Recruitment Privacy Policy -European Offices

Scope Of Privacy Policy

Like most businesses, we hold and process a wide range of information, which relates to the individuals who apply, and those we recruit, to work for us. This Policy explains the type of information we process, why we are processing it and how that processing may affect you. We have a separate Workplace Privacy Policy that applies to our current and former employees. 

This Policy also includes the Supplementary Information contained in Appendix A, wherein we explain what we mean by “personal data”, “processing”, “special categories of personal data” and other terms used in this Policy. 

In brief, this Policy explains:

  • what personal data we hold and why we process it;
  • the legal grounds that allow us to process your personal data;
  • where the personal data comes from, who gets to see it and how long we keep it;
  • how to access your personal data and other rights; and
  • how to contact us.

Personal Data – What We Hold and Why We Process It 

We process personal data for the purposes of our business, including recruitment, management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes, on the type of data that may be processed and on the grounds on which we process data in the context of recruitment. See What are the legal grounds for processing? and Further information on the data we process and our purposes. 

Where The Data Comes From and Who Gets To See It 

Some of the personal data that we process about you comes from you. For example, you tell us your contact details and work history. If you are joining us, you may provide your banking details.

Other personal data may come from third parties, such as recruiters acting on your or our behalf or from your references. 

Your personal data will be seen internally by administrators, HR, lawyers and managers involved in the interview and decision-making process, and, in some circumstances (if you join us), colleagues. We will, where necessary and as set out in this Policy, also pass your data outside the firm, for example to people you are dealing with and payroll agencies. 

Further information on this is provided in the Supplementary Information. See Where the data comes from and Who gets to see your data? 

How Long Do We Keep Your Personal Data? 

We keep your personal data in line with our document retention policy, and in any event we will not retain it for longer than is necessary for our lawful purposes. In general, if you become employed by us, we will keep your personal data for the duration of your employment and for a period afterwards, as described in our document retention policy. If you are unsuccessful in gaining employment with us, we will likely keep your personal data for a short period after informing you that you were unsuccessful. 

See Retaining your personal data – more information in the Supplementary Information. 

International Transfers of Personal Data

We may transfer your personal data outside of the EEA or the UK (as applicable) to other Goodwin offices in our international network and to third parties, who provide services to us and to you.

Further information on these transfers and the measures taken to safeguard your data are set out in the Supplementary Information under International transfers of personal data – more information.

Your Data Rights

You have a right to make a subject access request to receive information about the personal data that we process about you. Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your personal data.

Controller Contact Details

In processing your personal data, we act as a data controller. This means that we determine the purposes and means of the processing of your personal data. In most cases, the data controller for your personal data will be the Goodwin entity to which you apply for work. Our contact details are set out below:

For London:

Goodwin Procter (UK) LLP
100 Cheapside
London EC2V 6DT
dataprivacy@goodwinlaw.com

For Cambridge:

Goodwin Procter (UK) LLP
50-60 Station Rd
Cambridge CB1-2JH
dataprivacy@goodwinlaw.com

For Frankfurt:

Goodwin Procter LLP
TaunusTurm, Taunustor 1
60310 Frankfurt am Main
dataprivacy@goodwinlaw.com

For Paris:

Goodwin Procter (France) LLP
12 rue d’Astorg
75 008 Paris
dataprivacy@goodwinlaw.com

For Luxembourg:

40 Avenue Monterey
L-2163 Luxembourg
Grand Duchy of Luxembourg
dataprivacy@goodwinlaw.com

EU and UK Representatives Contact Details

Goodwin Procter (UK) LLP is required to designate a representative in the EU that can be addressed by data subjects in addition to or instead of it on all issues related to the processing of personal data under the GDPR. Its representative in the EU is:

Goodwin Procter (France) LLP
12 rue d’Astorg
75 008 Paris

Goodwin Procter (France) LLP, Goodwin Procter (Luxembourg), and Goodwin Procter LLP (in respect of its branch office in Frankfurt) are each required to designate a representative in the UK that can be addressed by data subjects in addition to or instead of them on all issues related to the processing of personal data under the UK GDPR. Their representative in the UK is: 

Goodwin Procter (UK) LLP
100 Cheapside
London EC2V 6DT

Status of this Policy

This Policy does not form part of any contract of employment you might enter into and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this Policy is intended to create an employment relationship between any Goodwin entity and any non-employee.
 

APPENDIX A: SUPPLEMENTARY INFORMATION

WHAT DO WE MEAN BY “PERSONAL DATA” AND “PROCESSING”?

“Personal data” is information relating to a natural person, from which such person may be identified. It includes not only facts about you, but also intentions and opinions about you. 

"Processing" means doing anything with the personal data, whether or not by automated means, such as collecting, holding, disclosing and deleting the data. Examples of personal data processed automatically include information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building and sound and image data such as CCTV or photographs. 

