Privacy Policy

ERM's Recruitment Fair Processing Notice

Updated 25 May 2018

ERM Worldwide Group Limited and our associated companies ("ERM", "Company", "we" or "us") hold and process data on applicants and recruitment candidates ("candidates" or "you").

We take your data protection rights and our legal obligations seriously. Your personal data will be treated securely, confidentially and in the manner set out in this Fair Processing Notice, or as otherwise notified to you in writing.

This Fair Processing Notice describes the categories of personal data we may process, how your personal data may be processed, the purpose/s for which we process your data and how your privacy is safeguarded during our relationship with you. This Notice is intended to comply with our duty to provide information about the Company's processing of your personal data under privacy laws. Where we use the term ‘employment’ in this Fair Processing Notice, this also includes other types of engagement or working relationships.

Processing of Personal Data
What Data Do We Process?
Special Categories of Data
How Does the Company Collect Data?
What Are the Purposes for Which Data Are Processed?
Legal Bases for Processing
Automated Decision Making and Profiling
Retention of Personal Data
Disclosures of Personal Data
Security of Data
International Transfer of Personal Data
Your Rights as a Data Subject
Additional Fair Processing Notices and Notice Of Changes

If you have any questions about this Fair Processing Notice, or if you would like to access the information it contains in a different format (e.g. in audio format) please contact us at:

ERM Recruitment Support
RE: Data Subject Requests
2nd Floor, Exchequer Square
33 St Mary Axe, London EC3A 8AA 
+44(0) 20 3206 5200
Email:recruitment.support@erm.com

Processing of Personal Data

ERM collects and processes your personal data for the purposes described in this Fair Processing Notice. ‘Personal data’ means any information describing or relating to an identified or identifiable individual. An ‘identifiable individual’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

The ERM Group company to which you apply for work will be the data controller of your personal data. In addition, where processing of your personal data is undertaken by other companies in the ERM Group, those other ERM companies will also be data controllers of your personal data. This Fair Processing Notice is provided on behalf of all such ERM Group companies. To contact the relevant ERM data controller, send a request to:

ERM Recruitment Support
RE: Data Subject Requests
2nd Floor, Exchequer Square
33 St Mary Axe, London EC3A 8AA 
+44(0) 20 3206 5200
Email:recruitment.support@erm.com

Back to top

What Data Do We Process?

ERM may collect various types of personal data about you, including:

  • Personal details: your title, name, previous name, gender, nationality, civil/marital status, date of birth, age, personal contact details (e.g. address, telephone or mobile number, e mail), national ID number, immigration and eligibility to work information, driving licence, languages spoken, details of any disability (and any adjustments required as a result);

  • Recruitment and selection data: skills and experience, qualifications, references, your CV / resume, application details, interview and assessment data, vetting and verification information (e.g. credit reference checks, criminal record checks, to the extent permitted by applicable law), right to work verification, information relating to the outcome of your application, details of any offer made to you;

  • Regulatory data: your educational records, professional licences, permits and / or registration with any applicable regulatory authority, your regulated status and regulatory certificates and references;

  • Equality and diversity data (where permitted by law and provided voluntarily): data regarding gender, age, race, nationality, religious beliefs and sexuality (stored anonymously for equal opportunities monitoring purposes);

  • Other personal data that you choose to disclose to us during the course of the recruitment process, whether verbally or in written form.

Back to top

Special Categories of Data

To the extent permitted by applicable law, ERM may collect and process a limited amount of personal data that falls into special categories (sometimes called ‘sensitive personal data’). The special categories of data that we may collect about you include:

  • racial or ethnic origin;
  • physical or mental health information (including details of accommodations or adjustments);
  • sexual orientation; and 
  • criminal records and information regarding criminal offences or proceedings.

Back to top

How Does the Company Collect Data?

ERM collects and records your personal data from a variety of sources, but mainly directly from you. You will usually provide this information when you submit your CV / resume, when you complete your profile or application via our recruitment platform, through your participation in the recruitment processes, in the emails and instant messages that you send to ERM, or through verbal information that you share with us that has been recorded. Also, information about you may come from the hiring manager and those in the HR team involved in the recruitment process.

