Privacy Notice

 

Overview

This Privacy Notice explains how we use your personal data (information that is personal to you and could identify you) and sets out your legal rights relating to personal data.

This Notice applies to all M&S job applicants, colleagues and contractors in the UK and Ireland, including employees, freelancers, and agency workers.

Any reference to “we”, “us”, “our” and “the Company” means Marks and Spencer plc and other companies within the M&S Group, including Marks and Spencer (Ireland) Limited, where appropriate.

The M&S company identified in your employment contract or contract of engagement will be your main data controller. In addition, where processing of personal data is undertaken by other members of the M&S group, these associated companies may also be controllers of your personal information.

If you have any questions about this Notice or how we handle your data, you can contact our Data Protection Officer at dataprotectionofficer@marks-and-spencer.com

The data we collect about you

We collect, use, store and transfer different kinds of personal data about you which we’ve split into the categories listed below. Some of the personal data we collect comes from you, for example, you’ll usually provide this information directly to your manager, HR team(s) or enter it into our systems (eg, during the recruitment process, through direct access to our HR and onboarding systems, your participation in HR processes or emails you send).

We will usually receive information about you from third parties as part of managing your employment. This can happen, for example, when we carry out background checks, obtain references from previous employers, confirm professional qualifications, or verify your right to work. We may also receive information from government bodies for tax purposes, or employee benefit providers such as occupational health specialists for fitness-to-work assessments. These activities help us meet our legal obligations and support your employment with us.

The main categories of data we collect are set out below:

  • Identification and Contact information: Includes your name, title, preferred name, date of birth, age, gender, gender identity, nationality, civil/marital status, home address, personal phone number, personal email address, national insurance/Personal Public Service Number, right to work data (passport or visa documentation), languages spoken, emergency contact details (such as name and phone number of spouse or family member).
  • Employment details: Includes your job title/position, job/role description, accessibility information, office location and/or working location, employment contract, offer letter, hire and termination dates, reporting line (ie who you report to), employee or worker type, cost centre, working hours and patterns, exit interviews, and reasons for job changes, time & attendance records including punch information, absence records (including dates and categories of leave/time off), holiday dates, and family leave information.
  • Recruitment & Talent data: Includes qualifications, education history, CV and application details, interview and assessment data, talent development, feedback, career and training history, references from previous employers and information obtained from professional networking sites, background check vendors or other public sources during recruitment.
  • Background information: Includes credit history and criminal records data (utilised for background screening and vetting purposes where appropriate and in accordance with applicable law and consultation requirements).
  • Remuneration & Benefits data: Includes salary, allowances, bonuses and incentive plans, pension schemes, bank account details, tax information, union contributions, participation in benefits provided by third parties, and equity or incentive compensation such as share awards and options.
  • HR Processes & Performance data: Includes colleague and manager feedback, objectives, performance ratings, internal talent management and succession planning, performance management processes, flexible working requests, restructure and redundancy information, consultation records, selection and redeployment data, disciplinary records, health and safety audits, risk assessments, incident reports, and training needs or records.
  • Claims, Complaints and Disclosures data: Includes termination and settlement arrangements and payments, grievances, litigation and complaints, colleague involvement in incident reporting and disclosures (including whistleblowing), and information provided as part of insurance claims.
  • Feedback and sentiment data: This includes responses to employee surveys and engagement tools, typically processed anonymously or in aggregated form.
  • Travel & Expenses data: Includes data related to journeys taken, methods of transport, cost/payments, travel itineraries, visa information and accommodation bookings.
  • Video, voice and image: We may collect and use your video, voice and image data, subject to the requirements of applicable law and internal policy.
  • Security & Access Control data: Includes CCTV footage, access logs, building entry/exit records.
  • Emergency & Disaster recovery data: Data collected during emergencies (such as natural disasters or safety incidents), for example check-in status or location confirmation.
  • Workplace Technology, systems & applications data: Includes data from Office 365, Teams, Outlook, or internal business processes, including emails sent and received, calendar entries, to-do items, instant messages, technical data and information (containing only limited identifiers) in the context of using (online) applications, information system access, devices, device identifiers, IP addresses, system and application usage (including telemetry) when accessing and using buildings and assets.

