1. CANDIDATE NOTICE STATEMENT
This policy is designed to provide information on how we deal with the privacy of job applicants who apply to Sophos for a job and the personal data we hold about them during the recruitment process.
2. OBJECTIVES
- To provide you with details of what information we may collect about you and to give you confidence in how we will use this information; and
- To comply with legal requirements including privacy laws.
3. ABOUT THIS DOCUMENT
3.1 We take your privacy seriously and we are fully committed to protecting your personal data and we recognise our responsibility to keep any information about you safe and secure at all times.
3.2 Sophos (referred to as “we”, “us”, “our”) will process and collect personal data and special categories of personal data about you and we recognise the need to treat that data in an appropriate and lawful manner, in accordance with applicable privacy laws.
3.3 The purpose of this notice is to provide you with information regarding the types of personal data and special categories of personal data that we hold and process about you and why.
3.4 Processing includes collecting, using, holding, storing, recording and destroying your personal data and special categories of personal data.
3.5 This notice is subject to change and any change will be notified on this page.
4. WHAT DO ‘PERSONAL DATA’ AND ‘SPECIAL CATEGORIES OF PERSONAL DATA’ MEAN?
4.1 “Personal data” includes information relating to a living person, who can be identified directly or indirectly by such information (e.g. name, ID number, location data, an online identifier, one or more factors specific to the physical, physiological, genetic, mental, economic or social identity of that person).
4.2 “Special categories of personal data” relates to personal information about you of a more private nature and means genetic data, biometric data, data concerning a person’s sex life or orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health.
4.3 The personal data and special categories of personal data about you held and processed by us may be held in automated/electronic filing systems.
5. WHAT DO WE DO WITH YOUR PERSONAL DATA AND ON WHAT LEGAL BASIS?
5.1 We use the personal data you provide to us for different reasons. These can be summarised as follows:
(a) To comply with our legal obligations. This includes the following information:
- eligibility to work in the country you are applying for a position in as required by immigration laws, such as residency and work permit status, nationality, passport and visa documentation;
- formal identification documentation relating to you, such as a passport or driving licence, to verify your identity;
- legal claims made by you or against you, in order to comply with the court process and court orders;
- relevant checks to validate driving licence information if the job role you apply for involves you driving company vehicles; and
- relating to the occurrence, investigation or prevention of fraud.
(b) To pursue our legitimate interests as a business. This includes the following information:
- your contact details such as your name, address, telephone number and personal email address which will be used to communicate with you in relation to the recruitment process;
- your resume / CV and any education history and employment records, professional qualifications and certifications in order for us to consider your suitability for a job vacancy you are applying for;
- details of the job role you are applying for and any interview notes made by us following an interview with you, in order to assess your suitability for that role;
- pay and benefit discussions with you to help determine whether a job offer may be made to you;
- the results of any pre-employment checks carried out;
- voicemails, emails, correspondence, your resume / CV, and other communications created, stored or transmitted by you on or to our computer or communications equipment in order to progress the application through the recruitment process;
- CCTV at our business premises to ensure business efficiencies, the protection of company property and for health and safety reasons; and
- network and information security in order for us to take steps to protect your information against loss, theft or unauthorised access.
(d) Where you have consented for us to do so. This includes as follows:
- to understand and assess your suitability for a role.
6. WHAT DO WE DO WITH YOUR SPECIAL CATEGORIES OF PERSONAL DATA AND ON WHAT LEGAL BASIS?
6.1 We process your special categories of personal data for different reasons. These can be summarised as follows:
(a) To enable you and us to perform our respective obligations or exercise our respective rights in respect of employment and social security and social protection law. This includes the following:
- equal opportunities monitoring information (for example race, ethnic origin, sex or religious information). Any such information is used in an anonymised form for statistical purposes only and is not used in relation to your application for employment with us; and
- health information to assess and/or to comply with our obligations under employment, equal opportunities and health and safety legislation (for example a requirement to make reasonable adjustments to the interview process with you).
(b) To establish, defend or exercise legal claims in an employment tribunal or any other court of law;
(c) For occupational medicine reasons or where we are assessing your working capacity. This includes the following:
- medical and health information/records/reports (for example, to assess whether any reasonable adjustments are required for you during the recruitment process, carrying out any medical assessment required for your role, pension and any insurance benefits);
- sickness absence records, such as statement of fitness to work, reasons for absence and self-certification forms; and
- records of return to work interviews/meetings.
