RECRUITMENT PRIVACY POLICY – EUROPEAN HIRING
Last Updated: October 15, 2024
BitSight Technologies, Inc. and its affiliates (“Bitsight,” “we,” “us,” “our”) are providing this Recruitment Privacy Policy – European Hiring (“Policy”) to individuals residing in Europe who apply to work at or for Bitsight (“Applicants”). Like most businesses, we hold and process a wide range of information, which relates to the individuals who apply, and those we recruit, to work for us. This Policy explains the type of information we process, why we are processing it and how that processing may affect you. We have a separate Employee Privacy Policy that applies to our current and former employees.
The purpose of this Policy, including the Supplementary Information contained in Appendix A, is to describe:
- the purposes for which Bitsight uses such personal data;
- where the data comes from and who gets to see it;
- the types and sources of personal data that Bitsight collects about Applicants who reside in Europe;
- the legal grounds that allow us to process your personal data;
- how long we keep your personal data;
- how to access your personal data and other rights; and
- how to contact us.
Please contact [email protected] with any questions or to access an alternative form of this Policy.
A. PERSONAL DATA – PURPOSE FOR PROCESSING YOUR DATA
We process personal data for recruitment, management, administrative, employment and legal purposes. Appendix A – Supplementary Information provides detailed information on these purposes, the type of data that may be processed and the grounds on which we process data in the context of recruitment. See Appendix A: Supplementary Information “What are the legal grounds for processing?” and “Further information on the data we process and our purposes” for more information.
B. WHERE THE DATA COMES FROM AND WHO GETS TO SEE IT
When you apply to work for us, the initial data about you that we process is likely to come from you, for example, contact details, bank details and information on your immigration status and whether you can lawfully work. Where necessary and in accordance with this Policy, we will require references and information to carry out background checks. If you have concerns about this in a particular context, you should speak to your recruiter or our People Strategy department.
Other personal data may come from third parties, such as recruiters, agents, and similar organizations or from your references.
Your personal data will be seen internally by administrators, People Strategy (HR), lawyers and managers involved in the interview and decision-making process, and, in some circumstances (if you join us), colleagues. We will, where necessary and as set out in this Policy, also pass your data outside of Bitsight, for example to people you are dealing with and payroll agencies.
Further information on this is provided in the Supplementary Information. See “Where the data comes from” and “Who gets to see your data?”
C. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We keep your personal data in accordance with our document retention policy, and in any event we will not retain it for longer than is necessary for our lawful purposes. In general, if you become employed by us, we will keep your personal data for the duration of your employment and for a period afterwards, as described in our document retention policy. If you are unsuccessful in gaining employment with us, we will likely keep your personal data for a short period (generally around 6 months) after informing you that you were unsuccessful. In considering how long to keep your data, we will take into account its relevance to our business and your potential employment either as a record or in the event of a legal claim. Your data may also be kept on file and considered for other roles.
If your data is only useful for a short period, or we are only permitted by law to retain it for a specified period of time (for example, CCTV footage), we will delete it more frequently.
D. INTERNATIONAL TRANSFERS OF PERSONAL DATA
In processing your personal data, we act as a data controller. This means that we determine the purposes and means of the processing of your personal data. In most cases, the data controller for your personal data will be the Bitsight entity to which you apply for work. We may transfer your personal data outside of the EEA, Switzerland or the UK (as applicable) to other affiliated Bitsight companies in our international network and to third parties who provide services to us and to you, including to countries that may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located.
When we transfer your personal data to:
- Bitsight entities in countries where there has not been an Adequacy Decision (as defined below) for the protection of personal data (e.g. the United States) we do so in reliance on the standard contractual clauses approved by the European Commission and/or the UK Government (“SCCs”) as the permitted data transfer mechanism. These Bitsight entities will from time to time transfer your personal data onward to third parties outside of the UK and the EEA in accordance with the terms of the SCCs;
- Bitsight entities located in the EU or the UK, we do so in reliance on a decision by the European Commission or the UK government (as applicable) that the data privacy regimes of the EEA or the UK (as applicable) ensure an adequate level of protection (“Adequacy Decision”), and put additional safeguards in place to the extent required; and
- Third parties located outside of the UK or the EEA, for example to our service providers, external recipients of electronic communications, other counsel, accountants, insurers and advisors, we do so in reliance on an Adequacy Decision, SCCs, or your consent.
If you wish to see details of these safeguards, please email [email protected].