Special Categories of Data

  • Health Data: This includes information about your physical and mental health, medical conditions, and any assessments or reports related to your fitness for work. For example, Occupational Health referrals and reports, records of sickness absence and reasons for absence, ‘fit notes’ and other information provided by medical practitioners.
  • Equality & Diversity Data: Includes details about your race or ethnicity, and may include religious or philosophical beliefs, sexual orientation, political opinions, genetic or biometric data, and where applicable, information about your disability.
  • Criminal Offence Data: This covers information about convictions, offences or suspected offences in the context of criminal activity, allegations, investigations and proceedings.
  • Trade Union Data: This includes information relating to an individual’s trade union membership (collected for payroll administration purposes, specifically the deduction of union subscriptions from wages and the transfer of those deductions to the relevant trade union).

How We Use Your Personal Data and Our Lawful Grounds for Doing So

We must tell you why we process your personal data and the lawful ground we rely on. There are several grounds but, in most cases, we rely on one or more of the following.

  • Contract – this is where processing your data is necessary in connection with your employment contract with M&S.
  • Consent – this is where you have provided permission to us to use your data for a particular purpose. Generally, we only rely on your consent when making an Occupational Health referral. If we request it for another purpose, we will make you aware at the time we collect your data. If you provide your consent, you can withdraw it at any time (see Your Rights section).
  • Legitimate Interests – this is where we rely on our interests or the interests of third parties. These interests can include our commercial interests and legally recognised legitimate interests (for example, where processing is necessary for responding to emergencies, the prevention or detection of crime, or safeguarding vulnerable individuals).
  • Legal requirement – this is where we must process your data to comply with a legal obligation.

Where we process Special Category Data or Criminal Offence Data, we rely on one of the following lawful grounds.

  • Explicit consent – this is where we collect your explicit consent to process your data.
  • Employment, Social Security and Social Protection Law – where processing is necessary to comply with legal obligations relating to employment (for example, managing sick pay, workplace adjustments, or diversity monitoring).
  • Legal claims and rights – this is where we process your data to establish, exercise or defend legal claims or rights. This might be needed if you are involved in a dispute, grievance, disciplinary process, tribunal claim, or any legal proceedings.
  • Substantial Public Interest – where processing is necessary for reasons of public interest set out in law, such as promoting equality and diversity, preventing or detecting unlawful acts, or safeguarding individuals.
  • Vital Interests – in very rare cases, where processing is necessary to protect someone’s life (for example, using emergency contact details in a life-threatening situation).

In the table below, we’ve provided details of:

  • how we use your data;
  • the main categories of data we use for each key activity and the principal lawful ground(s) we rely on;
  • the legitimate interest(s) of M&S and/or third parties for processing your data; and
  • (where relevant) the legal requirements which require processing of your data.

For each key activity, we’ve also explained whether we share data with, or receive data from, third parties. Like all companies our size, we use lots of suppliers to help provide our goods and services, and we change suppliers from time to time. It’s not practical to list them all but we’ve provided examples of the main ones. Most of these third parties act as data processors, which means they act on our instruction and cannot use your data for their own purposes, and we remain responsible for your data. Where the third party is a data controller, meaning they are responsible for your data, we’ve highlighted this by adding (C) next to their name. Privacy notices for these data controllers can be found on their websites.

 

