This Global Recruitment Data Protection Notice (“Notice”) explains how Sidley Austin LLP and affiliated partnerships (the “Firm”, “we”, “us” and “our”) process personal data (i.e., information that directly or indirectly identifies you) pertaining to individuals who apply for a position or role at the Firm (“Applicants”, “you”, “your”).
This Notice is issued by Sidley Austin LLP as data controller (i.e., a person or organisation who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed).
The Notice applies to Applicants who are applying for a role at the Firm as employee, self-employed lawyer or consultant, and all Applicants who are applying for an internship, vacation scheme or work placement.
2. Collecting your personal data
We may collect certain personal data directly from you, as Applicant (when you apply or visit our offices), but we may also collect it from external recruitment agencies, background check vendors and other non-publicly accessible sources. If you do not provide us with the necessary personal data, or if we are unable to obtain it elsewhere, we may not be able to proceed with the application, consider you for a position or offer you an internship, vacation scheme, or work placement.
Where we carry out background checks on you it may involve the processing of sensitive personal data, and we will only do so with your explicit consent or as permitted or required by law. It may also involve the processing of criminal record data and this will only be processed where such processing is specifically authorized or required by law.
If you participate in our internships, vacation schemes and work experience placements we will also collect information about job-related activities and assessments through the course of your placement with us.
3. What types of personal data we collect
During the recruitment process, or if you participate in one of our vacation schemes or placements, we may collect and process the following types of personal data:
i) contact information (e.g., name, home and business address, phone numbers, and email addresses);
ii) personal information (e.g., date of birth, nationality, passport, or national ID numbers, photographs);
iii) employment and educational history (e.g., CV, references and organizational data such as department, work location, job title and seniority, professional qualifications, language skills);
iv) equal opportunities monitoring information (e.g., information in relation to sex/gender, race, nationality, ethnicity, religion, health, and sexual orientation);
v) information about your legal entitlement to work (e.g., visas, permits, immigration status);
vi) bank account details;
vii) medical and health information (e.g., information in relation to any medical condition, health and sickness records to the extent that you require adjustments to be made to our assessment and interview processes);
viii) information about criminal convictions and offences committed by you;
ix) next of kin and emergency contact information;
x) start and end date of your placement;
xi) the location of your placements;
xii) information regarding your performance during your placement;
xiii) CCTV footage and other information obtained through electronic means;
xiv) information about your use of our information and communication systems;
xv) photographs of you; and
xvi) any other information which you may voluntarily disclose to us in the course of the application process.
4. How we use your personal data
We process your personal data to assess your application for recruitment, employment or placement.
We may also need to process your personal data to:
i) comply with our legal and regulatory obligations;
ii) enter into contractual arrangements with you and to administer your ongoing relationship with the Firm;
iii) check whether you are legally entitled to work in the relevant jurisdiction;
iv) to improve our application procedures and processes;
v) ensure our insurance requirements are met;
vi) comply with our health and safety obligations;
vii) make adjustments to our recruitment processes as a result of any disability you may have;
viii) deal with any legal disputes, including any accidents at work;
ix) prevent fraud;
x) monitor your use of our information and communication systems to ensure compliance with our IT policies;
xi) ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
xii) carry out equal opportunities monitoring.
5. Our legal basis for processing your personal data
The GDPR requires us to ensure we have a legal basis for all the processing activities that we carry out on your personal data. We conduct our processing activities on the basis that:
- it is necessary in order to enter into a contract with you (including to enable us to determine whether to enter into any contract with you);
- it is necessary to comply with a legal or regulatory obligation; and/or
- it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We have carefully balanced our legitimate interests in the recruitment process against your data protection rights. If you wish to obtain more information on the balancing exercise we performed, please contact us by using the contact details below.
