1. Scope
This Global Recruitment Data Protection Notice (“Notice”) explains how Sidley Austin LLP and affiliated partnerships (the “Firm”, “we”, “us” and “our”) process personal data (i.e., information that directly or indirectly identifies you) pertaining to individuals who apply for a position or role at the Firm (“Applicants”, “you”, “your”) as employee, self-employed lawyer or consultant, and all Applicants who are applying for an internship, vacation scheme, summer associate programs, work placement, or similar programs.
This Notice is issued by Sidley Austin LLP as data controller (i.e., a person or organisation who alone or jointly determines the purposes for which, and the way, any personal data is, or is likely to be, processed). For information on our processing activities and your rights related to those activities in particular jurisdictions, please consult Section 13 below. Personal information submitted elsewhere on Sidley Austin’s and its affiliates’ websites will be used in accordance with our general online Privacy Policy.
2. Collecting your personal data
We may collect certain personal data directly from you, as Applicant (when you apply or visit our offices), but we may also collect it from external recruitment agencies, background check vendors and other non-publicly accessible sources. If you do not provide us with the necessary personal data, or if we are unable to obtain it elsewhere, we may not be able to proceed with the application, consider you for a position or offer you an internship, vacation scheme, summer associate programs, work placement, or similar program.
Where we carry out background checks on you it may involve the processing of sensitive personal data, and we will only do so with your explicit consent or as permitted or required by law. It may also involve the processing of criminal record data and this will only be processed where such processing is specifically authorized or required by law.
If you participate in our internship, vacation scheme, summer associate programs, work placement, or similar programs. we will also collect information about your performance during job-related activities and assessments through the course of your placement with us.
3. What types of personal data we collect
During the recruitment process, or if you participate in one of our internship, vacation scheme, summer associate programs, work placement, or similar programs, we may collect and process the following types of personal data:
i) contact information (e.g., name, home and business address, phone numbers and email addresses);
ii) personal information (e.g., date of birth, nationality, passport or national ID numbers, photographs);
iii) employment and educational history (e.g., CV/resume, academic transcripts, references and organizational data such as department, work location, job title and seniority, professional qualifications, language skills);
iv) information from references or other individuals who know you and may speak to your professional qualifications and experience;
v) information in relation to sex/gender, race, nationality, ethnicity, religion, health and sexual orientation for equal opportunities monitoring and to support our diversity, equity, and inclusion initiatives;
vi) information about your legal entitlement to work (e.g., visas, permits, immigration status);
vii) bank account details;
viii) medical and health information (e.g., information in relation to any medical condition, health and sickness records to the extent that you require adjustments to be made to our assessment and interview processes);
ix) information about criminal convictions and offences committed by you;
x) social media or other online activity;
xi) next of kin and emergency contact information;
xii) start and end date of your placement;
xiii) the location of your placements;
xiv) information and opinions regarding your performance during your interviews and/or placement;
xv) CCTV footage and other information obtained through electronic means;
xvi) information about your use of our information and communication systems;
xvii) photographs of you; and
xviii) any other information which you may voluntarily disclose to us during the application process.
4. How we use your personal data
We process your personal data to assess your application for recruitment, employment or placement.
We may also need to process your personal data to:
i) comply with our legal and regulatory obligations;
ii) enter into contractual arrangements with you and to administer your ongoing relationship with the Firm;
iii) check whether you are legally entitled to work in the relevant jurisdiction;
iv) to improve our application procedures and processes;
v) ensure our insurance requirements are met;
vi) comply with our health and safety obligations;
vii) make adjustments to our recruitment processes as a result of any disability you may have;
viii) deal with any legal disputes, including any accidents at work;
ix) prevent fraud;
x) monitor your use of our information and communication systems to ensure compliance with our IT policies;
xi) ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
xii) carry out equal opportunities monitoring and to support diversity, equity, and inclusion initiatives.
