Goodwin Recruitment Privacy Policy – London and Frankfurt

Last updated January 23, 2019

Scope of Privacy Policy

Like most businesses, we hold and process a wide range of information, which relates to the individuals who apply and those we recruit to work for us. This Policy explains the type of information we process, why we are processing it and how that processing may affect you. We have a separate Workplace Privacy Policy that applies to our current and former employees.

This Policy also includes the Supplementary Information contained in Appendix A, wherein we explain what we mean by “personal data”, “processing”, “special categories of personal data” and other terms used in this Policy. 

In brief, this policy explains:

  • what personal data we hold and why we process it;
  • the legal grounds that allow us to process your personal data;
  • where the data comes from, who gets to see it and how long we keep it;
  • how to access your personal data and other rights; and
  • how to contact us.

Personal Data – What We Hold and Why We Process It

We process data for the purposes of our business, including recruitment, management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes, on the type of data that may be processed and on the grounds on which we process data in the context of recruitment. See What are the legal grounds for processing? and Further information on the data we process and our purposes.

Where Data Comes From and Who Gets to See It

Some of the personal data that we process about you comes from you. For example, you tell us your contact details and work history. If you are joining us, you may provide your banking details.

Other personal data may come from third parties, such as recruiters acting on your behalf or from your references. 

Your personal data will be seen internally by administrators, HR, lawyers or managers involved in the interview and decision-making process, and, in some circumstances (if you join us), colleagues.  We will, where necessary and as set out in this Policy, also pass your data outside the firm, for example to people you are dealing with and payroll agencies. 

Further information on this is provided in the Supplementary Information. See Where the data comes from and Who gets to see your data?

How Long Do We Keep Your Personal Data? 

We keep your personal data in line with our document retention policy, and in any event we will not retain it for longer than is necessary for our lawful purposes. In general, if you become employed by us, we will keep your personal data for the duration of your employment and for a period afterwards, as described in our document retention policy. If you are unsuccessful in gaining employment with us, we will likely keep your personal data for a short period after informing you that you were unsuccessful. Your data may be kept on file in order to consider you for other roles in future.

See Retaining your personal data – more information in the Supplementary Information.

Transfers of Personal Data Outside the EEA

We may transfer your personal data outside the EEA to other Goodwin offices in our international network and processors in the United States and Hong Kong.

Further information on these transfers and the measures taken to safeguard your data are set out in the Supplementary Information under Transfers of personal data outside the EEA – more information.

Your Data Rights

You have a right to make a subject access request to receive information about the personal data that we process about you. Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your personal data.

Contact Details

In processing your personal data, we act as a data controller. Our contact details are set out below:

Goodwin Procter (UK) LLP
100 Cheapside
London EC2V 6DT
dataprivacy@goodwinlaw.com

Goodwin Procter LLP
TaunusTurm, Taunustor 1
60310 Frankfurt am Main
dataprivacy@goodwinlaw.com

Status of This Policy

This Policy does not form part of any contract of employment you might enter into and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this Policy is intended to create an employment relationship between any Goodwin entity and any non-employee. 

Appendix A: Supplementary Information

What Do We Mean by “Personal Data” and “Processing”?

“Personal data” is information relating to you (or from which you may be identified). It includes not only facts about you, but also intentions and opinions about you.

"Processing" means doing anything with the personal data, whether or not by automated means, such as collecting, holding, disclosing and deleting the data. Examples of personal data processed automatically include information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building and sound and image data such as CCTV or photographs. 

The General Data Protection Regulation (the “GDPR”) applies to the processing of personal data by automated means and otherwise when that data forms (or is intended to form) part of a filing system.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by the GDPR to be “special categories of personal data”.

References in this Policy to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your potential employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of this Policy. 

What Are The Legal Grounds For Processing?

Under the GDPR, there are various grounds on which we can rely when processing your personal data. In some contexts more than one ground applies. We have summarised these grounds as Contract, Legal Obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. When processing your personal data for the purpose of recruitment in our Frankfurt office, we also rely on §26 of the German Bundesdatenschutzgesetz (BDSG), which applies to data processing for employment related purposes.

Term  Ground for Processing  Explanation 
Contract  Processing necessary for performance of a contract with you or to take steps at your request to enter a contract  This covers carrying out our contractual duties and exercising our contractual rights.  
Legal Obligation  Processing necessary to comply with our legal obligations   Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination or responding to relevant regulators, immigration authorities or other government departments. 
Legitimate Interests  Processing necessary for our or a third party’s legitimate interests 

We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data.

Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests, rights and freedoms.  

Consent  You have given specific consent to processing your data  In general, processing your data in connection with employment is not conditional on your consent (even for processing special categories of personal data). But there may be occasions where we do specific things such as provide a reference and rely on your consent to our doing so.   