We also obtain some information about you from third parties, where permitted by applicable law. Examples of this might include information from recruitment agencies, references from previous employers or when we employ a third party to carry out a background check. Where permitted by applicable law, we may also collect data from publicly accessible sources, including your LinkedIn profile.

Where we require you to provide personal data on a mandatory basis, we will explain this you at the time of collection and explain if that information is required by contract or statute. If your failure to provide this information means that we cannot carry out certain processes, we will explain this to you at the time. In some cases this may mean that we are unable to proceed with your application as the Company will not have the data that we feel is necessary to make a recruitment decision or comply with our legal obligations in relation to recruitment.

Apart from personal data relating to you, you may also provide us with personal data of third parties (e.g., details of a referee that you provide). Before you provide third party personal data to ERM, you must inform those third parties of the data that you intend to provide and why it is being provided to us.

Back to top

What Are The Purposes For Which Data Are Processed?

ERM will process your personal data for the following purposes:

  • Recruitment and selection, including to:
    • assess your suitability to work for ERM, including candidate short listing, interviews and contracting;
    • conduct pre employment checks, including verification of your identity, checking your legal right to work, checking references or your physical well-being / fitness to work (where applicable and permitted by law);
    • conduct pre employment credit reference checks and checks in relation to suspected criminal activities (where applicable and permitted by law);
    • compare you with other applicants and make a decision whether to offer you employment;
    • consider any reasonable adjustments or accommodations that may be required in the event you have a disability;
    • make a job offer and provide a contract of employment;
    • contact you if you are not successful, and / or if another potentially suitable vacancy arises in the future; and 
    • deal with any query, challenge or request for feedback received in relation to our recruitment decision.

  • In preparation to bring you on board as an employee where you accept an offer of employment from us. In this case we will customise the data we gathered during the recruitment phase for purposes of your employment, and will transfer some of this to our employment systems and files.

  • Monitoring programmes to ensure equality of opportunity and diversity with regard to personal characteristics that may be protected under applicable anti discrimination laws.

Special categories of data may be collected and processed by ERM for the following purposes:

  • documentation such as work permits, details of residency, proof of citizenship may be collected to assess your eligibility to work for the Company in the relevant jurisdiction;

  • information regarding your racial or ethnic origin, sexual orientation or disability status may be: used for the collection of statistical data to monitor equality of opportunity where that information is voluntarily provided by you (where applicable and permitted by law); or used by the Company to defend a legal claim by or otherwise involving you (e.g., if you bring a discrimination claim related to our recruitment process or decision); 

  • health and medical information may be used to comply with disability discrimination laws to make reasonable accommodations or adjustments where necessary and to avoid unlawful discrimination related to disability during the recruitment process or decision.

Back to top

Legal Bases For Processing

Personal data

Whenever the Company processes your personal, data we do so on the basis of one or more lawful grounds for processing. In the majority of cases, those grounds will be because the processing is necessary:

  • for compliance with a legal obligation to which we are subject (for example, checking your right to work in the jurisdiction you are employed in and avoiding unlawful discrimination in the recruitment process and decision); or
  • to take steps at your request prior to entering into a contract (for example, checking that you have the skills and experience necessary to perform the role you have applied for).

Where the above two grounds do not apply, we will process your personal data when it is necessary for the legitimate interests pursued by ERM, unless such interests are overridden by your interests or fundamental rights / freedoms that require protection of personal data. ERM considers that it has legitimate interests in processing data: for the purposes set out in Section 6 (above); to ensure fair and effective recruitment of suitable personnel; to ensure that we continue to meet our short and long-term business objectives and goals; to maintain our reputation; and to continue to attract and retain high calibre staff.

We may on occasion process your personal data for the purpose of legitimate interests pursued by a third party (e.g. to meet the security requirements of our clients), unless such interests are overridden by your interests or fundamental rights / freedoms.

