During any recruitment process, we collect and process personal data relating to individuals who make job applications with a Whitbread group company. We are committed to complying with data protection obligations and this notice explains what personal data we will hold about you, how it is collected and what use we may make of that data during the recruitment process. This notice is non-contractual and as such we may update it at any time.
Who is the data controller?
Whitbread plc, Whitbread Group plc (affiliated entities of each other and group companies, collectively ‘the Whitbread Companies’) are joint data controllers and collect and use certain personal information about you. The Companies may also use data collected by each other.
This notice explains how the Whitbread Companies process your personal data, therefore for the purpose of this notice the use of “we” and “us” shall mean all parties collectively and individually, whether acting as controller or processor.
If you have any queries about data protection, the contact details are as follows:
Post: Privacy Officer, Whitbread Court, Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5XE
What information do we collect?
We may collect a range of information about you, and this may be either personal data or special category data which is more sensitive than ordinary personal data. The data we may collect includes:
• your name, title, address and contact details, including email address and telephone number;
• biometric data such as photographs, including those on passports and driving licences;
• details of your education, qualifications, skills, experience and employment history, including start and end dates, with previous employers as well as any references taken up during the recruitment process;
• assessment results if applicable;
• your preferences for location, type and hours of work with us;
• information about your current level of pay, including entitlement to any benefits connected to your employment;
• your nationality and entitlement to work in the UK;
• details about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process (special category data); and
• equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief (special category data).
We may collect this information in a variety of ways. For example, data might be collected
through application forms, CVs or resumes, obtained from your passport or other identity
documents, or collected from you through interviews or other forms of assessment.
We may also collect personal data about you from third parties, such as your recruitment
agency, former employers, a relevant professional body, external organisations who carry out right to work checks, the Disclosure and Barring Service (where applicable and/or required for specific roles), the Home Office and, where applicable, external bodies which arrange assessments of applicants.
Data will be stored in a range of different places, including on your application record, in our HR management systems and in other IT systems.
Information about criminal convictions
We envisage that we may hold information about criminal convictions. This will usually be
where such processing is necessary to carry out our obligations.
We will only collect information if it is appropriate given the nature of the role and where we
are legally able to do so. Where appropriate, we will collect it as part of the recruitment
process. We will, if appropriate, use information about criminal convictions and offences to
review and consider your application in light of any such information disclosed to us.
We use your personal data in this way in order to carry out our obligations in respect of
safeguarding and to promote the legitimate interests of our business.
What if you do not provide personal data?
You are under no legal or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all. In relation to certain information, such as evidence relating to your right to work in the UK, we are under a legal obligation to obtain that information and if you do not provide it then we will be unable to offer you employment.
Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
1. Where the decision is authorised or required by law;
2. Where it is necessary to consider whether to enter into, with a view to entering into, or
to perform a contract with you and appropriate measures are in place to safeguard
your rights; or
3. In limited circumstances, with your explicit written consent and where appropriate
measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal
information, we must have either your explicit written consent or it must be justified in the
public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.
During the recruitment process we utilise an automated tool to match potential staff to
available roles within the business based on the information that you provide (for example the hours you wish to work and the location(s) you wish to work in) prior to entering into a
contract with them. We use the information at the first stage of the recruitment process and, if your application is identified by the automated tool as unsuitable based on the information you provide then it will not progress any further. You have the right to object to automated decision making, and you also have the right to challenge and request a review of any automated decision that is made about you. If you wish to exercise any of these rights please see the contact details below, under the heading Your Rights.
Why do we process personal data?
We need to process data to take steps at your request prior to entering into an employment
contract with you. We also need to process your data to then enter into an employment
contract with you if your application is successful. For example, we need to process your data to provide you with an employment contract which contains your correct details.
In some cases, we need to process data to ensure that we are complying with our legal
obligations. For example, we are required by law to check an applicant's eligibility to work in the UK before we are able to employ them. We may also process your data to respond to and defend legal claims make disclosures to law enforcement agencies or in relation to health and safety compliance and/or for auditing and regulatory purposes.
In other cases, we have a legitimate interest in processing personal data during the
recruitment process and for keeping records about the process. Processing data from
applicants allows us to properly and consistently manage the recruitment process, assess and confirm an applicant’s suitability for employment and decide whether an applicant should be offered employment. Where we rely on legitimate interests as the justification for processing personal data, we have carried out a balancing exercise in respect of those interests compared to the rights enjoyed by individuals and you can obtain more information about this from Employee Relations.