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the United Kingdom General Data Protection Regulation, which is the GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”) apply to the processing of personal data by automated means and otherwise when that data forms (or is intended to form) part of a filing system.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by the GDPR and the UK GDPR to be “special categories of personal data”. 

References in this Policy to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your potential employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of this Policy. 

WHAT ARE THE LEGAL GROUNDS FOR PROCESSING?

Under the GDPR and the UK GDPR (as applicable), there are various grounds on which we can rely when processing your personal data. In some contexts more than one ground applies. We have summarised these grounds as Contract, Legal Obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. When processing your personal data for the purpose of recruitment in our Frankfurt office, we also rely on §26 of the German Bundesdatenschutzgesetz (BDSG), which applies to data processing for employment related purposes.

 

Term Ground for Processing Explanation
Contract Processing necessary for performance of a contract with you or to take steps at your request to enter a contract This covers carrying out our contractual duties, exercising our contractual rights and taking the necessary steps to prepare your employment contract. 
Legal Obligation Processing necessary to comply with our legal obligations  Ensuring we perform our legal and regulatory obligations. For example, depending on applicable law, providing a safe place of work, avoiding unlawful discrimination, including with regard to disabled workers and complying with our obligations relating to professional equality between women and men, fulfilling our obligations of tax and social declarations, and responding to relevant regulators, immigration authorities and other government departments or public bodies.
Legitimate Interests Processing necessary for our or a third party’s legitimate interests  

We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data.

This includes in particular our legitimate interest to assess your suitability for the proposed job.

Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests or fundamental rights and freedoms. 
Consent You have given specific consent to processing your data In general, processing your data in connection with employment is not conditional on your consent (even for processing special categories of personal data). But there may be occasions where we do specific things such as provide a reference and rely on your consent to our doing so. 

Processing special categories of personal data

If we process special categories of personal data about you, as well as ensuring that one of the legal grounds for processing listed in the table above applies, we will make sure that the processing is:

  • necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement;
  • related to data about you that you have made manifestly public (e.g., if you tell colleagues that you are ill);
  • necessary for the purpose of establishing, making or defending legal claims;
  • necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity, where permitted by applicable law;
  • for equality and diversity purposes to the extent permitted by applicable law; or
  • subject to your explicit consent.

If we decide to hire you, where required or permitted by applicable local law, we will collect the following special categories of personal data:

UK offices:

  • your health data as needed to allow us to comply with relevant employment laws, such as details of your disability in order to provide you with reasonable adjustments, information relating to your illness or pregnancy to process statutory payments, and information about your physical and mental health and possible exposure to contagious disease to ensure your health and safety and that of your co-workers;
  • diversity data needed to identify or review the equality of opportunity afforded to our staff;
  • data necessary to identify suitable candidates and promote and maintain diversity in senior positions in the firm, and (with your explicit consent) as requested by clients for their own diversity monitoring purposes; and
  • criminal conviction and offences data as necessary in connection with any legal proceedings, in order to obtain any legal advice or otherwise as necessary to establish, exercise or defend a legal claim.

Paris office:

  • your social security number for purposes of payroll and communication with social bodies;
  • your health data in the event of a workplace accident or your voluntary disclosure to us of exposure to infectious disease, which may include symptoms and test results; and
  • details of any disability or incapacity.

Frankfurt office:

  • information about your health and possible exposure to contagious disease as needed to allow us to comply with relevant health and safety laws to ensure your safety and that of your co-workers;
  • details of any disability or incapacity; medical and sickness certificates; and medical data and other documents required to confer special benefit status, where applicable;
  • your medical leave information and related medical certificates; and
  • information about your religion if required for tax purposes and in compliance with German law and trade union affiliation, if you have informed us of your trade union membership and/or asked us to make payments to trade unions or for religious tax on your behalf.

Luxembourg office:

  • your social security number for purposes of payroll and communication with social bodies;
  • your health data in the event of a workplace accident or your voluntary disclosure to us of exposure to infectious disease, which may include symptoms and test results; and
  • details of any disability or incapacity and medical and sickness certificates.

Further information on the data we process and our purposes

This Policy outlines the purposes for which we process your personal data. More specific information on these purposes, including examples of the personal data that may be processed and the grounds on which we process such data, are included in the table below for illustrative purposes and are not meant to be exhaustive. 

Purpose Examples of personal data that may be processed Grounds for Processing
Recruitment in relation to any role for which you apply, we recruit you for and/or any role we think you might be suitable for in the future  

Standard data related to your identity, e.g., your name, address, email address, ID information and documents, telephone numbers, place of birth, contact details, and professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information), language skills, and any other personal data that you present us with as part of your application, related to the fulfilment of the role (which may include special categories of personal data in the UK and Frankfurt, as permitted by applicable law).

Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks (see below) and any information connected with your right to work in the relevant country.

If we decide to hire you, if necessary, we will also process information concerning your health (UK and Frankfurt offices) and/or any disability (all offices) in connection with any adjustments needed to working arrangements.
 

Consent

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)
Administering our recruitment process   

Your experience and qualifications for the position you are applying for (or any future job for which we think you are suitable). 

Data you enter into our online careers portal. 

Communications with you in respect of any offer of employment we choose to make and providing you with information about our onboarding process. 
 

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)
Conducting pre-employment screening to assess your suitability for employment  

Criminal records, credit worthiness, standing and capacity, sex offender records, insolvency records, bankruptcy filings, civil litigation history and national insurance numbers (UK offices).

Certificate of Conduct issued by the German Federal Office of Justice and credit rating from SCHUFA (Frankfurt office)

Extracts from your criminal record, i.e., “B3”, when this is necessary for the position you are applying for (or any future job for which we think you are suitable) (Paris office)

Education records, previous employment records, legal admissions, certificates of good standing and media publications (all offices).
 

Contract

Legitimate Interest

Legal Obligation

Consent

§26 BDSG (Frankfurt office)
Entering into a contract with you (if you are made an offer by us)  

Information on your terms of employment from time to time, including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance, and any bonus schemes.

 

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)
Contacting you or others on your behalf Your address and phone number, emergency contact information and information on your next of kin.  

Contract

Legitimate Interests

§26 BDSG (Frankfurt office)
Payroll administration / partnership accounts Information on your bank account, pension contributions and tax (except that tax number of potential employees cannot be collected in France), national insurance, social security numbers or other government issued identifier as permitted by applicable law.  

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)
Financial planning and budgeting  Information such as your proposed salary and (if applicable) envisaged bonus levels.   

Legitimate Interests

§26 BDSG (Frankfurt office)
Physical and system security  

CCTV images upon attendance for interviews at our premises.

 

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)
Providing information to third parties in connection with transactions that we contemplate  Information on any offer made to you and your proposed contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer.  

Legitimate Interests

§26 BDSG (Frankfurt office)
Monitoring of diversity and equal opportunities   

Information on your nationality, gender, disability and age (in Paris and Luxembourg such data will only be aggregated and used for equality of opportunity monitoring purposes).

Information on your racial and ethnic origin and sexual orientation (UK and Frankfurt offices).
 

Legitimate Interests

Legal Obligation

§26 BDSG (Frankfurt office)

Substantial Public Interest
Disputes and legal proceedings Any information relevant or potentially relevant to a dispute or legal proceeding affecting us.   

Legitimate Interests

Legal Obligation

§26 BDSG (Frankfurt office)
Complying with data subject rights Information necessary to comply with rights asserted by you over the personal data that we process.  

Legal Obligation

§26 BDSG (Frankfurt office)

Please note that if you accept an offer from us, we will process further information as part of the employment relationship. We will provide you with our full Workplace Privacy Policy (European offices) as part of the on-boarding process.

Where the data comes from

When you apply to work for us, the initial data about you that we process is likely to come from you, for example, contact details, bank details and information on your immigration status and whether you can lawfully work.Where necessary and in accordance with this Policy, we will require references and information to carry out background checks.If you have concerns about this in a particular context, you should speak to your recruiter or our HR department.

Please note we may also receive data from third party recruiters, agents and similar organisations as a part of the recruitment process.

Who gets to see your data?

Internal use: Where necessary and as set out in this Policy, your personal data will be disclosed to relevant lawyers, HR and administrators for the purposes of your application as mentioned in this Policy. We will also disclose this to other Goodwin Procter affiliated undertakings where necessary for decision making regarding your application – this will depend on the type of role you are applying for.

External use: We will only disclose your personal data outside Goodwin if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.

We will disclose your data if it is necessary for our legitimate interests as a firm or the legitimate interests of a third party (but we will not do this if these interests are overridden by your interests or fundamental rights and freedoms).

We may also disclose your personal data based on your consent, or where we are required to do so by law, or in connection with criminal or regulatory investigations. 

Please note that when we disclose your data in such circumstances we will ensure that any necessary due diligence has been undertaken on the recipient and any necessary contractual documentation is in place to ensure the integrity and security of the data as required by law.

Specific circumstances in which your personal data may be disclosed include:

  • Disclosure to organisations that process data on our behalf, such as our payroll service, our bank and organisations that host or support our IT systems and data - this would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process;
  • Disclosure to third party recruitment consultants and similar businesses (including online recruitment portals) as a part of the recruitment process;
  • Disclosure to any regulator as necessary as part of the recruitment process;
  • In our UK offices, disclosure to a third party background report service provider for the purposes of conducting pre-employment screening in relation to the following areas (as applicable to the role you are applying for): education verification; previous employment verification; legal / bar admissions; criminal records; credit worthiness; standing and capacity; sex offender notification and disclosure scheme; insolvency; bankruptcy filings; and civil litigation.