5. Our legal basis for processing your personal data
Applicable laws require us to ensure we have a legal basis for all the processing activities that we carry out on your personal data. We conduct our processing activities on the basis that:
- it is necessary in order to enter into a contract with you (including to enable us to determine whether to enter into any contract with you);
- it is necessary to comply with a legal or regulatory obligation; and/or
- it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We have carefully balanced our legitimate interests in the recruitment process against your data protection rights. If you wish to obtain more information on the balancing exercise we performed, please contact us by using the contact details below.
6. Sharing your personal data
6.1 Disclosure to Certain Third Parties
We may disclose certain personal data for the above purposes to the following recipients:
i) to other affiliated partnerships of the Firm, self-employed lawyers engaged by the Firm, service providers (e.g., IT service providers, background checks vendors and external recruitment agencies) and advisors;
ii) to fraud prevention agencies and law enforcement agencies;
iii) to courts, governmental and non-governmental regulators;
iv) to organizations or other certifying bodies for the purposes of equal opportunities monitoring and diversity, equity, and inclusion initiatives; or
v) as required or permitted by law, including to comply with a subpoena or similar legal process or government request, or when the Firm believes in good faith that disclosure is legally required or the Firm has a legitimate interest in making a disclosure, such as where necessary to protect the Firm’s rights and property.
6.2 Transfers of your personal data
The Firm may disclose your personal data, for the above listed purposes, to recipients (including affiliated partnerships) in locations that do not have data protection laws equivalent to those in Hong Kong, the UK, the EEA and Switzerland.
In such a case, the Firm will take all necessary steps to ensure the safety of your personal data in accordance with all applicable data protection laws at a standard substantially similar to, or that serves the same purposes as those of the relevant legislation (if applicable). For transfers of personal data within the Firm to offices outside of the UK and EEA the Firm has in place intra-group Data Transfer Agreements with EU Standard Contractual Clauses. You can request a copy of these agreements by contacting privacy@sidley.com.
7. Your rights in relation to your personal data
Under applicable data protection laws, you may have a right to:
- be informed about how your Personal Data is used;
- access your personal data;
- have inaccurate personal data rectified;
- have personal data erased in certain circumstances;
- restrict processing of personal data in certain circumstances;
- data portability (you can ask for a copy of your personal data to be provided to you, or a third party, in a digital format);
- object to processing of personal data in certain circumstances, including where personal data is used for marketing purposes; and
- not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect. (automated decisions are decisions about individuals that are based solely on the automated (i.e., computerized) processing of data and that produce legal effects or that significantly affect the individuals involved. As a rule, the Firm does not make use of automated decision-making as described above when considering you for a position at the Firm).
You may also have the right to lodge a complaint about the processing of your personal data with your local data protection authority, please contact us at privacy@sidley.com if you’re interested to find out the contact details of your local regulator/authority.
8. Securing your personal data
The Firm will take steps to protect your personal data against loss or theft, as well as from unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held.
9. Retaining your personal data
We will only keep your data for as long as necessary for the purposes for which it was collected, for us to fulfil our statutory obligations and where we have a legitimate interest to do so. The criteria used to determine our retention periods are: (i) the duration of the application process; (ii) the period of time that we have an ongoing relationship with you; (iii) as required by a legal obligation to which we are subject; and (iv) as advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, or regulatory investigations).
In the event we make an offer and you accept, your personal data will be held and processed in accordance with our Internal Data Protection Notices and other relevant procedures and policies.
10. Passive Information Collection: Cookies and Similar Technology
Sidley Austin and its service providers use “cookies” and similar technology on our websites. Please see our Cookie Policy and/or our Privacy Policy for more information.
11. Diversity
Sidley Austin is an equal opportunity employer, which means we offer equal treatment to all candidates. Sidley Austin does not discriminate, either directly or indirectly, on protected grounds: race, colour, sex, gender identity, sexual orientation, nationality, national origin, ethnic origin, religion, beliefs or creed, age, disability, marital status, veteran status, or genetic information in any area of recruitment.
