PRIVACY NOTICE CONCERNING
THE PROCESSING OF JOB APPLICANT PERSONAL DATA
This Notice describes the steps that Cleveland Clinic London Ltd (“CCL”, “we” or “us”), an affiliate of The Cleveland Clinic Foundation (“Cleveland Clinic”), takes to protect the personal data that we process about job applicants. In connection with your application to join CCL, we collect, store, use and otherwise process personal data about you for various purposes, as described in this Notice. We are committed to the protection of the personal data that we process about you in line with the data protection principles and requirements set out in the European Union General Data Protection Regulation 2016 (“GDPR”) and the UK Data Protection Act 2018 (“DPA”).
This Notice applies to all job applicant personal data which forms part of a filing system or is intended to form part of a filing system. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.
Terms defined in the GDPR or in Section 12 below shall have the meaning set out therein.
CCL is responsible for processing your personal data and is the data controller. Our registered office is located at Suite 1, 3rd Floor 11-12 St. James’s Square, London, United Kingdom, SW1Y 4LB.
Most of the personal data that we process about you has been provided by you directly to us. CCL may also collect personal data about job applicants from other third parties including:
We may also review social media profiles (generally professional networks) and consider information that you have made publicly available.
The categories of personal data that we may process about you and our purposes for doing so are set out in the table below. The table also identifies our lawful basis for the processing and any condition for processing special categories of data or criminal convictions and offenses data.
Categories of Personal Data | Purpose of Processing | Lawful Basis | Special Condition* |
| To communicate with you in relation to our job vacancies and the recruitment process | Legitimate interest | Not applicable |
| To assess your skills, qualifications and suitability for a role with us | Legitimate interest | Not applicable |
| |||
| |||
| |||
| |||
| |||
| |||
| |||
| |||
| |||
| |||
| Determining ability to perform required activities
To make reasonable adjustments | Legitimate interest
Compliance with legal obligations | Processing is necessary for health or social care purposes, e.g. the assessment of the working capacity of an employee (Schedule 1, Part 1, paragraph 2 of the DPA).
Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA).
The processing is in line with CCL’s policy on processing Special Categories of Personal Data. |
| Determining eligibility for employment
| Compliance with legal obligations
| Not applicable |
| Prior to an individual becoming an employee, there are tests and evaluations related to the safety of patients and employees in a healthcare environment | Legitimate interest | Processing is necessary for health or social care purposes, e.g., ensuring ability to facilitate health care or treatment (Schedule 1, Part 1, paragraph 2 of the DPA).
|
| To monitor equality of opportunities and diversity within our work place
| Legitimate interest | Processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained (Schedule 1, Part 2, paragraph 8 of the DPA). ** Processing is necessary for purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions (Schedule 1, Part 2, paragraph 9 of the DPA). The processing is in line with CCL’s policy on processing Special Categories of Personal Data. |
| |||
| |||
| |||
| To ensure the safety of our premises, patients and employees | Legitimate interest | Not applicable |
| To ensure patient safety | Compliance with legal obligation | Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA).
The processing is in line with CCL’s policy on Criminal Records Checks.
|
*We may need to process data as necessary in connection with any legal claims or prospective legal claims. (Schedule 1, Part 3, paragraph 33 of DPA.)
** The categories of personal data listed (sexual orientation, health data, religion or racial or ethnic origin) shall not be used for the purposes of measures or decisions in relation to a specific job candidate. Please note that you can always inform us in writing if you would prefer us not to process these categories of your personal data for this purpose.
The purposes for which we share personal data relating to job applicants with the Cleveland Clinic, and also with trusted third-party vendors and business partners, are set out below.
We may share your personal data with the Cleveland Clinic for the purposes set out below. Your personal data will only be accessible to competent employees of the Cleveland Clinic who within their job responsibility execute the purposes described in Section 5 and have a need to know this information. These transfers are protected by the obligations set out in an intra-group agreement that we have entered into with the Cleveland Clinic. These agreement covers personal data transferred for the following purposes:
CCL also shares personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate safeguards to protect any personal data that we share with them. We may share job applicant personal data with third parties that perform services and carry out functions on our behalf and under our instruction as a data processor. These third parties include:
We may also disclose job applicant personal data to third parties acting as independent data controllers. All of these recipients are themselves responsible to determine the purposes and means of the processing and for the lawfulness of the processing. These third parties include:
International transfers with the Cleveland Clinic are governed by EU Commission-approved Standard Contractual Clauses for controllers. You may request a copy of the relevant sections of these agreements by contacting us in one of the ways set out in Section 11.
If and when transferring your personal data outside the EU or EEA, we will do so using one of the following safeguards:
You may request a copy of the relevant sections of this relevant transfer documentation by contacting us in one of the ways set out in Section 11.
You have the following rights:
These rights are not absolute and are subject to various conditions under:
Should you wish to exercise the rights accorded by the GDPR and DPA, please contact us using the details in Section 11.
If you are not happy with how CCL processes your personal data or we could not provide you with a satisfactory resolution to your request, you also have the right to lodge a complaint with the data protection supervisory authority, the Information Commissioner´s Office (ICO) in the UK.
We will keep and process your personal data only for as long as is necessary for the purposes for which it was collected. If you are successful and we hire you, we will keep your CV as part of your employee record for the duration of your employment with us. We will keep CVs and documents submitted by unsuccessful candidates for no longer than six months, unless we obtained their consent to keep it for longer or unless required to keep it longer by law.
In certain cases, you may choose not to provide CCL with your personal data and/or provide incomplete personal data. However, please be aware that we may not be able to engage in a contractual relationship with you where your personal data is required for administrative purposes or otherwise as necessary for us to perform our contract with you, and/or to fulfil our statutory obligations.
Your personal data will not be used for automated decision-making or profiling.
Questions, comments and requests regarding this Notice may be emailed to londonprivacy@ccf.org or sent by post to Suite 11, 3rd Floor, 11-12 St. James’s Square, London, S21Y 4LB, Attn: Rik Mannix, Data Protection Officer.
The following terms used within this Notice are defined as follows:
“DPA” means the UK Data Protection Act 2018.
“data controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or EU laws or regulations, the controller or the specific criteria for his nomination may be designated by national or EU law.
“data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.
"European Economic Area" or "EEA" means the Member States of the European Union, plus Norway, Iceland and Lichtenstein.
“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
“GDPR" means the EU General Data Protection Regulation 2016/679 including national laws implementing or supplementing the GDPR.
“personal data” means any information relating to an identified or identifiable natural person (also referred to as ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“process” or “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“special categories of personal data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying an individual, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“supervisory authority” means an independent public authority, which is established by a Member State pursuant to article 51 of the GDPR. In the case of the UK this is the Information Commissioner’s Office.