We also use a third party HR management system which tracks your application and stores your personal data for us once you have made an application.

Retaining your personal data – more information

We will retain your personal data in line with our document retention policy, and in any event we will not keep it for longer than is necessary for our lawful purposes.

In general, if you are successful in becoming employed by us, we will keep your personal data for the duration of your employment and for a period afterwards.

If you are unsuccessful in gaining employment with us, we will likely keep your personal data for six months after informing you that you were unsuccessful. In considering how long to keep your data, we will take into account its relevance to our business and your potential employment either as a record or in the event of a legal claim. Your data may also be kept on file and considered for other roles. However, any criminal record data processed in accordance with applicable law will not be retained.

If your data is only useful for a short period, or we are only permitted by law to retain it for a specified period of time (for example, CCTV footage), we will delete it more frequently.

International transfers of personal data – more information

In connection with our business and for employment, administrative, management and legal purposes, we transfer your personal data outside the EEA (EU Member States, Iceland, Liechtenstein and Norway) or the UK (as applicable) to other Goodwin offices in our international network and to third parties, including to countries that may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located.

When we transfer your personal data to:

  • Goodwin offices located in the United States and Hong Kong, we do so in reliance on a data transfer agreement based on standard contractual clauses approved by the European Commission and/or the UK Government (“SCCs”). These Goodwin offices will from time to time transfer your personal data onward to third parties outside of the UK and the EEA in accordance with the terms of the SCCs;
  • Goodwin offices located in the EU or the UK, we do so were necessary in reliance on a decision by the European Commission or the UK government (as applicable) that the data privacy regimes of the EEA or the UK (as applicable) ensure an adequate level of protection (“Adequacy Decision”), so additional safeguards are not needed to transfer your personal data there; and
  • third parties located outside of the UK or the EEA, for example to our service providers, external recipients of electronic communications, other counsel, accountants, insurers and advisors, we do so in reliance on an Adequacy Decision, SCCs or your consent. 

If you wish to see details of these safeguards, please contact our Director, Human Resources - Europe & Asia.

Access to your personal data and other rights

We try to be as open as we reasonably can about personal data that we process. If you would like specific information, just ask us.

Under Article 15 of the GDPR / UK GDPR, you have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:

  • Giving you a description and copy of the personal data
  • Telling you why we are processing it

If you make a subject access request and there is any question about who you are (for example, the request comes from an email address that we do not recognise and which does not readily enable us to identify you), we may require you to provide information from which we can satisfy ourselves as to your identity and protect your personal information in case the request is not genuine.

As well as your subject access right, you have a legal right to have your personal data rectified (Art. 16 GDPR / UK GDPR) or erased (Art. 17 GDPR / UK GDPR), to object to its processing on grounds relating to your particular situation (Art. 21 GDPR / UK GDPR), or to have its processing restricted (Art. 18 GDPR / UK GDPR). If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller (Art. 20 GDPR / UK GDPR). This only applies if the ground for processing is consent or contract.

If we have relied on consent as a ground for processing, you may withdraw consent at any time (Art. 7 par. 3 GDPR / UK GDPR) – though if you do so that will not affect the lawfulness of what we did before you withdrew consent.

If we have relied on legitimate interests as a ground for processing, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, and we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims (Art. 21 GDPR / UK GDPR).

There are exceptions to these rights according to the GDPR, the UK GDPR and local laws. For example, it will not be possible for us to delete your data if we are required by law to keep it; and access to your data may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information.

If you are hired to work for our Paris office, you will have the right under French data protection laws to provide instructions regarding the management of your personal data after your death.

If you wish to exercise your rights, please contact your HR manager.

Complaints

If you have complaints relating to our processing of your personal data, you should raise these with HR in the first instance. You may also raise complaints with the relevant Data Protection Authority, as detailed below:

For the United Kingdom:

Information Commissioner’s Office (ICO). For contact and other details please contact our HR department or see: https://ico.org.uk/ICO.

For France:

Commission Nationale de l’Informatique et des Libertés (CNIL). For contact and other details please contact our HR department or see: https://www.cnil.fr/

For Frankfurt:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit. For contact and other details please contact our HR department or see: https://datenschutz.hessen.de/

For Luxembourg:

Commission nationale pour la protection des données (CNPD). For contact and other details please contact our HR department or see: https://cnpd.public.lu

Status of this policy

This Policy does not form part of any contract of employment that you may enter into with us and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this notice is intended to create an employment relationship between any Goodwin entity and any non-employee.