Processing Special Categories of Personal Data

If we process special categories of personal data about you (for example (but without limitation), storing your health records to assist us in ensuring that we can provide you with a healthy and safe workplace or processing personal data relating to diversity monitoring), as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing such data applies. In outline, these include:  

  • Processing necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement; 
  • Processing relating to data about you that you have made public (e.g., if you tell colleagues that you are ill); 
  • Processing necessary for the purpose of establishing, making or defending legal claims;
  • Processing necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity;
  • Processing for equality and diversity purposes to the extent permitted by law; and
  • Processing for which you have given us your explicit consent.

Further Information on the Data We Process and Our Purposes

This Policy outlines the purposes for which we process your personal data. More specific information on these, including examples of the personal data that may be processed and the grounds on which we process such data, are included in the table below for illustrative purposes and are not meant to be exhaustive.

Purpose  Examples of personal data that may be processed  Grounds for processing 
Recruitment in relation to any job for which you apply, we recruit you for and/or any job we think you might be suitable for in the future  Standard data related to your identity (e.g., your name, address, email address, ID information and documents, telephone numbers, place of birth, nationality, contact details, professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information) language skills, and any other personal data that you present us with as part of your application related to the fulfilment of the role, which may include special categories of personal data, such as race.

Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks (for example, checks against the insolvency register and education verification) and any information connected with your right to work in the UK.

If necessary, we will also process information concerning your health and/or any disability in connection with any adjustments needed to working arrangements. 

Consent

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Administering our recruitment process  Evaluating your experience and qualifications against the requirements of the position you are applying for (or any future job for which we think you are suitable).

Administering our online careers portal.

Communicating with you in respect of any offer of employment we choose to make and providing you with information about our onboarding process.  

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Conducting pre-employment screening to assess your suitability for employment and to comply with our regulatory obligations  Criminal records, national insurance numbers, credit worthiness, standing and capacity, sex offender records, insolvency records, education records, previous employment records, legal admissions, bankruptcy filings, civil litigation history, media publications, certificates of good standing.

Contract

Legal Obligation

Legitimate Interest

Consent

§26 BDSG (Frankfurt office)

Entering into a contract with you (if you are made an offer by us)  Information on your terms of employment from time to time, including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance, and any bonus or share schemes.  

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Contacting  you or others on your behalf  Your address and phone number, emergency contact information and information on your next of kin. 

Contract

Legitimate Interests

§26 BDSG (Frankfurt office)

Payroll administration 

Information on your bank account, pension contributions and on tax and national insurance

Your national insurance number or other government issued identifier. 

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Financial planning and budgeting  Information such as your proposed salary and (if applicable) envisaged bonus levels.  

Legitimate Interests

§26 BDSG (Frankfurt office)

Physical and system security 

CCTV images upon attendance for interview at our premises.

Monitoring and checking the security of our systems. 

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Providing information to third parties in connection with transactions that we contemplate or carry out  Information on any offer made to you and your proposed contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer. 

Legitimate Interests

§26 BDSG (Frankfurt office)

Monitoring of diversity and equal opportunities   Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age as part of diversity monitoring initiatives. Such data will aggregated and used for equality of opportunity monitoring purposes.  

Legitimate Interests

§26 BDSG (Frankfurt office)

Disputes and legal proceedings  Any information relevant or potentially relevant to a dispute or legal proceeding affecting us. 

Legitimate Interests

Legal Obligation

§26 BDSG (Frankfurt office)

Complying with data subject rights  Processing necessary to comply with rights asserted by you over the personal data that we process 

Legal Obligation

§26 BDSG (Frankfurt office)

Please note that if you accept an offer from us, we will process further information as part of the employment relationship. We will provide you with our full Workplace Privacy Policy as part of the on-boarding process. 

Where the Data Comes From

When you apply to work for us, the initial data about you that we process is likely to come from you:for example, contact details, bank details and information on your immigration status and whether you can lawfully work. Where necessary and in accordance with this Policy, we will require references and information to carry out background checks. If you have concerns about this in a particular context, you should speak to your recruiter or our HR department.

Please note we may also receive data from third party recruiters, agents and similar organisations as a part of the recruitment process. 

Who Gets to See Your Data?

Internal use: Where necessary and as set out in this Policy, your personal data will be disclosed to relevant lawyers, HR and administrators for the purposes of your application as mentioned in this document. We will also disclose this to other Goodwin affiliated undertakings where necessary for decision making regarding your application – this will depend on the type of role you are applying for.

External use: We will only disclose your personal data outside Goodwin if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.

We will disclose your data if it is necessary for our legitimate interests as a firm or the interests of a third party (but we will not do this if these interests are over-ridden by your interests and legal rights in relation to privacy). 

We may also disclose your personal data based on your consent, or where we are required to do so by law, or in connection with criminal or regulatory investigations.  

