Protecting your personal data is very important, including making sure it is only used and shared when appropriate. This policy outlines how the personal data of applicants and prospective employees of M&S will be used, and your associated legal rights. Personal data is defined as information from which individuals may be identified.
This policy applies to all applicants to M&S in the UK and is in line with UK GDPR and other data protection laws.
Types of Personal Data
M&S obtains personal data relating to prospective employees including, but not limited to:
- name, address and other contact details;
- information about previous employment, educational details, skills and experience;
- details of training and qualifications;
- information relating to your health and health conditions;
- race and ethnicity, religion, trade union membership (ROI);
- unspent criminal convictions;
- communications and correspondence;
- publicly available information, including via social networking sites and public profiles;
- other biographical and personal data; and
- salary expectations and information on preferred working arrangements
Our standard data retention periods for prospective employees are as follows:
- Unsuccessful candidates – six months after decision not to offer a position, unless you have agreed to longer retention.
- Other prospective employees – 12 months following collection of personal data, unless you object, or agree to a longer retention period.
In exceptional cases, data may be held for longer periods where required.
Uses of personal data
M&S, and our partners and agents, use this data for a variety of purposes. These include, but are not limited to:
- recruitment, screening and assessment;
- activities relating to interviewing and selecting prospective employees (and maintaining related records);
- identifying and selecting possible candidates for employment opportunities which may arise in the future;
- compliance with statutory and regulatory obligations;
- managing legal disputes;
- exercising or fulfilling M&S’s legal rights and responsibilities; and
- prevention or detection of fraud, crime, or other unlawful or inappropriate conduct.
Legal basis for using prospective Colleague data
In general, we may process prospective employees’ data on the basis that:
- it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
- it is necessary to fulfil our obligations or exercise our rights relating to employment, social security and social protection law
- it is necessary in connection with legal claims; or
- it is necessary for preventing or detecting unlawful acts
Disclosures of data
Where necessary and lawful, your personal data may be disclosed, for example, to:
- M&S management, employees, staff or contractors involved in recruitment and talent management;
- other M&S group companies or Joint Ventures;
- our professional advisers, such as solicitors or accountants, and consultants;
- government departments and agencies;
- police and law enforcement agencies;
- courts and tribunals; and
- partners, suppliers, agents and service providers.
For some roles within M&S, the first stage in the assessment process includes online testing. Subject to your right to request a review, if you do not ‘pass’ that test, you are unable to proceed any further with your application. The test assessment is carried out using automated assessment software, applying criteria set by M&S, without human involvement. It is therefore likely to fall within the scope of Article 22 of the UK GDPR and section 14 of the Data Protection Act 2018 on ‘Automated individual decision-making’.
Where a decision not to progress an application is made solely on the basis of such automated decision-taking, you will be notified of the fact and of your right to request a review of the decision.
International transfers of data
It is necessary for M&S to transfer some personal data outside of the European Economic Area, including to jurisdictions where local legislation does not provide adequate safeguards regarding the protection and security of personal data. This will typically occur when service providers that need to access such data are located outside the EEA.
Where this takes place, we will ensure that the transfer is compliant with data protection law and that personal data is secure. In most cases, we will rely on standard data protection clauses which have been approved by the European Commission in accordance with the Regulation. A copy of the standard clauses can be obtained at the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
Where appropriate and lawful, we may exceptionally transfer data outside the EEA without relying on the standard data protection clauses, including where:
- the individual has explicitly consented to the transfer;
- it is required as part of the contract between M&S and an employee; or
- it is necessary in connection with legal disputes and claims.
You have a number of statutory rights under the Regulation. They include the right to request that M&S:
- provide you with a copy of your personal data held;
- correct inaccurate information; and
- delete information which M&S do not have a legitimate basis to hold.
You also have rights to restrict the processing of data relating to you, object to processing and in certain circumstances to ‘data portability’ (this means that data is provided in a structured, commonly used and machine-readable format).
Detailed information on these rights can be found in the Regulation or the website maintained by the Information Commissioner’s Office at https://ico.org.uk.
These rights can be exercised free of charge and M&S will normally respond within a month.
If you wish to exercise any of the above rights, please email DataProtectionOfficer@marks-and-spencer.com
If you are unhappy about the way your personal data has been handled by M&S, you have the right to lodge a complaint with either M&S’s Data Protection Officer or directly with the Information Commissioner’s Office. Further information, including contact details, is available at https://ico.org.uk.