Applicant Privacy Policy for residents of the European Union


Scope of privacy notice

This Recruitment Privacy Notice explains the type of information we process, why we are processing it and how that processing may affect you in relation to the recruiting process for residents of the European Union (EU). This Recruitment Privacy Notice, along with our CBS Online Privacy Policy available on governs our use of your data.

What do we mean by “personal data” and “processing”?

“Personal data” is information relating to an identified individual (or from which an individual may be identified, whether directly or indirectly) which is processed by automatic means or which is (or is intended to be) part of a structured manual filing system. It includes not only facts about an individual, but also intentions and opinions about individual.

“Processing” means doing anything with the data. For example, it includes collecting it, holding it, disclosing it and deleting it.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data (if used to uniquely identify a natural person) are subject to special protection and considered by EU privacy law to be “sensitive personal data”.

Your personal data

We process your data for the purposes of fulfilling our recruitment practices. Some of the personal data that we process about you comes from you. For example, you tell us your contact details. Other personal data about you is generated from references and third party companies such as recruitment agencies. Your personal data will be seen internally by managers, administrators, HR, and other personnel involved in making a recruitment decision about you.

You are not obliged to provide us with this data. However, not doing so may adversely affect your chances of recruitment.

How long do we keep your personal data?

If you are successful in your application your data will be kept on your personnel file. If you are unsuccessful, your data will be deleted twelve months after you have been informed that you were unsuccessful. Your data may be kept on file and considered for other roles. Irrelevant data such as CCTV images of you attending our premises for interview may be deleted after a short period.

Transfers of personal data outside the EEA

We may transfer your personal data outside the EEA to members of our group and/or processors in the United States, which may have lower data protection standards that are customary in the EEA. Where necessary, these transfers are covered by the intra-group transfer agreement.

The recipients of the personal data are indicated in Annex 1.

The transfer of personal data to recipients based outside of the EEA is carried out to obtain approval for new hires and remuneration levels. We will ensure that the transfer is lawful by using model clauses where necessary, and that there are appropriate security arrangements in place.

If you wish to see details of the safeguards we have put in place, please ask the Data Protection Officer.

Contact details

In processing your personal data, we act as a data controller. Our contact details are as follows:

Data Protection Officer

Legal grounds for processing personal data

What are the grounds for processing?

Under data protection law, there are various grounds on which we can rely when processing your personal data. In some contexts more than one ground applies. We have summarised certain grounds as Legal obligation and Legitimate Interests and outline what those terms mean below.

Term Ground for processing

Contract Processing necessary for the performance of a contract with you or to take steps at your request to enter a contract This covers carrying out our contractual duties and exercising our contractual rights.
Legal obligation Processing necessary to comply with our legal obligations We process certain data in order to perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination or for diversity monitoring purposes.
Legitimate Interests Processing necessary for our or a third party’s legitimate interests We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data. Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests, rights and freedoms.

Processing sensitive personal data

If we process sensitive personal data about you, as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing sensitive personal data applies, including that the processing is for equality and diversity purposes to the extent permitted by law.

Further information on the data we process and our purposes

Examples of the data and the grounds on which we process data are in the table below. The examples in the table cannot, of course, be exhaustive.

Purpose Examples of personal data that may be processed Grounds for processing

Standard data related to your identity (e.g. your name, address, place of birth, nationality, gender, contact details, professional experience, education, language skills, and any other personal data that you present us with as part of your application related to the fulfilment of the role).

Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks and any information connected with your right to reside and work in the UK. If relevant, we may also process information concerning your health, any disability and in connection with any adjustments to working arrangements.

  • Contract
  • Legal obligation
  • Legitimate interests
  • Exercising specific rights in the field of employment
Contacting you or others on your behalf Your address and phone number, emergency contact information and information on your next of kin
  • Contract
  • Legitimate interests
Security CCTV images
  • Legitimate interests
Monitoring of diversity and equal opportunities Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age
  • Legitimate interests
  • Necessary to carry out obligations relating to employment and social protection law

Who gets to see your data?

Your personal data may be disclosed to managers, HR and administrators for employment, administrative and management purposes as mentioned in this document. We may also disclose this to other members of our group as reasonably necessary to make a recruitment decision about you.

We may disclose your personal data on a confidential basis to our advisers, our insurers, or the courts or regulatory authorities in the event of any claims or threatened claims.

We may also disclose your personal data to government agencies for immigration purposes.

Access to your personal data and other rights

We try to be as open as we reasonably can about personal data that we process. If you would like specific information, just ask us. You can contact us at

You also have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information (subject to certain exemptions), including a description of the personal data, and an explanation of why we are processing it.

If you make a subject access request and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.

As well as your subject access right, you may (in certain circumstances) have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller. This only applies if the ground for processing is Consent or Contract.

If we have relied on consent as a ground for processing, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.


If you have complaints relating to our processing of your personal data, you should raise these with HR or the Data Protection Officer in the first instance. You may also have the right to raise complaints with the appropriate Data Protection Authority and lodge a complaint.


This notice does not form part of any contractual relationship between the Company and a job applicant. This notice can be changed at any time.

Annex 1 – Data recipients located outside of the EEA

Recipients Country
CBS Corporation and subsidiaries United States