1. Introduction

This Notice describes the steps that Cleveland Clinic London Ltd (“CCL”, “we” or “us”), an affiliate of The Cleveland Clinic Foundation (“Cleveland Clinic”), takes to protect the personal data that we process about job applicants. In connection with your application to join CCL, we collect, store, use and otherwise process personal data about you for various purposes, as described in this Notice. We are committed to the protection of the personal data that we process about you in line with the data protection principles and requirements set out in the European Union General Data Protection Regulation 2016 (“GDPR”) and the UK Data Protection Act 2018 (“DPA”).

This Notice applies to all job applicant personal data which forms part of a filing system or is intended to form part of a filing system. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.

Terms defined in the GDPR or in Section 12 below shall have the meaning set out therein.

2. Identity of the Data Controller

CCL is responsible for processing your personal data and is the data controller. Our registered office is located at Suite 1, 3rd Floor 11-12 St. James’s Square, London, United Kingdom, SW1Y 4LB.

3. How We Source Your Personal Data

Most of the personal data that we process about you has been provided by you directly to us. CCL may also collect personal data about job applicants from other third parties including:

  1. former employers;
  2. education establishments from which you have received qualifications;
  3. background check providers and criminal records check providers including the Disclosure and Barring Services, where required or permitted by law;
  4. professional bodies such as the General Medical Council;
  5. law enforcement agencies, government agencies, regulators and/or any other person having appropriate legal authority;
  6. recruitment agencies; and
  7. credit reference agencies.

We may also review social media profiles (generally professional networks) and consider information that you have made publicly available.

4. Categories of Personal Data that We Process, Our Purposes for Processing and the Applicable Lawful Bases

The categories of personal data that we may process about you and our purposes for doing so are set out in the table below. The table also identifies our lawful basis for the processing and any condition for processing special categories of data or criminal convictions and offenses data.

Categories of Personal Data

Purpose of Processing

Lawful Basis

Special Condition*

  • Your name and contact details including address, telephone number, and email address

To communicate with you in relation to our job vacancies and the recruitment process

Legitimate interest

Not applicable

  • Qualifications

To assess your skills, qualifications and suitability for a role with us

Legitimate interest

Not applicable

  • Education history
  • CV
  • Application form
  • Evidence of previous experience, skills and qualifications
  • References
  • Details of your prior compensation
  • Professional licensure / registration details / work permit
  • Details of your practicing privileges
  • Interview notes
  • Test results
  • Disability

Determining ability to perform required activities

To make reasonable adjustments

Legitimate interest

Compliance with legal obligations

Processing is necessary for health or social care purposes, e.g. the assessment of the working capacity of an employee (Schedule 1, Part 1, paragraph 2 of the DPA).




Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA).


The processing is in line with CCL’s policy on processing Special Categories of Personal Data.

  • Foreign national ID documents
  • National Insurance number
  • Passport

Determining eligibility for employment


Compliance with legal obligations


Not applicable

  • Health Data (including vaccinations, physical assessments and drug testing)

Prior to an individual becoming an employee, there are tests and evaluations related to the safety of patients and employees in a healthcare environment

Legitimate interest

Processing is necessary for health or social care purposes, e.g., ensuring ability to facilitate health care or treatment (Schedule 1, Part 1, paragraph 2 of the DPA).


  • Sexual orientation

To monitor equality of opportunities and diversity within our workplace


Legitimate interest

Processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained (Schedule 1, Part 2, paragraph 8 of the DPA). **

Processing is necessary for purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions (Schedule 1, Part 2, paragraph 9 of the DPA).

The processing is in line with CCL’s policy on processing Special Categories of Personal Data.

  • Data concerning health (e.g. disability)
  • Religion
  • Racial or ethnic origin


  • CCTV images

To ensure the safety of our premises, patients and employees

Legitimate interest

Not applicable

  • Criminal records checks for roles within a regulated activity, i.e. work involving children, provision of health and other care to vulnerable adults, such as patients.

To ensure patient safety

Compliance with legal obligation

Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA). 


The processing is in line with CCL’s policy on Criminal Records Checks.


*We may need to process data as necessary in connection with any legal claims or prospective legal claims (Schedule 1, Part 3, paragraph 33 of the DPA).

** The categories of personal data listed (sexual orientation, health data, religion or racial or ethnic origin) shall not be used for the purposes of measures or decisions in relation to a specific job candidate. Please note that you can always inform us in writing if you would prefer us not to process these categories of your personal data for this purpose.

5. Data Sharing: Intra-Group and Third Party Recipients

The purposes for which we share personal data relating to job applicants with the Cleveland Clinic, and also with trusted third-party vendors and business partners, are set out below.

  1. Intra-group transfers

We may share your personal data with the Cleveland Clinic for the purposes set out below. Your personal data will only be accessible to competent employees of the Cleveland Clinic who, within their job responsibilities, carry out the purposes described in Section 5 and have a need to know this information. These transfers are protected by the obligations set out in an intra-group agreement that we have entered into with the Cleveland Clinic. This agreement covers personal data transferred for the following purposes:

  1. To allow the entities to carry out processing functions on our behalf including the storage and hosting of personal data for security purposes, including system back-up and failover;
  2. To provide services for the operations of CCL;
  3. To assist with employment benefits and other administrative issues;
  4. To assist with managing staffing;
  5. To advise on roles and terms of employment;
  6. To assess matters that relate to employment, such as assistance in internal investigations in relation to compliance with internal policies and rules; and
  7. For regulatory purposes.


