Goodwin Recruitment Privacy Policy – UK and Frankfurt

Last updated March 10, 2020

Scope of Privacy Policy

Like most businesses, we hold and process a wide range of information, which relates to the individuals who apply and those we recruit to work for us. This Policy explains the type of information we process, why we are processing it and how that processing may affect you. We have a separate Workplace Privacy Policy that applies to our current and former employees.

This Policy also includes the Supplementary Information contained in Appendix A, wherein we explain what we mean by “personal data”, “processing”, “special categories of personal data” and other terms used in this Policy. 

In brief, this policy explains:

  • what personal data we hold and why we process it;
  • the legal grounds that allow us to process your personal data;
  • where the data comes from, who gets to see it and how long we keep it;
  • how to access your personal data and other rights; and
  • how to contact us.

Personal Data – What We Hold and Why We Process It

We process data for the purposes of our business, including recruitment, management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes, on the type of data that may be processed and on the grounds on which we process data in the context of recruitment. See What are the legal grounds for processing? and Further information on the data we process and our purposes.

Where Data Comes From and Who Gets to See It

Some of the personal data that we process about you comes from you. For example, you tell us your contact details and work history. If you are joining us, you may provide your banking details. 

Other personal data may come from third parties, such as recruiters acting on your behalf or from your references. 

Your personal data will be seen internally by administrators, HR, lawyers and managers involved in the interview and decision-making process, and, in some circumstances (if you join us), colleagues. We will, where necessary and as set out in this Policy, also pass your data outside the firm, for example to people you are dealing with and payroll agencies. 

Further information on this is provided in the Supplementary Information. See Where the data comes from and Who gets to see your data?

How Long Do We Keep Your Personal Data? 

We keep your personal data in line with our document retention policy, and in any event we will not retain it for longer than is necessary for our lawful purposes. In general, if you become employed by us, we will keep your personal data for the duration of your employment and for a period afterwards, as described in our document retention policy. If you are unsuccessful in gaining employment with us, we will likely keep your personal data for a short period after informing you that you were unsuccessful.

See Retaining your personal data – more information in the Supplementary Information.

Transfers of Personal Data Outside the EEA

We may transfer your personal data outside the EEA to other Goodwin offices in our international network and to third parties, who provide services to us and to you.

Further information on these transfers and the measures taken to safeguard your data are set out in the Supplementary Information under Transfers of personal data outside the EEA – more information.

Your Data Rights

You have a right to make a subject access request to receive information about the personal data that we process about you. Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your personal data.

Contact Details

In processing your personal data, we act as a data controller. This means that we determine the purposes and means of the processing of your personal data. In most cases, the data controller for your personal data will be the Goodwin entity to which you apply for work.  Our contact details are set out below:

For London:

Goodwin Procter (UK) LLP
100 Cheapside
London EC2V 6DT
dataprivacy@goodwinlaw.com

For Cambridge:

Goodwin Procter (UK) LLP
50-60 Station Rd
Cambridge CB1-2JH
dataprivacy@goodwinlaw.com

For Frankfurt:

Goodwin Procter LLP
TaunusTurm, Taunustor 1
60310 Frankfurt am Main
dataprivacy@goodwinlaw.com

Status of This Policy

This Policy does not form part of any contract of employment you might enter into and does not create contractual rights or obligations.  It may be amended by us at any time. Nothing in this Policy is intended to create an employment relationship between any Goodwin entity and any non-employee. 

Appendix A: Supplementary Information

What Do We Mean by “Personal Data” and “Processing”?

“Personal data” is information relating to a natural person, from which such person may be identified.  It includes not only facts about you, but also intentions and opinions. 

"Processing" means doing anything with the personal data, whether or not by automated means, such as collecting, holding, disclosing and deleting the data. Examples of personal data processed automatically include information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building and sound and image data such as CCTV or photographs. 

The EU General Data Protection Regulation (the “GDPR”) applies to the processing of personal data by automated means and otherwise when that data forms (or is intended to form) part of a filing system.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by the GDPR to be “special categories of personal data”.

