicit written consent. Usually this consent will be specific to the recruitment process and will not permit us to continue to process your special category personal data indefinitely relying on consent. Please note we may continue to process this information on other lawful grounds should you accept an offer of employment.
8. Where it is needed in the public interest, such as for equal opportunities monitoring and in line with our data protection policy.
9. Where we need a medical diagnosis and/or to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
We may only use information relating to criminal convictions where the law allows us to do so, when we are undertaking background searches or to assess your suitability to work for us. We are required to carry out such checks in order to satisfy ourselves there is nothing in your criminal conviction history which makes you unsuitable for the role as required by our legal and regulatory duties.
Where searches have been undertaken we will continue to hold such information about criminal convictions as long as it remains relevant.
Less commonly, we may process these types of sensitive personal information where it is needed in relation to legal claims or where it is needed to protect your interests and you are not capable of giving your consent, or where you have already made the information public.
8. AUTOMATED DECISION-MAKING
As part of our recruitment process from time to time we use personality profiling and aptitude testing as an aid to recruitment decision making. No decisions are taken solely on an automated basis. For further information please contact a member of our People & Culture team.
9. DATA SHARING
We may share your data with third parties, including third-party service providers (to carry out personality profiling, aptitude testing and to undertake background screening checks), and other entities within the Grant Thornton network where there are centralised or group functions that are or can be operated by other member firms of the Grant Thornton network (such as recruitment and human resource operations which can be outsourced to Grant Thornton Advisory Private Limited).
We require third parties to uphold the security of your data and to take and implement appropriate security measures to protect your personal data in line with our policies and Data Protection Legislation.
We may share your personal information with third parties where required by law, where it is necessary to administer the relationship with you or where we have another legitimate interest in doing so (but we will not do this if these interests are over-ridden by your interests and rights in particular to privacy). Sometimes we may disclose personal information to organisations outside of Grant Thornton on other lawful grounds, such as:
· to comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process;
· in response to lawful requests by public authorities (including for national security or law enforcement purposes);
· as necessary to establish, exercise or defend against potential, threatened or actual litigation;
· where necessary to protect the vital interests of you or another person;
· in connection with the sale, assignment or other transfer of all or part of our business; and/or
· with your consent.
Some third parties are based in jurisdictions outside of the Channel Islands, the UK and/or the EEA (for example Grant Thornton Advisory Private Limited which is based in India). Where your personal data is transferred outside of the Channel Islands, the UK or the EEA, we will ensure that your personal data is adequately protected in accordance with the requirements under the Data Protection Legislation. You can expect a similar degree of protection, in respect of your personal information, to that applicable in the Channel Islands.
There is an adequacy decision by the European Commission in respect of Guernsey, Jersey and the UK, so these jurisdictions are considered to provide an adequate level of protection for your personal information.
Where we are transferring your personal data to a jurisdiction which has not been deemed by the European Commission to have adequate laws in place to protect personal data, we transfer the personal data using one of the following measures:
· Where we use certain service providers on a recurring basis, we will seek to put in place Standard Contractual Clauses approved by the European Commission, which give your personal data the same protection it has within the Channel Islands, the UK and/or the EEA.
· Where the transfer is on an ad hoc basis, to a service provider which we do not regularly use, we will only transfer the personal data if:
o The transfer is necessary for the establishment, exercise or defence of legal claims; or
o We have your explicit consent; or
o The transfer is necessary for the conclusion or performance of a contract in your interest, and we are party to that contract; or
o The transfer is necessary in order to perform a contract between us and you, or the implementation of pre-contractual measures taken at your request.
All our third-party service providers are required to take and implement appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
10. DATA SECURITY
We are committed to protecting the security of your personal information. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained by using the contact details above.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
11. DATA RETENTION
If you are unsuccessful in your application, information will be retained for up to 12 months on the basis of legitimate interests in order to provide candidate feedback and defend legal proceedings. Further details in relation to our retention policies can be obtained from our data protection contact listed at point 2. above.
If you are successful in your application, a separate employee Data Protection Policy will apply which outlines the retention periods for employee personal information.
12. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
12.1 Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. If your personal information is not kept accurate and current, we may not be able to proceed with your application.
12.2 Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
· Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to determine whether we are lawfully processing it. It also entitles you to receive information about (amongst other things) any recipients of that information, the period for which the information is processed, the source of the information (if not provided by you), any international transfers of the information and where information is transferred the protections we put in place to protect your information. If this request is made then the data will usually be provided to you within four weeks of the request (or such other time period as applicable under local legislation).
· Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
· Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it or we are not legally obliged to retain it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below) or you withdraw your consent to our use of your personal information. In this circumstance the data will usually be erased within four weeks of the request (or such other time period as applicable under local legislation). We may continue processing the data in certain circumstances, including if there are grounds other than consent for processing your personal information, where processing the personal information is in compliance with a legal obligation or for reasons of public interest, or for the exercise or defence of legal claims. In these instances, we shall advise you if we consider that there are on-going grounds permitting us to continue processing your personal information.
· Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party). In such circumstances, we shall cease processing your personal information unless: we are legitimately processing the information on a different basis and there are compelling legitimate grounds for continuing to process the personal information; or we are otherwise permitted to process the information under Data Protection Legislation. If applicable, we will advise you of the basis on which we continue to process your personal information. You also have the right to object where we are processing your personal information for direct marketing purposes.
· Request the restriction of processing of your personal information if you contest the accuracy of the personal information we process about you; you consider that the processing is unlawful but you do not want us to erase the information; we are not required to continue processing the information but you wish the information to be retained in connection with a legal claim; or you have objected to the grounds upon which we process the information.
· Request the transfer of your personal information to another party (Right to data portability). Where you provide personal information to us and consent to us using it and the processing is carried out by automatic means you are entitled to receive a copy of that information in a machine-readable format and for that to be provided to another data controller, where technically possible.
· In certain circumstances, we are permitted to make decisions in relation to you on automated processing. At present, we do not make decisions in relation to applicants based solely on automated processing. Where we do make decision based on automated processing, you may request you are not subject to an automatic decision, alternatively you may (i) express a view on the decision; or (ii) appeal or seek to review the decision; and (iii) request and obtain human intervention in the decision.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using the details above.
Where you have asked us to rectify, erase or restrict the processing of your personal information and we have passed your information on to a third party, then you can ask us to provide the identity and contact details of the third party. Where you have requested a restriction on processing, we will inform you if we lift or cease that restriction on processing.
12.3 No fee usually required
You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee in some circumstances, including if your request for access is clearly unfounded, repetitive or otherwise excessive. Alternatively, we may refuse to comply with the request in such circumstances.
12.4 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
13. RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please do so by using the contact details above. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
14. COMPLAINTS
Should you have any cause for complaint, please email data.protection@gt-ci.com or phone +44 1534 885885.
If you are dissatisfied with the way in which your complaint has been handled you may contact your local data protection supervisory authority, or write to our local Information Commissioner:
| For Jersey complaints Jersey Office of the Information Commissioner 2nd Floor 5 Castle Street St Helier Jersey JE2 3BT Web: www.jerseyoic.org Email: enquiries@jerseyoic.org | For Guernsey complaints The Office of the Data Protection Authority Block A, Lefebvre Court Lefebvre Street St. Peter Port Guernsey GY1 2JP Web: www.odpa.gg Email: info@odpa.gg
15. CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact us via email data.protection@gt-ci.com (preferred) or call +44 1534 885885.