1.1 General Policy

Spherica (hereinafter referred to as ‘the Company’, ‘we’ and ‘us’) is committed to protecting the rights of data subjects with regard to the processing of their personal data for the purpose of recruitment. We are also committed to facilitating the exercise of a data subjects rights over their data. This document lays out our policy on which the personal data collected from you or provided to us by you will be processed in connection with our recruitment process.

Terminology:
EU – European Union
EEA – European Economic Area
ICO – Information Commissioner’s Office
GDPR – General Data Protection Regulation

1.2 Where and By Who Data is Stored

For the purpose of the General Data Protection Regulations, we are the Data Controller. The Data Subject is the person to who’s data is being processed. Our appointed Data Protection Officer is Jessica Harper. Their contact details are [email protected]. Spherica are located within the UK and will only process your data within the UK, however some of our suppliers who are crucial to our recruitment process may store and operate data within the EEA and outside UK and EAA.

As part of our recruitment process, we use Workable, an online application provided by Workable Software Limited. We use Workable to process all personal data that is provided or sourced during our recruitment process. Workable is only entitled to process your personal data as we instruct and cannot use personal data for reasons undisclosed to us.

Your data may be accessible to Workable’s employees in the USA and EU and/or may be stored by Workable’s hosting service provider on servers in the USA as well as in the EU. By submitting your personal data, you agree to understanding this information and the storing, processing and transfer of your personal data by the means described above.

AS the USA does not have the same data protection laws as the UK and EEA, a data processor agreement has been signed between Workable Software Limited and its overseas companies and each of its data processors. These data agreements are designed to help safeguard your privacy rights.

Where you apply for a job opening posted by us, the provisions within this policy and any other Data Protection and Privacy Policy that Spherica publish to their website will apply to our processing of your personal data. Where you apply for a job opening via the application function on a job site or a similar online service provider (“Partner”) you should note that the Partner may retain your personal data and may collect from us data, in respect of the progress of your application. Any use of collection of data used by a job site or Partner will be in accordance with their own privacy notice and not Spherica’s.

1.3 Data collection and Processing

We rely on legitimate interest as the lawful basis on which we collect and use your personal data. The data collected and processed from you is deemed, by the company as legitimate interests to our recruitment process and we honour not to collect data that we deem illegitimate. The data and information collected from you will consist of all or some of the following:

• Name, email address, address, telephone numbers, date of birth, qualifications, experience, employment history and skills.
• Visual data – video interviews
• Verbal data – phone interviews, data provided on phone calls/interviews.
• A record of your progress through the application and hiring process
• Details of your visits to Workable’s Website including, but not limited to, traffic data, location data, weblogs and other communications data, the site that referred you to Workable’s Website and the resources that you access.
• Information that you provide when applying for a role, including applications through our careers page, online job site, in person and or by any other method you choose.

Workable provides us with the facility to link the data you provide to us, with other publicly available information about you, that you have published on the internet. This may include sources such as LinkedIn and other social media profiles. The technology that Workable provides, allows us to search various databases to source possible candidates to approach about our job openings. These data bases may include your personal data (such as your CV) which may or may not be publicly available depending on where it has been situated. Where we find you in this way, we will obtain your personal data from these sources.

We may receive your personal data from a third party who recommends you as a candidate.

1.4 Purpose of Processing

We use the personal data held on you for the following purposes:

• To consider your suitability following your application to an open role
• To consider your application in respect of others
• To communicate with you through the recruitment process
• To enhance any information we receive from you with information obtained from third party data providers
• To source suitable candidates to fill job openings
• To help our service providers (such as Workable and its processors and data providers) and Partners (such as sites through which you may have applied for) improve their services

Where you apply for a job opening through the Indeed Apply function, we rely on your consent which is freely given by you during the application process, to disclose your personal data to indeed.