In relation to special categories of personal data, we may process information about your
health if we need to make reasonable adjustments to the recruitment process for candidates who have a disability. This is in order to comply with our employment law obligations and exercise specific rights in relation to employment.
Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal
opportunities monitoring. This is in order that we can promote and maintain equality of
opportunity, and also in order that we can carry out monitoring which is for reasons of
substantial public interest for the purpose of keeping such equality of opportunity under
review.
Who has access to data?
Your information will be shared internally for the purposes of the recruitment exercise. This
includes members of the HR and recruitment team, interviewers involved in the recruitment
process, relevant managers in the business and IT staff if access to the data is necessary for the performance of their roles. We will also share information about your application with your recruitment agency, if applicable.
We share your data with third parties which provide IT hosting services to us under contract
in connection with the operation of the application system. If your application for
employment is successful then your data will be shared further for the purposes of managing both the business and the employment relationship, and a further privacy notice will be issued to you explaining how and why we will use your personal data as an employee.
How do we protect data?
We take the security of your data seriously and are committed to taking all reasonable steps to protect the data we hold. We have a range of internal policies and security controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees who need such access in the proper performance of their duties. We also have procedures and measures in place to address and respond to any potential data breach. Our security measures are kept under review and updated and enhanced as appropriate.
When we transfer your data to third parties we do so on the basis that they have entered into a written agreement with us to ensure the security of the data by implementing appropriate safeguards and technical measures.
Your data may be transferred outside the European Economic Area (EEA) for the purposes of processing or storage. If we do transfer information outside of the EEA we will ensure that it is protected by using one of the following safeguards:
• Transferring the data to a non-EEA country which the EU has decided provides the
same level of protection as required within the EEA.
• Entering into a contract with the recipient of the data which requires them to protect it
to the same standards as required within the EEA or use other sufficient mechanisms
and measures to achieve adequate protection. This may include the use of Standard
Contractual Clauses published by the EU.
• Transferring it to organisations that are part of Privacy Shield. This is a framework
that sets privacy standards for data sent between the US and EU countries and ensures
that those standards are similar to the ones used within the EEA.
• Using binding corporate rules. These are internal rules adopted by group companies to
allow international transfers of personal data to entities within the same corporate
group located in countries which do not themselves provide an adequate level of
protection.
For how long does the organisation keep data?
If your application for employment is unsuccessful, we will hold your data on file for 6
months after the end of the relevant recruitment process. If you provide consent to allow us to keep your personal data on file, we will hold your data for a further 6 months for
consideration for future employment opportunities that may become available after the time
that you originally made your application. At the end of the relevant period, or if you
withdraw your consent (if applicable), your data will be deleted or destroyed.
If your application for employment is successful, personal data gathered during the
recruitment process will be transferred to further internal systems and retained during your
employment. As mentioned above, a new privacy notice will be issued to you explaining how and why your data will be processed and retained if you enter into employment with us.
Your rights
As a data subject, you have a number of rights. You may be able, subject to the limitations
mentioned below, to:
• Make a data subject access request. You are entitled to receive a copy of the personal
data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you.
• Request erasure of your personal data. You are entitled to ask us to delete or remove
personal data where there is no good reason for us continuing to process it. You also
have the right to ask us to delete or remove your personal data where you have
exercised your right to object to processing (see below). Any requests for erasure will
be considered in line with our retention policy and subject to, for example, whether
the data may need to be retained in order to defend any legal claims, either actual or
potential.
• Object to processing of your personal data where we are relying on a legitimate
interest (or those of a third party) and your particular circumstances mean that you
want to object to processing on this ground.
• Request the restriction of processing of your personal data. This enables you to ask us
to suspend the processing of personal data about you, for example if you want us to
establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another data controller.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where you object to us processing personal data but we have a
compelling justification for continuing to process it, or you ask us to erase information which we are required by law to keep or have another compelling reason to retain it. As indicated above not all rights set out above apply to every type of data processing, and relevant exemptions are also included within the data protection laws that apply in the UK. We will inform you of any relevant exemptions that apply and which we rely upon when responding to any request you make.
If you would like to exercise any of these rights, the contact details are as follows:
Post: Employee Relations, Whitbread Court, Porz Avenue, Houghton Hall Business Park,
Houghton Regis, Dunstable, Beds, LU5 5XE
If you believe that we have not complied with your data protection rights, please contact
privacyofficer@whitbread.com and we will investigate your concerns and take action if
appropriate.
You also have the right to contact the Information Commissioner. You can contact them by
V3 – January 2020