Recruitment Privacy Notice

Last updated: May 21, 2024

This Recruitment Privacy Notice (“Notice”) applies to all job applicants, whether on a part-time, temporary or full-time basis, and including roles for a position as contingent worker, contractor, intern or trainee (“Applicants”).

For the avoidance of doubt nothing in this Notice shall be construed as forming part of a contractual relationship between us, whether or not your application is successful.

Table of contents

1. Introduction
2. Personal data we collect and process when you apply for a position with us
3. How we use your personal data (our purposes) and our legal basis for processing it
4. Who we share your personal data with
5. How we keep your personal data secure
6. International data transfers
7. Data retention
8. Your data protection rights
9. Updates to this Notice
10. How to contact us

We recommend that you read this Notice in full to ensure you are completely informed about how we collect, process, share and protect your personal data. However, if you only want to access a particular section of this Notice, then you can click on the relevant link above to jump to that section.

1. Introduction

Bloomreach, Inc. and its subsidiaries("Bloomreach", "we" [or "us"]) has issued this Notice to describe how we handle personal data that we hold about Applicants (collectively referred to as "you"). We respect the privacy rights of individuals and are committed to handling personal data responsibly and in accordance with applicable law. This Notice sets out the personal data that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.

This Notice applies to all of Bloomreach's parent company, entities, operating divisions, subsidiaries, affiliates, and branches and any additional subsidiary, affiliate, or branch of [Client] that we may subsequently form. If you are making an application for employment or to be engaged in a contract of service in the EEA or UK, the entity that employs or engages you will be the controller of your personal data.

If you are accepted for a role at Bloomreach, the information collected during the recruitment process will form part of your ongoing staff member record and will be processed in accordance with our Employee Privacy Policy.

If you are not successful, we may still keep your application and related information to allow us to consider you for other suitable openings within Bloomreach in the future unless you request that we delete your data in accordance with the information set out under the "Data retention" heading below.

If you are in any doubt regarding our processing of your data, or have any comments or questions about this Notice, then please contact us using the contact details under the “How to contact us heading below.

2. Personal data we collect and process when you apply for a position with us

We collect personal data about you when you apply for a position with us and during the recruitment process.

Sources of personal data

We collect this personal data from the following different sources:

• Information that you provide directly
  
  We collect personal data directly from you when you submit your Application. This could be by an application sent via an online application portal, our website or by sending your application directly to a member of our staff. In connection with the recruitment process you may also choose to provide us with further personal information through any of these channels.
• Information from third parties
  
  Where a third party is representing you or has contacted you on our behalf, including recruitment agencies and third party recruitment platforms, such third parties may provide your personal data to us. We may also receive (or solicit) personal data from academic institution(s) with whom you have indicated you are or were affiliated in order to confirm your qualifications, as well as your nominated referees with whom we may communicate in order to obtain information about your previous employment or character. Where necessary and permitted by law, we may use background checking agencies to confirm whether you have any criminal convictions and to confirm that you are legally entitled to work in the country from where we are recruiting.
• Information that we collect indirectly
  
  We collect your personal data indirectly, including through automated means, via our online application portal and website. Such information includes your IP address and information about the device used to complete and make your application. Some of the information we collect indirectly is captured using cookies and other tracking technologies. For further information about the types of cookies we use, why, and how you can control cookies, please see our Cookie Notice.
• Information that we collect from publicly available sources
  
  We collect information about you from social media platforms aimed at making professional connections such as Linkedin where you have made information available about yourself.
• Information that we create
  
  During the recruitment process we may create information pertaining to your Application such as interview notes, feedback, internal communications and communications with your directly.

Categories of personal data

The table below describes the categories of personal data we may collect from and about you through our application process.