References in this Policy to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your potential employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of this Policy. 

What Are The Legal Grounds For Processing?

Under the GDPR, there are various grounds on which we can rely when processing your personal data.  In some contexts more than one ground applies.  We have summarised these grounds as Contract, Legal Obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. When processing your personal data for the purpose of recruitment in our Frankfurt office, we also rely on §26 of the German Bundesdatenschutzgesetz (BDSG), which applies to data processing for employment related purposes.

Term  Ground for Processing  Explanation 
Contract  Processing necessary for performance of a contract with you or to take steps at your request to enter a contract This covers carrying out our contractual duties, exercising our contractual rights and taking the necessary steps to prepare your employment contract.  
Legal Obligation  Processing necessary to comply with our legal obligations   Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work, avoiding unlawful discrimination, and responding to relevant regulators, immigration authorities or other government departments.
Legitimate Interests  Processing necessary for our or a third party’s legitimate interests 

We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data.

Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests or fundamental rights and freedoms.

Consent  You have given specific consent to processing your data  In general, processing your data in connection with employment is not conditional on your consent (even for processing special categories of personal data). But there may be occasions where we do specific things such as provide a reference and rely on your consent to our doing so.  

Processing Special Categories of Personal Data

If we process special categories of personal data about you, as well as ensuring that one of the legal grounds for processing listed in the table above applies, we will make sure that the processing is: 

  • necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement;
  • related to data about you that you have made manifestly public (e.g., if you tell colleagues that you are ill);
  • necessary for the purpose of establishing, making or defending legal claims;
  • necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity;
  • for equality and diversity purposes to the extent permitted by law; or
  • subject to us your explicit consent.

If we decide to hire you, where required or permitted by applicable local law, we will collect the following special categories of personal data:

London and Cambridge offices:

  • data needed to allow us to comply with relevant employment laws, such as processing details of your disability in order to provide you with reasonable adjustments, processing information relating to your illness or pregnancy to process statutory payments or maintaining appropriate health and safety records;
  • data necessary to identify or review the equality of opportunity afforded to our staff;
  • data necessary to identify suitable candidates and promote and maintain diversity in senior positions in the organisations; and
  • data necessary in connection with any legal proceedings, in order to obtain any legal advice or otherwise as necessary to establish, exercise or defend a legal claim.

Frankfurt office:

  • details of any disability or incapacity; medical and sickness certificates; and medical data and other documents required to confer special benefit status, where applicable;
  • your medical leave information and related medical certificates; and
  • information about your religion if required for tax purposes and in compliance with German law and trade union affiliation, if you have informed us of your trade union membership and/or asked us to make payments to trade unions or for religious tax on your behalf.

Further Information on the Data We Process and Our Purposes

This Policy outlines the purposes for which we process your personal data. More specific information on these purposes, including examples of the personal data that may be processed and the grounds on which we process such data, are included in the table below for illustrative purposes and are not meant to be exhaustive.

Purpose  Examples of personal data that may be processed  Grounds for processing 
Recruitment in relation to any job for which you apply, we recruit you for and/or any job we think you might be suitable for in the future 

Standard data related to your identity, e.g., your name, address, email address, ID information and documents, telephone numbers, place of birth, nationality, contact details, and professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information), language skills, and any other personal data that you present us with as part of your application, related to the fulfilment of the role, which may include special categories of personal data, such as race.

Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks (see below) and any information connected with your right to work in the UK.

If necessary, we will also process information concerning your health and/or any disability in connection with any adjustments needed to working arrangements.

Consent

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Administering our recruitment process 

Your experience and qualifications for the position you are applying for (or any future job for which we think you are suitable). 

Data you enter into our online careers portal. 

Communications with you in respect of any offer of employment we choose to make and providing you with information about our onboarding process.   

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Conducting pre-employment screening to assess your suitability for employment

Criminal records, credit worthiness, standing and capacity, sex offender records, insolvency records, bankruptcy filings, civil litigation history and national insurance numbers (UK offices).

