Protecting your personal data is very important, including making sure it's only used and shared when appropriate. This policy outlines how the personal data of applicants and prospective colleagues of M&S will be used, and your associated legal rights. Personal data is defined as information from which individuals may be identified.
This policy applies to all applicants to M&S in the UK and is in line with the UK GDPR and other data protection laws.
1. Types of Personal Data
M&S obtains personal data relating to prospective colleagues including, but not limited to: • name, address and other contact details; • information about previous employment, educational details, skills and experience;
• details of training and qualifications;
• information relating to your health and health conditions;
• race and ethnicity; • unspent criminal convictions;
• communications and correspondence;
• publicly available information, including via social networking sites and public profiles;
• other biographical and personal data; and
• salary expectations and information on preferred working arrangements.
Our standard data retention periods for prospective employees are as follows:
• Unsuccessful candidates – 12 months after the decision not to offer a position unless you've agreed to a longer retention period.
In exceptional cases, data may be held for longer periods where required.
2. Uses of Personal Data
M&S, and our partners and agents, use this data for a variety of purposes. These include, but are not limited to:
• recruitment, screening and assessment;
• activities relating to interviewing and selecting prospective employees (and maintaining related records);
• identifying and selecting possible candidates for employment opportunities which may arise in the future;
• compliance with statutory and regulatory obligations;
• managing legal disputes;
• exercising or fulfilling M&S’s legal rights and responsibilities; and
• prevention or detection of fraud, crime, or other unlawful or inappropriate conduct
3. Legal Basis for Using Prospective Colleague Data
In general, we may process prospective employees’ data on the basis of:
• it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
• it's necessary to fulfil our obligations or exercise our rights relating to employment, social security and social protection law
• it's necessary in connection with legal claims; or
• it's necessary for preventing or detecting unlawful acts Where data is collected and used solely on the basis of consent, you have the right to withdraw consent at any time.
4. Disclosures of Data
Where necessary and lawful, your personal data may be disclosed, for example, to:
• M&S management, colleagues, staff or contractors involved in recruitment and talent management;
• other M&S group companies or Joint Ventures; • our professional advisers, such as solicitors or accountants, and consultants;
• government departments and agencies; • police and law enforcement agencies; • courts and tribunals; and
5. Automated Decision-Making
For some roles in M&S, the first stage in the assessment process includes online testing. Subject to your right to request a review, if you don't ‘pass’ that test, you’re unable to proceed any further with their application. The test assessment is carried out using automated assessment software, applying criteria set by M&S, without human involvement. It's therefore likely to fall within the scope of Article 22 of the UK GDPR and section 14 of the Data Protection Act 2018 on ‘Automated individual decision-making’.
Where a decision not to progress an application is made solely on the basis such automated decision taking, you’ll be notified of this, and of your right to request a review of the decision.
6. International Trasnfers of Data
It is necessary for M&S to transfer some personal data outside of the European Economic Area, including to countries where local legislation doesn't provide adequate safeguards regarding the protection and security of personal data. This will typically occur when service providers that need to access such data, are located outside the EEA.
Where this takes place, we will make sure that the transfer is compliant with data protection law and that personal data is secure. In most cases, we will rely on standard data protection clauses which have been approved by the European Commission in accordance with the Regulation. A copy of the standard clauses can be found at the following link http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
Where appropriate and lawful, we may exceptionally transfer data outside the EEA without relying on the standard data protection clauses, including where:
• the individual has explicitly consented to the transfer;
• it is needed as part of the contract between M&S and a colleague; or
• it's necessary in connection with legal disputes and claims.
7. Your Rights
You have a number of statutory rights under the Regulation. They include the right to request that M&S:
• Provides you with a copy of your personal data held;
• correct inaccurate information; and
• delete information which M&S don't have a legitimate basis to hold.
You also have rights to restrict the processing of data relating to you, object to processing and in certain circumstances to ‘data portability’ (this means that data is provided in a structured, commonly used and machine-readable format).
Detailed information on these rights can be found in the Regulation or the website maintained by the Information Commissioner’s Office at https://ico.org.uk
These rights can be exercised free of charge and M&S will normally respond within a month.
If you’re unhappy about the way your personal data has been handled by M&S, you have the right to lodge a complaint with either the M&S’s Data Protection Officer or directly with the Information Commissioner’s Office. Further information, including contact details, is available at https://ico.org.uk.