Data Categories	Personal Data Description	Source
Contact Data	Name or alias, home address, personal telephone number and personal email addresses.	- Directly from you
Application Information, Professional and Academic Data	May include: Position applied for, age, date of birth, gender, pronouns, compensation and salary data, eligibility for and participation in benefit schemes and CV/résumé information such as previous roles, job descriptions, responsibilities and assignments, years of service, security clearance status, education, academic/professional qualifications and experience.	- Directly from you
Interview and selection notes	Notes made by interviewers or other staff in connection with your application.	- Directly from you - Third parties - Information that we create
Sensitive Personal Data	May include: Information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, information about your health (including mental health) and disability, or sexual orientation.	- Directly from you
Background Checks	May include: Criminal records data, results of reference checks and screening such as verification of education and employment history, screening checks such as against politically exposed persons registers, disbarment checks and other searches relevant to the role for which you are applying.	- Directly from you - Third parties
Nationality, Citizenship and Right to Work Information	Nationality and country of birth, citizenship and right to work information, government identification documents (including passports and residency permits) and, where relevant, visa information.	- Directly from you
Communication Data	Communications between us and you in relation to your application and the application process.	- Directly from you - Automatic collection - Information that we create
Social Media Data	Details that you have provided in your application about your social media handle and information about you that you have made public on your social media account.	- Directly from you - Third parties
IT Data	Information collected through our recruitment portal and website (including by means of cookies and similar tracking technology, such as IP addresses, log files and login information). IT Data may also include inferred location based on your IP address or activities, device identifiers associated with your computer or device, mobile carrier and related information and activity logs generated when you navigate our recruitment portal and website.	- Automatic collection
Security and Access Data	Closed-circuit television (CCTV) footage in public or common areas on or near our premises (such as in car parking areas and in which case footage may include vehicle licence plates). It may also include other information obtained through electronic means such as security records (e.g. swipe card records, building entry / exit data to which Bloomreach may from time to time have access) and if you are visiting a premises, physical or electronic guest book information containing name, [photograph], vehicle licence plate and person(s) you are visiting).	- Automatic collection - Third parties (where used for CCTV, security and access systems)

3. How we use your personal data (our purposes) and our lawful basis for processing it

We use the personal data that we collect from and about you only for the purposes described in this Notice. The following table provides more details on our purposes for processing your personal data and the related legal bases. The legal basis under which your personal information is processed will depend on the data concerned and the specific context in which we collect it.

Purpose/Activity	Type of personal data	Lawful basis
To communicate with Applicants during the course of the recruitment process	Contact Data Communications Data IT Data Social Media Data	- Legitimate interests of managing Applications for positions with us.
To assess suitability of applicants for the role they have applied for	Contact Data Application Information, Professional and Academic Data Interview and selection notes Communication Data Social Media Data	- Legitimate interests of managing Applications for positions with us.
To maintain Applicant records	Contact Data Application Information, Professional and Academic Data Interview and selection notes Background Checks Nationality, Citizenship and Right to Work Information Communication Data	- Legitimate interests of managing Applications for positions with us.
Determine your eligibility to work	Nationality, Citizenship and Right to Work Information	- Legal obligation
To conduct criminal record and background checks	Background Checks	- Legitimate interests of managing Applications for positions with us or with consent (where required by applicable local law)
To calculate proposed salary and assess eligibility for certain benefits	Contact Data Application Information, Professional and Academic Data Interview and selection notes Communication Data	- Legitimate interests of managing Applications for positions with us
To enter into employment contracts or other contractual engagements	Contact Data Communication Data	- To take steps to enter into a contract with successful Applicants
To monitor and improve our application process	Contact Data Application Information, Professional and Academic Data Interview and selection notes Background Checks Nationality, Citizenship and Right to Work Information Communication Data IT Data	- Legitimate interest of reviewing and updating our application process
Physical and system security	Security and Access Data IT Data Including CCTV images and records of use of swipe and similar entry cards / systems if you visit our premises such as to attend an interview.	- Legitimate interest of ensuring the security of our systems and premises
Monitoring of diversity and equal opportunities	Sensitive Personal Data Specifically, to the extent required or permitted by local law, information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, philosophical beliefs, disability, age and other diversity markers.	- Legal obligations - Public interest - Consent
Address access needs and if an Applicant is successful to make workplace adjustments	Contact Data Sensitive personal data	- Legal obligations - Consent
Disputes and legal proceedings	Contact Data Application Information, Professional and Academic Data Interview and selection notes Background Checks Nationality, Citizenship and Right to Work Information Communication Data IT Data Security and access data Any other information relevant or potentially relevant to a dispute or legal proceeding affecting us.	- Legitimate interests - Legal obligation