| Purpose | Activity | Types of Data | Lawful Ground | Specific Legal Requirement | Legitimate Interest | Third Parties |
|---|---|---|---|---|---|---|
| Management of Employment / Working Relationship | Recruitment & Onboarding | Identification and Contact information; Recruitment & Talent data | Contract; Legal requirement; Legitimate Interests | We need to confirm you are legally allowed to work | Efficient hiring and onboarding processes to identify the best and most suitable candidates | We use a combination of recruitment platforms, assessment partners and background-checking providers, such as Oracle, Clevry, and Rightcheck, to manage applications, run skills and behavioural tests, and complete Right to Work and pre-employment checks |
| | Learning & Development | HR Processes & Performance data | Legal requirement; Legitimate Interests | We need to provide training to keep you and others safe at work, to help you or M&S fulfil legal duties and to enhance performance and efficiency | Supporting career development and skills enhancement | We use external training platforms and content providers like Learning Pool to deliver mandatory learning, onboarding modules and professional development training. |
| | Employee Lifecycle | Employment details | Contract; Legal requirement; Legitimate Interests | We may need to confirm your ongoing legal right to work | Managing employment changes and terminations | We use HR systems like Oracle to manage employment changes, contract variations and key milestones throughout your time with M&S. |
| | Managing Performance | HR Processes & Performance data | Legitimate Interests | | Monitoring and improving colleague performance | We use performance management tools such as Oracle to record objectives, track progress and manage colleague performance reviews |
| | Providing References | Identification and Contact information; Employment details | Legitimate Interests | | Supporting colleagues with references | We use information held in Oracle to provide employment references, and share limited details with prospective employers when requested. |
| | Alumni | Identification and Contact information; Employment details | Legitimate Interests | | Maintaining professional relationships and benefiting M&S and ex-colleagues | We use platforms like Enterprise Alumni to keep former colleagues connected with updates, opportunities and the wider M&S community. |
| | Occupational Health Purposes | Health data; Employment details | Consent (consent for this purpose only applies to the initial referral); Legal Requirement; Employment, Social Security and Social Protection Law; Legitimate Interests | We need to assess and support your health at work, which may involve providing reasonable adjustments | Supporting colleague wellbeing and meeting legal obligations | We work with occupational health providers such as PAM (C) to assess wellbeing, provide health advice and support workplace adjustments. |
| | Colleague Relations (Grievance, Disciplinary & Investigations) | HR Processes & Performance data; Claims, Complaints and Disclosures data; Health Data; Criminal Offence Data (where relevant) | Legal requirement; Legitimate Interests; Legal Rights & Claims | We need to handle complaints, disputes and investigations fairly and lawfully. | Ensuring fair treatment, resolving disputes, protecting business from legal risk | We use case-management systems like Oracle and may work with legal advisers, regulators, law enforcement or tribunals where required to handle grievances, disciplinaries and investigations fairly and lawfully. |
| | Emergency Contact & Disaster Recovery | Emergency & Disaster Recovery data; Employment details | Legitimate Interests | | Duty of care and emergency response. We need to contact someone in case of an emergency | We may share next-of-kin details with emergency services where necessary to protect a colleague’s safety in urgent situations. |
| | Workforce Planning & Analytics | Employment details | Legitimate Interests | | Business planning and resource allocation | We use HR data systems to support workforce planning, forecasting and business decision-making |
| Payroll, Compensation & Benefits | Reward & Benefits (including Salary, Payroll Bonus) | Remuneration & Benefits data; Employment details; HR Processes & Performance data; Trade Union Data | Contract; Legal requirement; Legitimate Interests; Employment, Social Security and Social Protection Law | We need to calculate and pay your salary and benefits correctly and comply with tax related duties | Ensuring timely and accurate payment of salary and benefits and resolving payroll issues, and deducting subscription payments | We work with a range of HR, payroll, reward and wellbeing partners, including Reward Gateway, Blue Yonder and Oracle, to provide colleague benefits, manage reward schemes and support overall financial and personal wellbeing. We work with payroll recovery partners like CWC to identify and manage any overpayments in a fair and transparent way. |
| | Pensions | Remuneration & Benefits data; HR Processes & Performance data | Contract; Legal requirement | We need to enrol you in a pensions scheme and manage contributions | Administering pension schemes | We partner with pension administrators like Capita and pension providers like Legal & General (C) to manage pension enrolment, contributions and member communications. |