Certificate of Conduct issued by the German Federal Office of Justice and credit rating from SCHUFA (Frankfurt office)

Education records, previous employment records, legal admissions, certificates of good standing/conduct and media publications (all offices).

Contract

Legitimate Interest

Legal obligation

Consent

§26 BDSG (Frankfurt office)

Entering into a contract with you (if you are made an offer by us) 

Information on your terms of employment from time to time, including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance, and any bonus schemes.

 

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Contacting  you or others on your behalf  Your address and phone number, emergency contact information and information on your next of kin. 

Contract

Legitimate Interests

§26 BDSG (Frankfurt office)

Payroll administration  Information on your bank account, pension contributions and tax, national insurance, social security numbers or other government issued identifier.

Contract

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Financial planning and budgeting  Information such as your proposed salary and (if applicable) envisaged bonus levels.  

Legitimate Interests

§26 BDSG (Frankfurt office)

Physical and system security 

CCTV images upon attendance for interviews at our premises.

Legal Obligation

Legitimate Interests

§26 BDSG (Frankfurt office)

Providing information to third parties in connection with transactions that we contemplate or carry out  Information on any offer made to you and your proposed contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer.

Legitimate Interests

§26 BDSG (Frankfurt office)

Monitoring of diversity and equal opportunities   Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age. Such data will aggregated and used for equality of opportunity monitoring purposes. 

Legitimate Interests

§26 BDSG (Frankfurt office)

Disputes and legal proceedings  Any information relevant or potentially relevant to a dispute or legal proceeding affecting us. 

Legitimate Interests

Legal Obligation

§26 BDSG (Frankfurt office)

Complying with data subject rights  Information necessary to comply with rights asserted by you over the personal data that we process.

Legal Obligation

§26 BDSG (Frankfurt office)

 

Please note that if you accept an offer from us, we will process further information as part of the employment relationship. We will provide you with our full Workplace Privacy Policy (EU offices) as part of the on-boarding process.

Where the Data Comes From

When you apply to work for us, the initial data about you that we process is likely to come from you, for example, contact details, bank details and information on your immigration status, and whether you can lawfully work.  Where necessary and in accordance with this Policy, we will require references and information to carry out background checks. If you have concerns about this in a particular context, you should speak to your recruiter or our HR department. 

Please note we may also receive data from third party recruiters, agents and similar organisations as a part of the recruitment process. 

Who Gets to See Your Data?

Internal use: Where necessary and as set out in this Policy, your personal data will be disclosed to relevant lawyers, HR and administrators for the purposes of your application as mentioned in this document.  We will also disclose this to other Goodwin Procter affiliated undertakings where necessary for decision making regarding your application – this will depend on the type of role you are applying for.

External use: We will only disclose your personal data outside Goodwin if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.  

We will disclose your data if it is necessary for our legitimate interests as a firm or the interests of a third party (but we will not do this if these interests are overridden by your interests or fundamental rights and freedoms). 

We may also disclose your personal data based on your consent, or where we are required to do so by law, or in connection with criminal or regulatory investigations.  

Please note that when we disclose your data in such circumstances we will ensure that any necessary due diligence has been undertaken on the recipient and any necessary contractual documentation is in place to ensure the integrity and security of the data as required by law.

Specific circumstances in which your personal data may be disclosed externally include:

  • Disclosure to organisations that process data on our behalf, such as our payroll service, our bank and organisations that host or support our IT systems and data -  this would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process;
  • Disclosure to third party recruitment consultants and similar businesses (including online recruitment portals) as a part of the recruitment process;
  • Disclosure to any regulator as necessary as part of the recruitment process;
  • In our London and Cambridge offices, disclosure to our third party background report service provider for the purposes of conducting pre-employment screening in relation to the following areas (as applicable to the role you are applying for):
    • Criminal records;
    • National Insurance number;
    • Credit worthiness, standing and capacity;
    • Sex offender notification and disclosure scheme;
    • Insolvency;
    • Education verification;
    • Previous employment verification;
    • Bar admissions;
    • Bankruptcy filings;
    • Civil litigation; and
    • Media searches.

