Privacy Notice: Data protection under the EU General Data Protection Regulation (EU GDPR)

EMFI takes your privacy seriously. This privacy notice contains information on what personal data EMFI and its group companies (“EMFI”, “we”, “our”, or “us”) collect(s), what they do with that information, and what rights you have. If you have any questions or comments about this notice, please contact our Data Protection Officer using the following e-mail address: compliance@emfi.uk

To run our business, EMFI collects and uses information about living individuals (also known as “personal data”), including information about our prospective, current and former Employees ("Employees") for employment with EMFI. As part of our commitment to protect your personal data in a transparent manner, we want to inform you:

• why and how EMFI collects, uses and stores your personal data;
• the lawful basis on which your personal data is processed; and
• what your rights and our obligations are in relation to such processing.

1. What does this Privacy Notice cover?

This notice applies to any and all forms of use of personal data (“processing”) by us in the European Economic Area (“EEA”).

2. What type of personal data do we collect?

For prospective, current and former Employees, we collect basic identification information, such as your name, title, position, professional history, experience and contact details.

If you actively apply for a role with EMFI, we will usually also collect:

• Detailed identification information (e.g. name, position, title, office location, business telephone number, date and place of birth, picture, ID card, passport numbers and other national ID numbers as required, private email and/or postal address, and country etc.);
• Personal and physical characteristics (e.g. gender, date of birth, immigration status, and physical characteristics);
• Education and employment information (e.g. remuneration at your current employer, employment dates with your current employer, interview performance evaluation and scores in any online testing, position information such as position title, and language skills); and
• Information submitted as part of your application (e.g. recordings of any video interviews in which you participate, and anything you choose to submit by choice in support of your application).

Information you submit as part of your application must be true, accurate, complete and not misleading. You understand that any false or misleading statements or omissions made by you during the application process, including your application and any assessments and interviews, may be sufficient cause to justify the rejection of your application or, if you have already become an employee, the immediate termination of your employment, subject to due process.

If you provide information about your family or any other third party to us as part of your application (e.g. emergency contacts or referees) then, before providing us with such information, you must inform the relevant individuals that you will disclose their personal data to us and provide a copy of the information in this notice to them.

If you accept a role with EMFI, then in order to conduct any necessary background checks and create your record in the EMFI Group employee database, we will usually also collect:

• Family information (e.g. marital status, and details of any family or personal relationships within EMFI); and
• Financial information (e.g. summary credit history, bank account details, tax-related information, and information required to undertake required checks for money laundering, criminal activities, corruption, terrorist financing and related matters).

In some cases, the personal data that we process will also include special categories of data, such as diversity-related information (including data about racial and ethnic origin, religious beliefs and other beliefs of a similar nature) and data about alleged or proven criminal offences, in each case where permitted by law.

In some cases, the personal data we collect from you is needed to meet our legal or regulatory obligations. If so, we will indicate to you that the provision of this information is mandatory, and the consequences if we cannot collect this information.

In some cases, EMFI will also collect personal data indirectly from third parties, such as recruitment agencies that you used to apply to EMFI, background check providers and other administration services providers (for instance who provide Employee shortlisting services), or from publicly available sources such as business- and employment-orientated social networking services and job boards.

3. On which legal basis and for which purposes do we process personal data?

3.1 Legal basis for the processing

We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process your personal data if:

• the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request, such as preparing a contract of employment for you following a decision to make you an offer of employment;
• the processing is necessary to comply with our legal or regulatory obligations, such as reference requirements;
• the processing is necessary to protect the vital interests of the relevant individual or of another natural person, such as providing disability access to EMFI premises for interviews where applicable;
• the processing is necessary for the legitimate interests of EMFI, and does not unduly affect your interests or fundamental rights and freedoms (see below);
• the processing is necessary for the performance of a task carried out in the public interest; or
• in some cases, and if requested from you from time to time, we have obtained prior consent.

Examples of the ‘legitimate interests’ referred to above are:

• to benefit from cost-effective services (e.g. we may opt to use certain IT platforms offered by suppliers);
• to determine whether an Employee or potential Employee’s skills and experience are suitable for a role within EMFI, and determine whether or not to either (i) make an offer of employment with EMFI; or (ii) approach a potential Employee with a view to making an offer of employment with EMFI, on this basis;
• at the appropriate stage in the recruitment process (i.e. as part of making an offer of employment to you), to verify the accuracy of information you have provided to us as part of your application, including through background screening;
• to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks and security of EMFI premises;
• to exercise our rights under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property; and
• to meet our corporate and social responsibility objectives.

To the extent that we process any special categories of data relating to you, we will do so because:

• the processing is necessary to carry out our obligations under employment, social security or social protection law;
• the processing is necessary for the establishment, exercise or defence of a legal claim;
• the processing is necessary for reasons of substantial public interest; or
• you have given your explicit consent to us to process that information (where legally permissible).