| | Time & Attendance | Employment details; Security & Access Control data; Health Data | Contract; Legitimate Interests; Legal Requirement; Employment, Social Security and Social Protection Law | We need to record hours worked and manage leave in line with working time rules | Managing workforce scheduling and attendance | We use workforce management systems, including Oracle and Blue Yonder, to record working hours, rota information, leave and absence data. |
| Monitoring, Security & Health & Safety | CCTV & Security Including Access Control Systems | Security & Access Control data; Video, voice and image; Criminal Offence Data | Legitimate Interests; Employment, Social Security and Social Protection Law; Legal requirement; Substantial Public Interest | We need to maintain a safe and secure working and shopping environment for colleagues and customers under health and safety laws. | Protecting company assets and detecting or preventing crime. Managing access to sites and systems, and preventing, detecting and investigating security incidents, health and safety matters, misconduct, or unlawful activity | We work with security partners such as Mitie and Auror, and where necessary police and law enforcement (C), to operate CCTV, manage access control and support investigations into security incidents. Further information on our wider security processes can be found in the Customer Privacy Policy |
| | IT Systems Monitoring | Workplace Technology, systems & applications data; Video, Voice, Image | Legitimate Interests | | We need to ensure the security, stability and proper use of IT systems, protect company data, prevent and detect cyber security threats and investigate suspected misuse of workplace technology. | We use IT service partners like TCS to monitor system performance, manage access and maintain cyber-security controls. |
| | Health and Safety | Health Data | Legal requirement; Legitimate Interests; Employment, Social Security and Social Protection Law | We need to keep the workplace safe and report accidents or injuries when required | Maintaining a safe workplace and supporting wellbeing | We use health and safety systems such as Simple Compliance to record incidents, support investigations and meet reporting obligations. |
| | Fraud Prevention & Security Screening | Identification and Contact information; Background information; Recruitment & Talent data | Legal requirement; Legitimate Interests; Employment, Social Security and Social Protection Law | We are legally required to conduct background checks and screening for certain roles | Preventing fraud and safeguarding assets | We work with external fraud-prevention agencies and, where needed, law enforcement bodies to carry out background checks for certain roles and investigate suspected fraud. |
| Diversity & Inclusion | Diversity Reporting | Equality & Diversity Data | Legal requirement; Employment, Social Security and Social Protection Law; Substantial Public Interest; Legitimate interests | Compliance with equalities legislation | Promoting equality and diversity | Regulators (C) |
| Feedback & Engagement | Employee Engagement | Feedback & Sentiment data (generally anonymised) | Legitimate Interests | | Improving employee experience and engagement (M&S does not receive or access individual-level responses and does not use this data to identify or profile individual employees. The aggregated insights are used solely to understand overall workforce trends and inform workplace improvements.) | We use engagement platforms like CultureAmp to run colleague surveys, analyse feedback and improve the overall employee experience. |
| Travel & Expenses | Travel & Expenses | Travel & Expenses data | Contract; Legitimate Interests; Legal Requirement | We need to manage travel and expenses in line with tax rules | Managing business travel efficiently and ensuring that colleagues are recompensed. | We use travel and expense partners, including ClarityGo and SAP, to manage business travel bookings, itineraries and expense processing. |
| Legal & Compliance | Corporate transactions / Insurance Administration | Identification and Contact information; Employment details | Legitimate Interests | | Buying and selling business; Mergers or partnerships; Providing insurance cover | We work with legal advisers, potential partners, buyers/sellers and insurers when managing corporate transactions, business changes or insurance arrangements. |
| | Whistleblowing / Speak Up | HR Processes & Performance data; Claims, Complaints and Disclosures data | Legal requirement; Legitimate Interests; Employment, Social Security and Social Protection Law | We are legally required to investigate concerns and protect whistleblowers | Ensuring compliance and ethical standards | We work with regulators and legal advisers, where required, to investigate concerns raised through whistleblowing channels and ensure fair, lawful outcomes. |
| | Insurance Claims & Risk Management | Claims, Complaints and Disclosures data | Legitimate Interests; Legal rights and claims | | Managing risk and processing claims | We work with insurers and legal advisers to assess, process and resolve insurance claims and manage business risk. |
| | Legal disputes, enforcement activity and prosecutions | Claims, Complaints and Disclosures data; Employment details; Health Data; Criminal Offence Data | Legitimate Interests; Legal claims and rights | | Exercising legal rights and defending M&S interests, including in relation to employment disputes and other legal claims or rights, and taking appropriate action in connection with enforcement and prosecutions. | We work with legal advisers and may disclose information to courts (C), law enforcement bodies and regulators (C), |