We also use a third party HR management system which tracks your application and stores your personal data for us once you have made an application.

Retaining Your Personal Data – More Information

We will retain your personal data in line with our document retention policy, and in any event we will not keep it for longer than is necessary for our lawful purposes. 

In general, if you are successful in becoming employed by us, we will keep your personal data for the duration of your employment and for a period afterwards. 

If you are unsuccessful in gaining employment with us, we will likely keep your personal data for six months after informing you that you were unsuccessful. In considering how long to keep your data, we will take into account its relevance to our business and your potential employment either as a record or in the event of a legal claim. Your data may also be kept on file and considered for other roles. However, your criminal record data will not be retained.

Transfers Of Personal Data Outside The EEA – More Information

In connection with our business and for employment, administrative, management and legal purposes, we transfer your personal data outside the EEA (EU Member States, Iceland, Liechtenstein and Norway and the United Kingdom during the Brexit transition period) to other Goodwin offices in our international network and to third parties, including to countries that may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located.

When we transfer your personal data to Goodwin offices outside of the EEA, we do so in reliance on a data transfer agreement based on standard contractual clauses approved by the European Commission to ensure appropriate and suitable safeguards for the transfer of personal data outside of the EEA. These Goodwin offices may from time to time transfer your personal data onward to other third parties outside of the EEA, in accordance with the terms of our data transfer agreement.   

When we transfer your personal data to third parties located outside of the EEA, for example to our service providers, external recipients of electronic communications, other counsel, accountants, insurers and advisors, such transfers are done only in reliance on a decision of the European Commission that the non-EEA country ensures an adequate level of protection; data transfer agreements based on standard contractual clauses; certification under the EU-US Privacy Shield; or your consent. 

If you wish to see details of these safeguards, please ask our Director of International HR.

Access To Your Personal Data And Other Rights

We try to be as open as we reasonably can about personal data that we process. If you would like specific information, just ask us.

Under Article 15 of the GDPR, you have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:

  • Giving you a description and copy of the personal data
  • Telling you why we are processing it

If you make a subject access request and there is any question about who you are (for example, the request comes from an email address that we do not recognise and which does not readily enable us to identify you), we may require you to provide information from which we can satisfy ourselves as to your identity and protect your personal information in case the request is not genuine.

As well as your subject access right, you have a legal right to have your personal data rectified (Art. 16 GDPR) or erased (Art. 17 GDPR), to object to its processing on grounds relating to your particular situation (Art. 21 GDPR), or to have its processing restricted (Art. 18 GDPR).  If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller (Art. 20 GDPR).  This only applies if the ground for processing is consent or contract.

If we have relied on consent as a ground for processing, you may withdraw consent at any time (Art. 7 par. 3 GDPR) – though if you do so that will not affect the lawfulness of what we did before you withdrew consent.

If we have relied on legitimate interests as a ground for processing, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, and we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims (Art. 21 GDPR).

There are exceptions to these rights according to the GDPR and local laws. For example, it will not be possible for us to delete your data if we are required by law to keep it; and access to your data may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information.

If you wish to exercise your rights, please contact your HR manage

Complaints 

If you have complaints relating to our processing of your personal data, you should raise these with HR in the first instance. You may also raise complaints with the relevant Data Protection Authority, as detailed below:

For the United Kingdom:

Information Commissioner’s Office (ICO). For contact and other details please contact our HR department or see: https://ico.org.uk/ICO.

For Frankfurt:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit. For contact and other details please contact our HR department or see: https://datenschutz.hessen.de/

Status of this Policy

This Policy does not form part of any contract of employment that you may enter into with us and does not create contractual rights or obligations.  It may be amended by us at any time. Nothing in this notice is intended to create an employment relationship between any Goodwin entity and any non-employee.