Sidley Austin also values the diversity of its attorneys and professional staff and supports a variety of diversity, equity, and inclusion initiatives. As provided in this Notice, we may ask you information in relation to sex/gender, race, nationality, ethnicity, religion, health and sexual orientation.
We use this data for equal opportunities monitoring and supporting our diversity, equity, and inclusion initiatives, such as in obtaining and maintaining professional registrations or third-party certifications.
12. Updates
We evaluate our privacy notices, policies and procedures to implement improvements and refinements from time to time. If we make material changes to this Notice that affect you, we will notify you by regular communication channels.
13. Enquiries, Requests or Concerns
All enquiries, requests or concerns regarding this Notice, your rights, or relating to the processing of your personal data (including our legal basis for processing in each case), should be sent to privacy@sidley.com.
14. Jurisdiction-specific notices and exceptions
14.1 California
For California residents, this Notice serves as our notice at collection as required by the California Consumer Privacy Act and California Privacy Rights Act.
Collection and Disclosure of Personal Information
The table below provides the categories of Personal Information we collect and process. It also provides information on our processing and disclosure of Personal Informal for our operational business and hiring and recruitment purposes. This information encompasses our collection, processing, and disclosure activities within the 12 months preceding the date this Policy was last updated.
|
Category of Personal Information |
Examples |
Categories of Third Parties with Whom Information is Shared |
|
Identifiers |
Name, alias, postal address, email address, telephone number, job applicant portal username and password, Social Security Number, driver's license or state identification card number, IP address, online identifiers |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors (lawyers, accountants, auditors), former employers and references, public and governmental authorities, business partners |
|
Personal Information |
Name, signature, physical characteristics or description, address, telephone number, education, employment information |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, former employers and references, public and governmental authorities, business partners |
|
Protected Class Information |
Race, ethnicity, national origin, sex, gender, sexual orientation, gender identity, age, disability, military/veteran status, marital status, medical condition, pregnancy |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, public and governmental authorities, business partners |
|
Commercial Information |
Travel information and expenses |
Affiliates, service providers for travel arrangements and expense management, IT service providers, public and governmental authorities |
|
Internet or Network Activity |
IP addresses, access logs, browsing history, search history, usage history with respect to job applicant portals or systems |
Affiliates, IT and cloud/hosting service providers, public and governmental authorities |
|
Geolocation Data |
Approximate location of devices used to access websites or online application portals, derived from IP address |
Affiliates, IT and cloud/hosting service providers, public and governmental authorities |
|
Audio, Electronic, Visual, and Similar Information |
Photographs, audio recordings, voicemail, CCTV footage |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, public and governmental authorities |
|
Education Information |
Student transcripts, grade point average, grades, academic standing, confirmation of graduation |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, public and governmental authorities, business partners |
|
Professional or Employment-Related Information |
Work history, prior employer, information from reference checks, work experience, qualifications, training and skills, work authorization, CV, résumé, cover letter, professional and other work-related licenses, permits and certifications, publicly accessible information posted on professional social media accounts |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, public and governmental authorities, business partners |
|
Inferences |
Inferences drawn from any of the personal information listed above to create a profile about an individual's preferences, characteristics, predispositions, and abilities |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, public and governmental authorities, business partners |
|
Sensitive Personal Information |
Social Security, driver's license, state identification card, or passport number; account log-in; racial or ethnic origin, citizenship, immigration status, union membership; personal information collected and analyzed concerning an individual's sex life or sexual orientation |
Affiliates, IT and cloud/hosting service providers, vendors performing background checks and HR services, professional advisors, public and governmental authorities |
We do not “sell” or “share” your Personal Information, including Sensitive Personal Information, for purposes including cross-context behavioural advertising, as defined under the California Consumer Privacy Act. We have not engaged in such activities in the 12 months preceding the date this Policy was last updated. Without limiting the foregoing, we do not sell or “share” the Personal Information, including the Sensitive Personal Information, of minors under 16 years of age.