7. BACKGROUND CHECKS
7.1 We may process, in carrying out our obligations in employment and social security and social protection law, personal data relating to carrying out background checks (including criminal conviction personal data) where necessary for a particular role within the business.
8. OTHERS WHO MAY RECEIVE OR HAVE ACCESS TO YOUR PERSONAL DATA
8.1 We may share your personal data internally for the purposes set out above with HR employees involved in the recruitment process and/or line managers in the business who are involved in the recruitment process for the job role(s) you are applying for.
8.2 We may share your personal data with sub-processors where necessary to facilitate assessments for your desired role.
8.3 For successful applicants who become employees, we may share your personal data and special categories of personal data with third parties, agents, subcontractors and other organisations, as listed below, for the purposes of providing services to us or directly to you on our behalf:
(a) occupational health providers;
(b) financial product providers;
(c) pension providers;
(d) insurance providers;
(e) employee benefits providers; and
(f) providers of legal services.
8.4 We may share your personal data with the relevant local government and law enforcement agencies in order to comply with our legal obligations.
8.5 When we use third party suppliers or providers, we only disclose to them any personal information that is necessary for them to provide their service and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
9. RECEIVING YOUR PERSONAL DATA
We may obtain personal data and/or special categories of personal data about you from third party sources, such as recruitment agencies, job boards, recruitment assessment centres, referees and occupational health professionals. Where we receive such information from these third parties, we will only use it in accordance with this notice. In some cases, they will be acting as a controller of your information and therefore we advise you to read their privacy policy.
10. WHERE DO WE STORE YOUR PERSONAL DATA OR SPECIAL CATEGORIES OF PERSONAL DATA?
10.1 Your personal data and special categories of personal data is stored electronically on our secure servers which are located within the United States of America ("USA").
10.2 For individuals residing in the European Economic Area (EEA) or the UK: we transfer your personal data or special categories of personal data to, or store it in, countries located outside of the EEA or the UK (as applicable) and as such, we ensure that appropriate safeguards are in place for that transfer and storage as required by applicable privacy laws. This is because some countries outside of the EEA or the UK do not have adequate data protection laws equivalent to those in the EEA or the UK. These safeguards will include imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to international frameworks that seek to ensure adequate protection.
11. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
11.1 We keep your personal data and special categories data for as long as is necessary to fulfil our legal obligations and in accordance with applicable privacy laws.
11.2 When you apply for a job vacancy which we have advertised, we will compile and keep an electronic file containing information about you which relates to your application for a job with us. Your information will be kept secure and will be used for the purposes of your job application.
11.3 If you are offered and you accept a job with us, your personal information will be transferred to an electronic personnel file. When your employment with us ends, we will retain your personal data in accordance with our data retention policy. The retention period varies depending on the role(s) which you have held during your employment with us, and your personal data will be permanently and securely deleted at the end of this retention period.
11.4 If you are unsuccessful in your application for a job with us, Sophos will, by default, remove your information within 12 months. However, if you have consented to Sophos retaining your information for the purpose of considering you for future opportunities, Sophos will retain your data. We will reseek your consent every 12 months using the email address you have provided for us.
12. YOUR DUTIES
12.1 We encourage you to ensure that the information that we hold about you is accurate and up to date by keeping us informed of any changes to your personal data. You can do this by updating your details within our Applicant Tracking System.
13. YOUR RIGHTS
13.1 Under applicable privacy laws, you may have the following data protection rights:
- the right to access, delete or request portability of your personal data.
- the right to ask us to correct or update your personal data, object to processing of your personal data, or ask us to restrict processing of your personal data.
- where we have collected and process your personal data with your consent, then you can withdraw your consent at any time.
To exercise any of these rights, please submit a request via our data protection rights request portal.
Please note some of the rights detailed above are not absolute and may not be applicable in certain scenarios. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable privacy laws.
If you have a complaint about our processing of your personal data, please contact us first using the contact details provided under “Contact us” below. If you are unhappy with our response, you have the right to complain to the data protection authority in your country.
14. CONTACT US
14.1 If you have any questions about this privacy policy or complaints about the manner in which we treat your personal data, please contact our Data Protection and Privacy team at dataprotection@sophos.com.
This document was last updated on 11 December 2024.