  2. Third Party Suppliers

CCL also shares personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate safeguards to protect any personal data that we share with them. We may share job applicant personal data with third parties that perform services and carry out functions on our behalf and under our instruction as a data processor. These third parties include:

  1. IT service providers;
  2. recruitment administration software providers; and
  3. cloud storage service providers.

We may also disclose job applicant personal data to third parties acting as independent data controllers. All of these recipients are themselves responsible for determining the purposes and means of the processing and for the lawfulness of the processing. These third parties include:

  1. our auditors, lawyers, consultants, law enforcement and other public authorities (such as tax and social security bodies and NHS organisations);
  2. the police, prosecutors, courts and tribunals;
  3. current or previous employers;
  4. educational establishments and/or professional bodies;
  5. background check providers and criminal records check providers including the Disclosure and Barring Services;
  6. potential or actual purchasers should we decide to sell or transfer all or part of our business to another organisation;
  7. credit or reference agencies;
  8. our regulators, including the Information Commissioner’s Office, the Care Quality Commission, the Medicines and Healthcare products Regulatory Agency, and the Health and Safety Executive.


6. International Transfers: Intra-Group and Third Party Vendors


  1. Intra-Group

International transfers with the Cleveland Clinic are governed by EU Commission-approved Standard Contractual Clauses for controllers. You may request a copy of the relevant sections of these agreements by contacting us in one of the ways set out in Section 11.

  2. Third Party Suppliers

If and when transferring your personal data outside the EU or EEA, we will do so using one of the following safeguards:

  1. the transfer is to a non-EEA country that has been the subject of an adequacy decision by the EU Commission;
  2. the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the EEA;
  3. the transfer is to an organisation which has binding corporate rules approved by an EU data protection authority; or
  4. the transfer is to an organisation in the US that is EU-US Privacy Shield certified.

You may request a copy of the relevant sections of this transfer documentation by contacting us in one of the ways set out in Section 11.

7. Your Rights

You have the following rights:

      1. to obtain access to your personal data - you may request information on how your personal data is handled by us and request a copy of such personal data;
      2. to request us to correct or update your personal data if it is inaccurate or out of date;
      3. to object to the processing of your personal data for the purposes of our legitimate interests, unless:
          1. we demonstrate compelling legitimate grounds which override your right to object, or
          2. the processing is necessary for the establishment, exercise or defence of legal claims;
      4. to erase your personal data held by us:
          1. which are no longer necessary in relation to the purposes for which they were collected;
          2. to the processing of which you object; or
          3. which may have been unlawfully processed by us;
      5. to restrict processing by us, i.e. the processing will be limited to storage only:
          1. where you oppose the deletion of your personal data and prefer restriction of processing instead, or
          2. where you object to the processing by us on the basis of our legitimate interests;
      6. to transmit personal data you submitted to us back to you or to another organisation in certain circumstances; and
      7. to withdraw your consent in those circumstances where we rely on your consent to process your personal data.


These rights are not absolute and are subject to various conditions under:

  1. applicable data protection and privacy legislation; and
  2. the laws and regulations to which we are subject.

Should you wish to exercise the rights accorded by the GDPR and DPA, please contact us using the details in Section 11.

If you are not happy with how CCL processes your personal data or we could not provide you with a satisfactory resolution to your request, you also have the right to lodge a complaint with the data protection supervisory authority, the Information Commissioner’s Office (ICO) in the UK.

8. Retention of Personal Data

We will keep and process your personal data only for as long as is necessary for the purposes for which it was collected. If you are successful and we hire you, we will keep your CV as part of your employee record for the duration of your employment with us. We will keep CVs and documents submitted by unsuccessful candidates for no longer than six months, unless we obtained their consent to keep it for longer or unless required to keep it longer by law.

9. Statutory/Contractual Requirements

In certain cases, you may choose not to provide CCL with your personal data and/or provide incomplete personal data. However, please be aware that we may not be able to engage in a contractual relationship with you where your personal data is required for administrative purposes or otherwise as necessary for us to perform our contract with you, and/or to fulfil our statutory obligations.

10. Automated Decision-Making and Profiling

Your personal data will not be used for automated decision-making or profiling.

11. Contact Information

Questions, comments and requests regarding this Notice may be emailed to or sent by post to Suite 11, 3rd Floor, 11-12 St. James’s Square, London, S21Y 4LB, Attn: Rik Mannix, Data Protection Officer.

12. Definitions

The following terms used within this Notice are defined as follows:

“DPA” means the UK Data Protection Act 2018.

“data controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or EU laws or regulations, the controller or the specific criteria for his nomination may be designated by national or EU law.

“data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.

“European Economic Area” or “EEA” means the Member States of the European Union, plus Norway, Iceland and Liechtenstein.

“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

“GDPR” means the EU General Data Protection Regulation 2016/679 including national laws implementing or supplementing the GDPR.

“personal data” means any information relating to an identified or identifiable natural person (also referred to as ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“process” or “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“special categories of personal data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying an individual, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“supervisory authority” means an independent public authority, which is established by a Member State pursuant to article 51 of the GDPR. In the case of the UK this is the Information Commissioner’s Office.