In exceptional circumstances ERM may carry out the processing on the basis of your consent. Where we rely on your consent as the basis for our processing, we will make this clear at the time.

Special categories of data

Where we process special categories of data it will be justified by one or more of the conditions set out in Section 7.1, and by one of the following additional conditions:

  • The processing is necessary for the purpose of fulfilling the obligations and rights of you or the Company in the field of employment law, social security and social protection law (where applicable);
  • The processing is necessary to protect the vital interests of you or another person if you are physically or legally incapable of giving consent (for example, in exceptional emergency situations or other medical emergencies);
  • The processing is necessary for purposes authorised by applicable law;
  • The processing is necessary for the establishment, exercise or defence of legal claims.

In exceptional circumstances, we may seek your consent to process special categories of data that is not justified under one of the grounds noted above. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Note that it is not a condition or requirement of your application to agree to any request for consent by ERM.

Processing data relating to criminal convictions and offences

A criminal record check may be carried out on recruitment, transfer or intermittently where ongoing screening is required. Personal data relating to criminal convictions and offences will only be processed when, and to the extent, authorised by applicable law.

Back to top

Automated Decision Making and Profiling

ERM does not currently rely on automated decision making. We may, however, carry out a small amount of profiling during the recruitment process for certain roles. This may be considered as part of the process or for identifying areas to discuss in interviews, but is not used as the sole basis for any decision. For example, we may at times utilize automated online tools including artificial intelligence and self-recorded video interviewing to assist in the early screening stages of candidates. This will typically be for more junior roles that attract a high number of applications.

Back to top

Retention of Personal Data

The Company endeavours to ensure that personal data is kept up to date and that irrelevant or excessive data is deleted or de-personalised as soon as reasonably practicable.

The Company's approach is to retain personal data only for as long as is required to satisfy the purpose for which it was collected by us or provided by you. This will usually be the period of the recruitment process, plus the length of any applicable statutory limitation period following completion of the process. If, however, you are offered and accept a contract with ERM, then data relevant to our ongoing relationship with you will be retained and transferred into our HR records and you will receive a further fair processing notice explaining how we will use your information during our relationship with you.

If you are not successful in your application, or you do not accept a role with the Company, normally your data will be retained for 12 months following completion of the recruitment process (unless otherwise required by local law) so that you can be considered for suitable roles that may arise in the future. If we do retain your data for this purpose, we will let you know and you will have the ability to opt out. The Company may retain your data for a longer period if a challenge or claim is made (to enable the Company to respond), or if otherwise required by applicable local law. If applicable law requires your consent, we will obtain this.

Back to top

Disclosures of Personal Data

Within ERM, your personal data can be accessed by, or disclosed (on a need to know basis):

  • to local, regional and global Human Resources team members involved in the recruitment and on-boarding process;
  • to the hiring manager and any local, regional and global management team responsible for hiring decisions;
  • to recruitment system administrators; and
  • where necessary for the performance of specific tasks or system maintenance by staff in ERM (e.g. Finance, IT, Global HR, Information Security, Legal, etc.).

Your personal data may also be accessed by, or provided to, third parties and their associated companies and sub contractors who provide services to ERM in connection with recruitment, including, but not limited to, providers of our recruitment platform on Workday, recruitment agents and/or professional advisers. In such cases your personal data will only be disclosed to these parties to the extent necessary to provide the required services. Where these third parties act as a data processor for ERM, they carry out their tasks on ERM’s behalf and act on our instructions for the specified purposes. The Company expects such third parties to process any data disclosed to them in accordance with applicable law and contract terms, which will include data confidentiality and security.

ERM may also share your data with national authorities to comply with our legal obligations, e.g., in the event of legal proceedings or a statutory audit.

Back to top

Security of Data

The Company is committed to protecting the security of the personal data you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk and in accordance with applicable laws.