Lawful basis for processing descriptions

Lawful basis	Description
Contract	We require certain personal data for the purpose of taking steps prior to entering into an employment contract or other contractual engagement with you.
Consent	In certain circumstances, we may ask for your consent (separately from any contract between us) before we collect, use, or disclose your personal data, in which case you can voluntarily choose to give or deny your consent without any negative consequences to you.
Legitimate interests	We may collect, use or disclose your personal data for the legitimate interests of either Bloomreach or a third party, but only when we are confident that your privacy rights will remain appropriately protected. If we rely on our (or a third party's) legitimate interests, these interests will normally be to manage job applications and offers for positions with us and to communicate with Applicants in connection with the recruitment process and to review and improve our recruitment process.
Legal obligation	There may be instances where we must process and retain your personal data to comply with laws or to fulfil certain legal obligations. For example, avoiding unlawful discrimination.
Public interest	There may be instances where processing your data is necessary to perform a specific task in the public interest. In general, your data will not be processed on this ground, but there may be some limited instances, for example prevention and detection of crime, or for diversity monitoring purposes.
Vital interests	Although unlikely, it may be necessary to process your data (including Sensitive Personal Data such as health data) to protect someone’s life. In general, we will not process your data on this ground but there may be rare occasions when we need to do so, for example, if we need to process personal data to save your life and administer emergency medical treatment.
Legal claims	To establish, make or defend legal claims.
Public health	To protect against serious cross-border threats to health.

4. Who we share your personal data with

We take care to allow access to personal data only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal data, we will implement appropriate measures to ensure the information is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.

We share your personal data with the following categories of recipients:

• our group companies who operate in the UK, Europe and around the world in order to administer human resources, staff member compensation and benefits at an international level on our HR platform, as well as for other legitimate business purposes such as IT services/security, tax and accounting, and general business management;
• third party service providers and partners on a "need to know basis" and in accordance with applicable data privacy law. This may include third parties who provide support and advice including in relation to employee/applicant management, legal, financial / audit, management consultancy, insurance, and reporting services.
• any competent law enforcement body, regulatory, government agency, court or other third party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation (e.g. to provide certain salary information to tax authorities), (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• a buyer or prospective buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of the whole or any part of our business as permitted by law and/or contract;
• any other person with your consent to the disclosure (obtained separately from any contract between us).

5. How we keep your personal information secure

We take care to allow access to personal information only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.

We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing your personal information. Specific measures we use include encryption; employing malware protections; and implementation of other reasonable security defences.

6. Data transfers abroad

We may transfer your personal data outside of the country where you are located. As a result, your personal data may be transferred to a jurisdiction that may not provide the same level of data protection. If we transfer your personal data internationally, we will take the steps to ensure that your personal data is treated securely, lawfully, and in accordance with this Notice.

Please note that laws vary from jurisdiction to jurisdiction, so the privacy laws applicable to the places where your information is processed may be different from the privacy laws applicable to the place where you are resident. When we transfer your personal information internationally we treat your personal information securely, lawfully, and in accordance with privacy obligations. Where we transfer your personal information to countries and territories outside of the European Economic Area and the UK, for example, which have been formally recognised as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission and “adequacy regulations" (data bridges) from the Secretary of State in the UK.

We may transfer personal information as detailed herein from the European Economic Area and the UK to the United States in reliance on Data Privacy Framework (defined below) or in accordance with an applicable adequacy decision. Where the transfer is not subject to an adequacy decision or regulations we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Notice and applicable laws.

Data Privacy Framework

Bloomreach has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively the "Data Privacy Framework") as set forth by the US Department of Commerce with respect to personal information concerning individuals from the European Economic Area, United Kingdom, and Switzerland. Please see our Data Privacy Framework Notice to learn more.

If there is any conflict between the terms in this Notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.

7. Data retention

We will store the personal data we collect about you for no longer than necessary and in accordance with our legal obligations and legitimate business interests.

If your application is successful and you become an employee, where permitted by local law the personal data we collect during the application process may be transferred to your personnel file and stored in accordance with our internal policies.

If your application is not successful, we will hold your personal data to contact you (unless you have asked us not to) about any other relevant employment opportunities that may arise.

Where you have given us your consent to Process certain equal opportunities Information we may anonymise and aggregate this information, and store it in such form that does not personally identify you, for the purpose of monitoring and improving the application and recruitment process.

8. Your data privacy rights

You may exercise the rights available to you under applicable data protection laws as follows:

• If you wish to access, correct, update or request deletion of your personal data, you can do so at any time by contacting us using the contact details provided below.
• In certain circumstances, you can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data. Again, you can exercise these rights by contacting us using the contact details provided below.
• If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• You have the right to complain to a relevant data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

9. Updates to this Notice

We may update this Recruitment Notice from time to time in response to changing legal, regulatory, technical or business developments. When we update our Recruitment Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Recruitment Notice changes if, and where, required by applicable data protection laws.

You can see when this Recruitment Notice was last updated by checking the “last updated” date displayed at the top of this Recruitment Notice.

10. Contact details

You can contact us with your questions, comments, or concerns.

If you have any questions, comments, or concerns regarding our Notice and/or privacy practices, please contact us via email at dpo@bloomreach.com.