Automated Decision Making

For some roles in M&S, the first stage in the recruitment assessment process includes online testing. If you don't ‘pass’ that test, you’re unable to proceed any further with your application although you do have the right to request a review of this. The test assessment is carried out using automated assessment software, applying criteria set by M&S, without human involvement. This means your result is determined through an automated process.

Where a decision not to progress an application is made solely on the basis of automated decision taking, you’ll be notified of this, and of your right to request a review of the decision.

International transfers

This section of the Notice is for people in the UK or Ireland and in most cases that is where your personal data is generally processed, stored and used. However, we work with some suppliers that operate in, or from, various countries worldwide. This means that your information will be transferred to, or accessed from, a country outside of your country of residence. For example, we use an HR system supported by a team based in India and sometimes they might need to access your data to provide technical support or maintenance. We also work with suppliers and partners who may make use of Cloud and/or hosted technologies across multiple geographies.

When we transfer your personal data to, or make it accessible from, countries outside of the UK or Ireland we must meet certain requirements as outlined below:

Protection by local law

The UK government and European Commission consider some countries safe to transfer your personal information since they have adequate data protection laws. The UK’s list is here and the European Commission’s is here.

Transfers of data to such jurisdictions can be made as freely as transfers within the UK or Ireland.

Protection by other safeguards

We can also transfer personal information to countries that have not been assessed as adequate if we use appropriate safeguards. The main safeguards we use are:

  • regulator-approved Standard Contractual Clauses (Those clauses can be accessed here and here)
  • additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer)

How long do we keep your data?

For unsuccessful applicants, we will not normally keep your data for any longer than 12 months after the decision not to offer a position, unless you’ve agreed to us retaining it for longer.

For colleagues, we will not keep your personal data for longer than necessary and will delete it when we no longer need it. The longest time we'll hold personal data for is normally seven years after your employment ends, but this depends on the type of data. In exceptional cases, data may be held for longer periods where required.

Your data protection rights

You have the right to:

  • ask for a copy of personal data that we hold about you (the right of access);
  • request that we delete personal data held on you where we no longer have a valid reason to retain it (the right of erasure or to be forgotten);
  • ask us to update and correct any out-of-date or incorrect personal data that we hold about you (the right of rectification);
  • opt out of any marketing communications that we may send you and to object to us using/holding your personal data if we have no legitimate reasons to do so (the right to object);
  • ask us to ‘restrict processing of data’, which means that we would need to secure and retain the data for your benefit but not otherwise use it (the right to restrict processing); and
  • ask us to supply you with some of the personal data we hold about you in a structured machine-readable format and/or to provide a copy of the data in such a format to another organisation (the right to data portability).

To exercise your rights, email datasubjectrights@marks-and-spencer.com. The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal personal data about another person, if you ask us to delete data which we’re required to have by law, or if we have compelling legitimate interests to keep it. We’ll let you know if that is the case.

Privacy queries and complaints

If you have any queries in relation to use of your personal data or believe we’ve not complied with data protection laws, you can contact our Data Protection Officer by emailing datasubjectrights@marks-and-spencer.com. We will acknowledge receipt within 30 days and will, without undue delay, investigate the complaint and inform you of the outcome.

You can also make a complaint to the relevant data protection regulator. For UK Residents the relevant regulator is the Information Commissioner’s Office (https://ico.org.uk) and for ROI Residents it’s the Data Protection Commission (https://www.dataprotection.ie/).

Although you can complain to the relevant data protection regulator, they expect you to raise the issue with us first so if you haven’t already done so, please contact our Data Protection Officer at datasubjectrights@marks-and-spencer.com and we’ll try and help.

Changes to this Notice

This Privacy Notice was last updated on 30th April 2026. Any changes we may make to our Privacy Notice in the future will be posted on this page. If we make material changes to the way we process your personal data, such as using your data for a new purpose, we will notify you.