Please note that when we disclose your data in such circumstances we will ensure that any necessary due diligence has been undertaken on the recipient and any necessary contractual documentation is in place to ensure the integrity and security of the data as required by law.

Where necessary and as set out in this Policy, your personal data will be disclosed to relevant lawyers, HR and administrators for the purposes of your application as mentioned in this document.  We will also disclose this to other Goodwin affiliated undertakings where necessary for decision making regarding your application – this will depend on the type of role you are applying for.

Specific circumstances in which your personal data may be disclosed include:

  • Disclosure to organisations that process data on our behalf, such as our payroll service, our bank and organisations that host or support our IT systems and data - this would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process;
  • To third party recruitment consultants and similar businesses (including online recruitment portals) as a part of the recruitment process;
  • Disclosure to any regulator as necessary as part of the recruitment process;
  • In our London office, disclosure to our third party background report service provider for the purposes of conducting pre-employment screening in relation to the following areas (as applicable to the role you are applying for and the office you are applying to work in):
    • Criminal records;
    • National Insurance number;
    • Credit worthiness, standing and capacity;
    • Sex offender notification and disclosure scheme;
    • Insolvency;
    • Education verification;
    • Previous employment verification;
    • Bar admissions;
    • Bankruptcy filings;
    • Civil litigation; and
    • Media searches.

We also use a third party HR management system which tracks your application and stores your personal data for us once you have made an application.

Retaining Your Personal Data – More Information

We will retain your personal data in line with our document retention policy, and in any event we will not keep it for longer than is necessary for our lawful purposes.

In general, if you are successful in becoming employed by us, we will keep your personal data for the duration of your employment and for a period afterwards. 

If you are unsuccessful in gaining employment with us, we will likely keep your personal data for a short period after informing you that you were unsuccessful. In considering how long to keep your data, we will take into account its relevance to our business and your potential employment either as a record or in the event of a legal claim. Your data may also be kept on file and considered for other roles.

Personal data relating to job applicants (other than the person who is successful) will normally be deleted after 6 months.

Transfers Of Personal Data Outside The EEA – More Information

In connection with our business and for employment, administrative, management and legal purposes, we transfer your personal data outside the EEA to authorised members of our affiliated firms and data processors in the US and Hong Kong. We ensure that the transfers are lawful and that there are appropriate security arrangements in place.

When we transfer your personal data to Goodwin offices outside of the EEA, we do so in reliance on data transfer agreements based on standard terms adopted by the European Commission to ensure appropriate and suitable safeguards for the transfer of personal data outside of the EEA.

When we transfer your personal data to data processors located in the US and Hong Kong, we do so in reliance on data transfer agreements based on standard terms adopted by the European Commission to ensure appropriate and suitable safeguards for the transfer of personal data outside of the EEA or on the US Privacy Shield. 

If you wish to see details of these safeguards, please ask our Director of International HR or her designee.

Access To Your Personal Data And Other Rights

We try to be as open as we reasonably can about personal data that we process. If you would like specific information, just ask us.

Under article 15 of the GDPR, you have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:

  • Giving you a description and copy of the personal data
  • Telling you why we are processing it

If you make a subject access request and there is any question about who you are (for example, the request comes from an email address that we do not recognise and which does not readily enable us to identify you), we may require you to provide information from which we can satisfy ourselves as to your identity and protect your personal information in case the request is not genuine.

As well as your subject access right, you have a legal right to have your personal data rectified (Art. 16 GDPR) or erased (Art. 17 GDPR), to object to its processing on grounds relating to your particular situation (Art. 21 GDPR), or to have its processing restricted (Art. 18 GDPR). If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller (Art. 20 GDPR). This only applies if the ground for processing is Consent or Contract.

If we have relied on consent as a ground for processing, you may withdraw consent at any time (Art. 7 par. 3 GDPR) – though if you do so that will not affect the lawfulness of what we did before you withdrew consent.

If we have relied on legitimate interests as a ground for processing, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, and we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims (Art. 21 GDPR).

There are exceptions to these rights according to the GDPR and local laws. For example, it will not be possible for us to delete your data if we are required by law to keep it; and access to your data may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information.

If you wish to exercise your rights, please contact your HR manager.

Complaints 

If you have complaints relating to our processing of your personal data, you should raise these with HR in the first instance. You may also raise complaints with the relevant Data Protection Authority, as detailed below:

For the United Kingdom:

Information Commissioner’s Office (ICO). For contact and other details ask HR or see: https://ico.org.uk/.

For Frankfurt:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit. For contact and other details ask HR or see: https://datenschutz.hessen.de/

Status of this Policy

This Policy does not form part of any contract of employment that you may enter into with us and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this notice is intended to create an employment relationship between any Goodwin entity and any non-employee.