6. Sharing your personal data
6.1 Disclosure to Certain Third Parties
We may disclose certain personal data for the above purposes to the following recipients:
i) to other affiliated partnerships of the Firm, self-employed lawyers engaged by the Firm, service providers (e.g., IT service providers, background checks vendors and external recruitment agencies) and advisors;
ii) to fraud prevention agencies and law enforcement agencies;
iii) to courts, governmental and non-governmental regulators;
iv) or as required or permitted by law, including to comply with a subpoena or similar legal process or government request, or when the Firm believes in good faith that disclosure is legally required or the Firm has a legitimate interest in making a disclosure, such as where necessary to protect the Firm’s rights and property.
6.2 Transfers of your personal data
The Firm may disclose your personal data, for the above listed purposes, to recipients (including affiliated partnerships) in locations that do not have data protection laws equivalent to those in Hong Kong, the UK, the EEA, and Switzerland.
In such a case, the Firm will take all necessary steps to ensure the safety of your personal data in accordance with all applicable data protection laws at a standard substantially similar to, or that serves the same purposes as those of the relevant legislation (if applicable). For transfers of personal data within the Firm to offices outside of the UK and EEA the Firm has in place Data Transfer Agreements with EU Standard Contractual Clauses. You can request a copy of these agreements by contacting firstname.lastname@example.org.
7. Your rights in relation to your personal data
Under applicable data protection laws, you may have a right to:
- be informed about how your Personal Data is used;
- access your personal data;
- have inaccurate personal data rectified;
- have personal data erased in certain circumstances;
- restrict processing of personal data in certain circumstances;
- data portability (you can ask for a copy of your personal data to be provided to you, or a third party, in a digital format);
- object to processing of personal data in certain circumstances, including where personal data is used for marketing purposes; and
- not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect. (automated decisions are decisions about individuals that are based solely on the automated (i.e., computerized) processing of data and that produce legal effects or that significantly affect the individuals involved. As a rule, the Firm does not make use of automated decision-making as described above when considering you for a position at the Firm).
You may also have the right to lodge a complaint about the processing of your personal data with your local data protection authority, please contact us at email@example.com if you’re interested to find out the contact details of your local regulator/authority.
8. Securing your personal data
The Firm will take steps to protect your personal data against loss or theft, as well as from unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.
9. Retaining your personal data
We will only keep your data for as long as necessary for the purposes for which it was collected, in order for us to fulfil our statutory obligations and where we have a legitimate interest to do so.
In the event we make an offer and you accept, your personal data will be held and processed in accordance with our Internal Data Protection Notices and other relevant procedures and policies.
We evaluate our privacy notices and procedures to implement improvements and refinements from time to time. If we make material changes to this Notice that affect you, we will notify you by regular communication channels.
11. Enquiries, Requests or Concerns
All enquiries, requests or concerns regarding this Notice, your rights, or relating to the processing of your personal data (including our legal basis for processing in each case), should be sent to firstname.lastname@example.org.
12. Jurisdiction-specific notices and exceptions
The following applies to our data collection and processing activities in Belgium:
- Sidley Austin (CE) LLP Brussels Branch, located at Rue Montoyer 51, 1000 Brussels, Belgium is the data controller responsible for your personal data
- Section 3 (viii) information is not collected
- Section 3(iv) only data in relation to sex/gender and nationality is collected
The following applies to our data collection and processing activities in Germany:
- The data controller for the processing of the Applicant's personal data is Sidley Austin (CE) LLP, Maximilianstraße 35, 80539 Munich, Germany, Phone +49 89 24440 9100, MU-Reception@sidley.com
- Our Data Protection Officer can be reached via email@example.com or by writing to Sidley Austin (CE) LLP c/o Willem Lubbe, Maximilianstraße 35, 80539 Munich, Germany
- Section 3 (iv) only data in relation to gender is collected
- The data in 3(vi) is only collected where the Applicant has requested a refund of their travel expenses incurred for the interview
- Section 3 (vii) information is not collected
- Section 3 (viii) information is not collected
- Section 3 (v) information is only collected if the Applicant is successful, and as part of the offer process
- Section 3 (xv) is entirely voluntary
- Section 3 (ix) to (xiv) is not applicable
- Section 4 (iii) has limited application
The following applies to our data collection and processing activities in Japan:
- The data in 3(vi) is not collected