E. YOUR DATA RIGHTS
You have a right to make a subject access request to receive information about the personal data that we process about you. This may include requesting the following information regarding the personal information we hold about you:
- The categories and/or specific pieces of personal information we collected
- The categories of sources from which personal information is collected
- The business or commercial purpose for collecting personal information
- The categories of third parties with whom we shared personal information
If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller. This only applies if the ground for processing is consent or contract.
If we have relied on consent as a ground for processing, you may withdraw consent at any time though if you do so that will not affect the lawfulness of what we did before you withdrew consent.
If we have relied on legitimate interests as a ground for processing, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, and we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defense of legal claims.
There are exceptions to these rights according to the GDPR, the UK GDPR and local laws. For example, it will not be possible for us to delete your data if we are required by law to keep it; and access to your data may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information.
If you are hired to work for us in France, you will have the right under French data protection laws to provide instructions regarding the management of your personal data after your death.
If you wish to exercise your rights, please contact [email protected] or complete this form.
Further information about making a complaint about our processing of your personal data can be found in Appendix A: Supplementary Information under Section 10, Complaints.
F. CONTACT DETAILS
We have designated our Privacy Manager to oversee our compliance with applicable privacy laws. Questions and inquiries to us concerning your privacy may be directed by email to [email protected]. You may also reach us by phone at 1 (844) 735-0076, or you can write us at:
For Germany, the Netherlands, and other European Countries
BitSight Technologies, Inc.
111 Huntington Avenue, Suite 400
Boston, Massachusetts, United States of America 01945
For France
BitSight Technologies France SAS
128 rue la Boétie (lot 41)
75008 Paris
France
For Portugal
Alameda dos Oceanos n.º 59 - 3º Andar - Bloco B
1990-207 Lisbon
Portugal
For the United Kingdom
BitSight Technologies UK, Limited
Suite 4, 7th Floor
50 Broadway, London, SW1H 0DB
United Kingdom
For information about submitting a complaint, please see Section 10 of Appendix A: Supplementary Information.
G. STATUS OF THIS POLICY
This Policy does not form part of any contract of employment you might enter into and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this Policy is intended to create an employment relationship between any Bitsight entity and any non-employee.
APPENDIX A: SUPPLEMENTARY INFORMATION
1. WHAT DO WE MEAN BY “PERSONAL DATA” AND “PROCESSING”?
“Personal data” is information relating to a natural person, from which such person may be identified. It includes not only facts about you, but also intentions and opinions about you.
"Processing" means doing anything with the personal data, whether or not by automated means, such as collecting, holding, disclosing and deleting the data. Examples of personal data processed automatically include information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building and sound and image data such as CCTV or photographs.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the United Kingdom General Data Protection Regulation, which is the GDPR as incorporated into UK domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments) (EU Exit) Regulations 2019 (the “UK GDPR”) apply to the processing of personal data by automated means and otherwise when that data forms (or is intended to form) part of a filing system.
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by the GDPR and the UK GDPR to be “special categories of personal data”.
References in this Policy to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your potential employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of this Policy.
2. WHAT ARE THE LEGAL GROUNDS FOR PROCESSING?
Under the GDPR and the UK GDPR (as applicable), there are various grounds on which we can rely when processing your personal data. In some contexts, more than one ground may apply. We have summarized these grounds as Contract, Legal Obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. When processing your personal data for the purpose of recruitment in Germany, we also rely on §26 of the German Bundesdatenschutzgesetz (“BDSG”), which applies to data processing for employment related purposes.
| Term | Ground for Processing | Explanation |
|---|---|---|
| Contract | Processing necessary for performance of a contract with you or to take steps at your request to enter a contract | This covers carrying out our contractual duties, exercising our contractual rights and taking the necessary steps to prepare your employment contract. |
| Legal Obligation | Processing necessary to comply with our legal obligations | Ensuring we perform our legal and regulatory obligations. For example, depending on applicable law, providing a safe place of work, avoiding unlawful discrimination, including with regard to disabled workers and complying with our obligations relating to professional equality between women and men, fulfilling our obligations of tax and social declarations, and responding to relevant regulators, immigration authorities and other government departments or public bodies. |
| Legitimate Interests | Processing necessary for our or a third party’s legitimate interests | We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data. |
| Consent | | |
3. PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
If we process special categories of personal data about you, as well as ensuring that one of the legal grounds for processing listed in the table above applies, we will make sure that the processing is:
- necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorized by law or collective agreement;
- related to data about you that you have made manifestly public (e.g., if you tell colleagues that you are ill);
- necessary for the purpose of establishing, making or defending legal claims;
- necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity, where permitted by applicable law;
- for equality and diversity purposes to the extent permitted by applicable law; or
- subject to your explicit consent.