Purposes for the Collection, Use, and Disclosure of Sensitive Personal Information
We collect, use, and disclose Sensitive Personal Information for only the following purposes:
- performing services on behalf of our business;
- providing services and goods as requested by you;
- ensuring the quality or safety of the services we manage or enhancing those services;
- ensuring the security and integrity of our infrastructure and the individuals we interact with;
- receiving and processing your job application; evaluating your suitability for the position(s) you are applying for;
- making you an offer (subject to our discretion);
- short-term transient use;
- securing access to, and use of, our facilities, equipment, systems, networks, applications, and infrastructure;
- preventing, detecting, and investigating security incidents;
- resisting and responding to fraud or illegal activities; and
- other collection and processing activities that are not intended to infer characteristics about an individual.
Individual Rights and Requests
California law provides you with the following rights concerning your personal information:
- You have the right to request that we provide you with the following information:
- The categories of Personal Information we have collected about you and the categories of sources from which we collected such Personal Information;
- The business or commercial purpose for collecting Personal Information about you; and
- The categories of Personal Information about you that we disclosed and the categories of third parties to whom we disclosed such Personal Information.
- You have the right to request that we correct inaccuracies in your Personal Information.
- You have the right to request that we delete Personal Information we have collected from you under certain circumstances.
- You have the right to request to receive the specific pieces of your Personal Information, including a copy of the Personal Information you provided to us in a portable format.
- You have the right to not be discriminated against or face retaliation in the exercise of your rights under California law.
To make a privacy request, please contact us at privacy@sidley.com, via our webpage for submitting online requests. We make every effort to respond to requests promptly and without delay. In any event we will verify your identity and acknowledge your request within 10 days. We will respond to your request within 45 days, including whether will need to extend the response time. If so, we will provide a complete response within an additional 45 days.
Authorized Agents
If an agent wishes to make a request on your behalf as permitted by applicable law, the agent may use the submission methods noted in the section entitled "Individual Rights and Requests." As part of our verification process, we may request that the agent provide proof of their status as an authorized agent. Additionally, we may require that you verify your identity as described in the section entitled "Individual Rights and Requests" or confirm that you have given the agent permission to submit the request.
14.2 Belgium
The following applies to our data collection and processing activities in Belgium:
- Sidley Austin (CE) LLP Brussels Branch, located at Rue Montoyer 51, 1000 Brussels, Belgium is the data controller responsible for your personal data.
- Section 3 (viii) information is not collected
- Section 3(iv) only data in relation to sex/gender and nationality is collected
14.3 Germany
DATENSCHUTZHINWEISE FÜR BEWERBER
The following applies to our data collection and processing activities in Germany:
- The data controller for the processing of the Applicant’s personal data is Sidley Austin (CE) LLP, Maximilianstraße 35, 80539 Munich, Germany, Phone +49 89 24440 9100, E-Mail MU-Reception@sidley.com
- Our Data Protection Officer can be reached via privacy@sidley.com or by writing to Sidley Austin (CE) LLP c/o Willem Lubbe, Maximilianstraße 35, 80539 Munich, Germany.
- Section 3 (iv) only data in relation to gender is collected
- The data in 3(vi) is only collected where the Applicant has requested a refund of their travel expenses incurred for the interview
- Section 3 (vii) information is not collected
- Section 3 (viii) information is not collected
- Section 3 (v) information is only collected if the Applicant is successful, and as part of the offer process
- Section 3 (xv) is entirely voluntary
- Section 3 (ix) to (xiv) is not applicable
- Section 4 (iii) has limited application
14.4 Japan
The following applies to our data collection and processing activities in Japan:
- The data in 3 (vi) is not collected
15. Contact Us
For questions about this Global Recruitment Data Protection Notice and other of Sidley Austin’s privacy practices, please contact:
David A. Lindner
Chief Privacy Officer
Sidley Austin LLP
1501 K Street, N.W.
Washington, D.C. 20005
privacy@sidley.com