International Transfer of Personal Data

From time to time your personal data (including special categories of personal data) may be transferred to other members of the ERM Group to process for the purposes described in this Notice. This may apply, for example, when the relevant ERM company is responsible for conducting or approving the relevant data processing activity. These associated companies may be located within the European Union or any other location in the world where ERM has offices. Personal data may also be transferred to third parties (e.g., service providers or regulatory authorities) located outside the European Union.

As a result, your personal data may be transferred to countries whose data protection laws are less stringent than the laws of the European Union. In those situations ERM will put appropriate and suitable safeguards in place to protect your personal data and ensure that such transfers comply with applicable data protection laws.

The Company members have entered into Intra-Group Data Transfer Agreement which regulates cross border transfers of personal data within the ERM Group. Where required by law, ERM will enter into standard contractual clauses as approved by the European Commission with service providers who are located outside the European Union.

You have a right to request a copy of any data transfer terms employed by the Company, and to have access to information on the safeguards we use to protect your data. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity. To request a copy of these contracts, contact us at:

ERM Recruitment Support
RE: Data Subject Requests
2nd Floor, Exchequer Square
33 St Mary Axe, London EC3A 8AA
+44(0) 20 3206 5200
Email: recruitment.support@erm.com

Back to top

Your Rights as a Data Subject

Right to access, correct and delete your personal data

ERM aims to ensure that all personal data it holds is correct. You also have a responsibility to ensure that information provided by you or on your behalf (e.g., through a recruitment agent) is correct and that we are notified of any changes to your personal details (e.g., change of name or address) so that we can keep your data up to date.

You have the right to request access to any personal data that the Company may hold about you, and to request correction of any inaccurate data. You also have the right to request deletion of any irrelevant data that we hold about you.

You can see and update some of your data yourself via Workday.

Back to top

Data portability

When ERM is relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party, as the legal basis for processing and that data is processed by automatic means, you have the right to receive data that you provided to us in a structured, commonly used and machine readable format. You also have the right to require us to transmit the data to another controller (where this is technically feasible).

Right to restrict processing

You have the right to restrict our processing of your personal data where:

  • you contest the accuracy of the personal data, until such time as ERM has taken sufficient steps to correct or verify its accuracy;
  • the processing is unlawful, but you do not want us to erase the data;
  • ERM no longer needs the personal data for the stated purpose for processing, but you require it for the establishment, exercise or defence of legal claims; or 
  • you have objected to our processing on ‘legitimate interest’ grounds, pending verification as to whether ERM has compelling legitimate grounds to continue processing.

When personal data is subjected to any of these restrictions, we will only process it with your consent or for the establishment, exercise or defence of legal claims.

Right to withdraw consent / complain / object to processing

  • Consent: Where we have relied on your consent to process particular information, you have the right to withdraw such consent at any time.

  • Raise complaints: You have the right to lodge a complaint with your relevant data protection regulatory authority if you consider that processing of your personal data infringes applicable law.

  • Right to object to processing: Where we are relying upon ‘legitimate interests’ to process data, then you have the right to object to that processing. If you object, we must stop that processing unless we can demonstrate: compelling legitimate grounds for the processing that override your interests, rights and freedoms, or that we need to process the data for the establishment, exercise or defence of legal claims.

How to enforce your rights

You can enforce your data subject rights by either:

  • updating or deleting your data from Workday, where applicable (although the data may remain in back ups and linked systems until deleted in accordance with ERM’s data retention policy); or
  • contacting ERM at:

    ERM Recruitment Support
    RE: Data Subject Requests
    2nd Floor, Exchequer Square
    33 St Mary Axe, London EC3A 8AA 
    +44(0) 20 3206 5200
    Email:recruitment.support@erm.com

Back to top

Additional Fair Processing Notices and Notice Of Changes

We may undertake certain processing of personal data that is subject to additional Fair Processing Notices and we shall bring these to your attention where applicable.

The Company may change or update this Fair Processing Notice at any time. Should we change our approach to data protection, you will be informed of these changes or made aware that we have updated the Fair Processing Notice so that you know which information we process and how we use this information.

Back to top