If we decide to hire you, where required or permitted by applicable local law, we may also collect the following special categories of personal data:
- your health data as needed to allow us to comply with relevant employment laws, such as details of your disability in order to provide you with reasonable adjustments, information relating to your illness or pregnancy to process statutory payments (including medical and sickness certificates; and medical data and other documents required to confer special benefit status, where applicable);
- information about your physical and mental health;
- demographic information and diversity data needed to identify or review the equality of opportunity afforded to our staff;
- data necessary to identify suitable candidates and promote and maintain diversity in positions at Bitsight, and (with your explicit consent) as requested by clients for their own diversity monitoring purposes;
- criminal conviction and offences data as necessary in connection with any legal proceedings, in order to obtain any legal advice or otherwise as necessary to establish, exercise or defend a legal claim;
- your social security number for purposes of payroll and communication with social bodies;
- your health data in the event of a workplace accident or your voluntary disclosure to us of exposure to infectious disease, which may include symptoms and test results; and
- information about your religion if required for tax purposes and in compliance with applicable law and trade union affiliation, if you have informed us of your trade union membership and/or asked us to make payments to trade unions or for religious tax on your behalf.
4. FURTHER INFORMATION ON THE DATA WE PROCESS AND OUR PURPOSES
Additional information on the purposes for which we process your personal data, including examples of the personal data that may be processed and the grounds on which we process such data, is included in the table below for illustrative purposes and is not meant to be exhaustive.
| Purpose | Examples of personal data that may be processed | Grounds for Processing |
|---|---|---|
| | Standard data related to your identity, e.g., your name, address, email address, ID information and documents, telephone numbers, place of birth, contact details, and professional experience and education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information), language skills, and any other personal data that you present us with as part of your application, related to the fulfilment of the role (which may include special categories of personal data in the UK and Germany, as permitted by applicable law). Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks (see below) and any information connected with your right to work in the relevant country. If we decide to hire you, if necessary, we will also process information concerning your health (UK and Germany) and/or any disability (all offices) in connection with any adjustments needed to working arrangements. | Consent; Contract; Legal Obligation; Legitimate Interests; §26 BDSG (Germany) |
| | Your experience and qualifications for the position you are applying for (or any future job for which we think you are suitable). Communications with you in respect of any offer of employment we choose to make, providing you with information about our onboarding process, and requests for additional information. | Legal; Legitimate Interests; §26 BDSG (Germany) |
| Conducting pre-employment screening to assess your suitability for employment | Criminal records, credit worthiness, standing and capacity, sex offender records, insolvency records, bankruptcy filings, civil litigation history and national insurance numbers (UK). Certificate of Conduct issued by the German Federal Office of Justice and credit rating from SCHUFA (Germany). Extracts from your criminal record, i.e., “B3”, when this is necessary for the position you are applying for (or any future job for which we think you are suitable) (France). Education records, previous employment records, legal admissions, certificates of good standing and media publications (all offices). | Contract; Legitimate Interest; Legal Obligation; Consent; §26 BDSG (Germany) |
| Entering into a contract with you (if you are made an offer by us) | Information on your terms of employment from time to time, including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance, and any bonus schemes. | Contract; Legal; Legitimate Interests; §26 BDSG (Germany) |
| Contacting you or others on your behalf | | Contract; Legitimate Interests; §26 BDSG (Germany) |
| | | Contract; Legal; Legitimate Interests; §26 BDSG (Germany) |
| | Information such as your proposed salary and (if applicable) envisaged bonus levels. | Legitimate Interests; §26 BDSG (Germany) |
| Physical and system security | CCTV images upon attendance for interviews at our premises. | Legal Obligation; Legitimate Interests; §26 BDSG (Germany) |
| Providing information to third parties in connection with transactions that we contemplate | | Legitimate Interests; §26 BDSG (Germany) |
| Monitoring of diversity and equal opportunities | Information on your nationality, gender, disability and age (in France, such data will only be aggregated and used for equality of opportunity monitoring purposes). Information on your racial and ethnic origin and sexual orientation (UK and Germany). | Legitimate Interests; Legal Obligation; §26 BDSG (Germany); Substantial Public Interest |
| Disputes and legal proceedings | | Legitimate Interests; Legal Obligation; §26 BDSG (Germany) |
| | Information necessary to comply with rights asserted by you over the personal data that we process. | Legal Obligation; §26 BDSG (Germany) |
Please note that if you accept an offer from us, we will process further information as part of the employment relationship. We will provide you with our full Employee Privacy Policy as part of the on-boarding process.