3.2 Purposes of processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process Employees’ personal data to:

• undertake recruitment activities, such as determining the suitability of an Employee’s qualifications, checking for any existing or potential conflicts of interest or any other restrictions which may otherwise restrict or prevent an Employee’s employment with EMFI;
• assist us in managing external providers (e.g. recruitment agencies – see below for further information about when we work with third parties);
• manage our HR records and update the EMFI Group employee database;
• where relevant, manage and make available personal data within the EMFI Group;
• reply to an official request from a public or judicial authority with the necessary authorisation;
• comply with any legal obligations imposed on EMFI in relation to its recruitment practices; and
• to enable a transfer to a potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of EMFI’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it.

4. How do we protect personal data?

All personnel accessing personal data must comply with the internal rules and processes in relation to the processing of personal data to protect them and ensure their confidentiality. They are also required to follow all technical and organisational security measures put in place to protect the personal data.

We have also implemented adequate technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the personal data, with particular care for sensitive data.

5. Who has access to personal data and with whom are they shared?

5.1 Within the EMFI Group

We make available personal data to members of our personnel and of other companies of the group to which we belong (the “EMFI Group”) to complete the purposes indicated in section 3.2 above. Such other companies of the EMFI Group will either act as another controller under this notice or will only process personal data on behalf and upon request of the controller.

5.2 Outside the EMFI Group

We usually also transfer personal data to third parties outside the EMFI Group to complete the purposes listed in section 3.2 above including:

• third party service providers, such as our IT systems providers, our hosting providers, cloud service providers, database providers, consultants (including the recruitment agency whom you used to apply to EMFI, if applicable, and lawyers) and third parties who carry out pre-employment checks on prospective employees (such as HireRight) - each of these service providers has signed contracts to protect your personal information;
• a potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of EMFI’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it;
• any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request;
• the referees provided on your application form to EMFI;
• any central or local government department and other statutory or public bodies; and
• any legitimate recipient of communications required by laws or regulations.

5.3 Transfers outside the European Economic Area

The personal data transferred within or outside the EMFI Group as set out in sections 5.1 and 5.2, is in some cases also processed in a country outside the EEA, which covers the EU member states, Iceland, Liechtenstein and Norway. Non-EEA countries may not offer the same level of personal data protection as EEA countries.

If your personal data is transferred outside the EEA, we will put in place suitable safeguards to ensure that such transfer is carried out in compliance with applicable data protection rules. To ensure this level of protection for your personal information, EMFI may use a data transfer agreement with the third-party recipient based on standard contractual clauses approved by the European Commission or ensure that the transfer is to a jurisdiction that is the subject of an adequacy decision by the European Commission or to the US under the EU-US Privacy Shield framework. You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below. Where EMFI transfers personal data to other group companies, we rely on the standard contractual clauses.

A list of the countries in which EMFI operates (inside and outside the EEA) can be found at https://www.emfi.uk/english/about#presence

6. How long do we store your data?

We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. In general, although there may be limited exceptions, data relating to unsuccessful potential Employees for roles within EMFI is kept for 36 months after the date on which we notify you that your most recent application has been unsuccessful; and data relating to successful Employees for roles within EMFI is kept for 36 months from the date of our last communication with you.

However, if individuals wish to have their personal data removed from our databases, they can make a request as described in section 7 below, which we will review as set out therein.

7. What are your rights and how can you exercise them?

7.1 Your rights

You may have a right to access and to obtain a copy of your personal data as processed by EMFI. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction of your personal data.

You may also have the right to:

• object to the processing of your personal data;
• request the erasure of your personal data;
• request restriction on the processing of your personal data; and/or
• withdraw your consent where EMFI obtained your consent to process personal data (without this withdrawal affecting the lawfulness of any processing that took place prior to the withdrawal).

EMFI will honour such requests, withdrawal or objection as required under applicable data protection rules but these rights are not absolute: they do not always apply and exemptions may be engaged. We will usually, in response to a request, ask you to verify your identity and/or provide information that helps us to better understand your request. If we do not comply with your request, we will explain why.

7.2 Exercising your rights

To exercise the above rights, please send an email to: compliance@emfi.uk

If you are not satisfied with how EMFI processes your personal data, please let us know and we will investigate your concern. Please raise any concerns via the following e-mail address: complaints@emfi.uk

If you are not satisfied with EMFI’s response, you have the right to make a complaint to the data protection authority in the jurisdiction where you live or work, or in the place where you think an issue in relation to your data has arisen. The contact details of each Data Protection Authority can be found at the following website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

In the interests of keeping personal data properly up to date and accurate, we ask you to inform us of any change in relation to your personal data (such as a change of address).

8. Updates to this notice

This privacy notice was updated in May 2018. We reserve the right to amend it from time to time. Any future changes or additions to the processing of personal data as described in this notice affecting you can be viewed on the EMFI website at https://www.emfi.uk/english/privacy-policy