5. WHO GETS TO SEE YOUR DATA?
Internal use: Where necessary and as set out in this Policy, your personal data will be disclosed to relevant lawyers, People Strategy (HR) and administrators for the purposes of your application as mentioned in this Policy. We will also disclose this to other Bitsight affiliated entities where necessary for decision making regarding your application – this will depend on the type of role you are applying for.
External use: We will only disclose your personal data outside Bitsight if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.
We will disclose your data if it is necessary for our legitimate interests as a firm or the legitimate interests of a third party (but we will not do this if these interests are overridden by your interests or fundamental rights and freedoms).
We may also disclose your personal data based on your consent, or where we are required to do so by law, or in connection with criminal or regulatory investigations.
Please note that, when we disclose your data in such circumstances, we will ensure that any necessary due diligence has been undertaken on the recipient and any necessary contractual documentation is in place to ensure the integrity and security of the data as required by law.
Specific circumstances in which your personal data may be disclosed include:
- Disclosure to organizations that process data on our behalf, such as our payroll service, our bank and organizations that host or support our IT systems and data - this would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process;
- Disclosure to third party recruitment consultants and similar businesses (including online recruitment portals) as a part of the recruitment process;
- Disclosure to any regulator as necessary as part of the recruitment process;
- Where permitted in the jurisdiction where you reside, disclosure to a third party background report service provider for the purposes of conducting pre-employment screening in relation to the following areas (as applicable to the role you are applying for): education verification; previous employment verification; legal / bar admissions; criminal records; credit worthiness; standing and capacity; sex offender notification and disclosure scheme; insolvency; bankruptcy filings; and civil litigation.
We also use a third party HR management system which tracks your application and stores your personal data for us once you have made an application.
6. COMPLAINTS
If you have complaints relating to our processing of your personal data, you should raise these with our People Strategy (HR) department at [email protected] in the first instance. You may also submit the complaint directly to our Legal Department by completing this form or with the relevant Data Protection Authority, as detailed below:
For the United Kingdom:
Information Commissioner’s Office (ICO). For contact and other details please contact our People Strategy (HR) department at [email protected] or see: https://ico.org.uk/ICO.
For France:
Commission Nationale de l’Informatique et des Libertés (CNIL). For contact and other details please contact our People Strategy (HR) department at [email protected] or see: https://www.cnil.fr/
For Germany:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit. For contact and other details please contact our People Strategy (HR) department at [email protected] or see: https://datenschutz.hessen.de/
For Portugal:
Comissão Nacional de Proteção de Dados (CNPD). For contact and other details please contact our People Strategy (HR) department at [email protected] or see: https://cnpd.pt.
For the Netherlands:
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens). For contact and other details please contact our People Strategy (HR) department at [email protected] or see autoriteitpersoonsgegevens.nl.
Last Updated: November 22, 2022
BitSight Technologies, Inc. and its affiliates (“BitSight,” “we,” “us,” “our”) are providing this Recruitment Privacy Policy (“Policy”) to individuals residing in California who apply to work at or for BitSight (“Applicants”). For purposes of this Policy, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an Applicant.
Please contact [email protected] with any questions or to access an alternative form of this Policy.
The purpose of this Policy is to describe:
- the categories and sources of Personal Information that BitSight collects about Applicants who reside in California; and
- the purposes for which BitSight uses such Personal Information including the categories of third parties to which BitSight discloses the information.
A. TYPE AND SOURCES OF PERSONAL INFORMATION COLLECTED
We may collect, hold and use the following types of personal information about you:
| Category of Personal Information | Categories of Sources |
|---|---|
| Identification Information: e.g., your name, address, email address, telephone numbers, date of birth, social media profiles/handles, and other contact details | |
| Sensitive Information: e.g. your social security number, passport number, driver’s license or state ID card number, and insurance information. | |
| Application Information: e.g. your resume information (including school(s) attended, years of attendance, degree, major, employment history, languages spoken, interests, skills, and prior or desired salary), questionnaire responses, interview evaluations, reference information, offer letter information, and background check information (including criminal record checks, credit reports, standing and capacity, sex offender records, insolvency records, bankruptcy filings, and civil litigation history). | |
| Employment Information: e.g. your green card status, federal or state identification forms and numbers, beneficiary/dependent information (including names, addresses, dates of birth and social security numbers), past employment history (including references) current employment information (including job titles, salary information, and performance evaluations), as well as information related to hours, working patterns, pay and benefits. | |
| Financial Information: e.g. your bank account and compensation information. | |
| Demographic Information: e.g. your nationality, racial and ethnic origin, gender, gender identity, sexual orientation, religion, disability and age. | |
| Physical and Biometric Information: e.g. your fingerprints and photographs and physical descriptions of you. | |
| Health Information: e.g. if necessary, we will process other information concerning your health and/or any disability. | |
| Communication Information: e.g. information contained in communications sent and received. | |
| Education Information: e.g. your education history (including, but not limited to, school(s) attended, years of attendance, courses taken, degree, major, and grade point average). | |
B. BUSINESS PURPOSES FOR WHICH YOUR PERSONAL INFORMATION MAY BE USED:
We use Personal Information for the following business purposes:
- To administer our recruitment process, including to source, recruit, and evaluate Applicants;
- To assess eligibility for employment;
- To perform background checks;
- To communicate with Applicants;
- To perform financial planning and budgeting and payroll administration;
- To prepare immigration, payroll, and tax filings;
- To offer and administer benefits;
- To assess and report on the diversity of our Applicants;
- To determine whether any adjustments to work arrangements are needed for health or other reasons;
- To secure our premises and systems;
- To exercise and defend against legal claims and comply with applicable legal requirements (including but not limited to regulatory and legal obligations related to reporting); and
- Other internal purposes, for example authorizing, granting, administering, monitoring, and terminating access to or use of BitSight systems, software, facilities, records, property, and infrastructure.
C. DISCLOSURE OF PERSONAL INFORMATION; CATEGORIES OF THIRD PARTIES
We may share the information collected from and about you as described in Section A for various business purposes as explained in Section B of this Privacy Policy, with the following categories of third parties:
- Business Communication and Collaboration Tool;
- Data Analytics Provider;
- Data Storage Service Provider;
- Finance and Accounting Tool; and
- Other Service Providers and Third Parties, including our business partners.
Over the preceding twelve (12) months, we disclosed certain categories of California residents’ personal information to the categories of third parties described above. We do not and will not sell California residents’ personal information.
D. RETENTION OF PERSONAL INFORMATION
Personal information will not be kept for longer than is necessary for the business purpose described above for which it is collected and processed and will be retained in accordance with our internal document retention policies.
E. HOW TO ACCESS AND CONTROL YOUR DATA
California residents have the right to request that we disclose what personal information we collect from you, to delete that information, and to opt-out of the sale of your personal information, subject to certain restrictions. You also have the right to designate an authorized agent to exercise these rights on your behalf. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
Right to Opt-Out of the Sale of Your Personal Information.
California residents may opt-out of the “sale” of their personal information. California law broadly defines what constitutes a “sale” – including in the definition making available a wide variety of information in exchange for “valuable consideration”. We do not, and will not, sell your personal information.
Right to Request Access and Request Deletion of Your Personal Information
Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.
California consumers may make a request pursuant to their rights under the CCPA by sending an email to [email protected], or submitting a request to our online web form found here or by calling toll free at 1 (844) 735-0076. We will only use the information you submit to respond to your request, and we may need to identify you and your state of residence before we can respond.
We may withhold some personal information where the risk to you or our business is too great to disclose the information, where we cannot verify your identity in relation to such personal information, for our own internal purposes reasonably related to your relationship with us, or to comply with legal obligations. Thus, for security purposes (and as required under California law), we will verify your identity – partly by requesting certain information from you – when you request to exercise certain of your California privacy rights.
Once we have verified your identity, we will respond to your request as appropriate.
If we are unable to complete your requests fully for any of the reasons above, we will provide you with additional information about the reasons why we could not comply with your request.
Right to Nondiscrimination.
We do not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights.
Information About Persons Under 16 Years of Age
We do not knowingly collect personal information from minors under 16 years of age in California unless we have received legal consent to do so. If we learn that personal information from such California residents has been collected, we will take reasonable steps to remove their information from our database (or to obtain legally required consent).
F. CONTACT DETAILS
We have designated our Privacy Manager to oversee our compliance with applicable privacy laws. Questions and inquiries to us concerning your privacy may be directed by email to [email protected]. You may also reach us by phone at 1 (844) 735-0076, or you can write us at:
BitSight Technologies, Inc.
111 Huntington Ave, Suite 2010
Boston, MA 02199
United States
Attn: Legal Department/Privacy Manager