1.5 Data Retention

We will hold your personal data for 6 months. The period following 6 months, all personal data will be anonymised. Your personal data may be deleted for the following reasons:

• Deletion of your personal data made by you
• At the written request by you to us

1.6 Information Security Concerning Personal Data

We shall assess the risks of processing of the data subject and will deploy appropriate security measures.
To ensure security, where appropriate, we:-

• Train our team members to understand the importance of personal data and how it must be correctly treated
• Control access to personal data by using authentication and authorisation, to keep it confidential, including limiting access to your data to those who have a genuine business need to know
• Keep backups to help us guard against loss and damage
• Ensure personal data is available when and where it is required
• Only use operating systems and software that allow single sign on to better protect from security breaches
• Have procedures in place to deal with suspected data security breach and notification to the data subject where required

We do our best to protect all personal data held by us, however, unfortunately the transmission of information via the internet is not completely secure and therefore any transmission remains at your own risk.

1.7 Data Subject Rights

We are committed to respecting and facilitating the exercise of data subject rights. We train our staff to recognise requests from data subjects and create procedures to satisfy the exercise of those rights. You have the following right including, but not limited to :

• Access to your personal data
• Be informed about how we process and store your personal data
• Inform of any mistakes to your personal data (Rectification)
• Request to erasure of personal data held by us
• Request to receive the personal data we hold on you (Data Portability request)
• Object to the processing of your personal data or request a restriction of processing
• Contact ICO if you are concerned about any breach by us of data protection laws

1.7.1 Right to be Informed

We will provide all individuals with clear and concise information about what we do with their personal data. We will provide them with:-

• Our name and contact details
• The purposes of any processing
• The lawful basis for any processing
• Information pertaining to their rights as a data subject
• All other relevant details about the processing and their ability to refuse processing

1.7.2 Right to Access

When access is requested, where possible, we will:-

• Check the identity of the data subject before releasing personal data to them
• Protect the rights of other natural persons while fulfilling a data subject access request
• Explain the processing and the categories of personal data being processed
• Respond to a data subject access requests within 28 days

If it is not possible to provide access, we will tell the data subject.

1.7.3 Right to Rectification

You have a right to request rectification, but we will also make our best efforts to ensure that personal data is accurate. When we become aware that personal data is inaccurate, we will try to update it. Where this is not possible, we will stop processing the data.
When rectification is requested, where possible, we will:-

• Correct personal data without delay
• Complete incomplete personal data
• Add extra information in the form of notes
• Notify any recipient of the personal data of the rectification

If it is not possible to rectify the personal data, we will tell the data subject.

1.7.4 Right to Erasure

When erasure is requested, where possible, we will:-

• Erase the personal data without delay
• Notify any recipient of the personal data of the erasure

If it is not possible to erase the personal data, we will tell the data subject.

We will keep enough personal data to ensure we do not direct market to the data subject again. This data will be processed only for suppression purposes, on the basis of having a ‘legal obligation’ to do so.

1.7.5 Right to Restriction of Processing

When a restriction of processing is requested, where possible, we will:-

• Temporarily restrict processing of the personal data without delay
• Notify the data subject before we lift the restriction
• Only process restricted personal data with the explicit consent of the data subject
• Notify any recipient of the personal data of the restriction of processing

If it is not possible to restrict processing of the personal data, we will tell the data subject.

1.7.6 Right to Data Portability

When we receive a request for data portability, where possible, we will:-

• Check the identity of the data subject before releasing personal data to them
• Protect the rights of other natural persons while fulfilling a data portability request
• Provide the data in CSV form without delay

If it is not possible to provide data portability, we will tell the data subject.

1.7.7 Right to Object

When there is an objection to data processing, where possible, we will:-

• Stop processing the personal data without delay

If it is not possible to stop processing of the personal data, we will tell the data subject.

1.7.8 Automated Individual Decision Making, Including Profiling

We may use Workable’s technology to source and select candidates for us to consider based on the suitability of an open role, or in relation to a role for which you have applied for. The process of sourcing suitable candidates is automated, however decisions made on who we will engage with to fill any job openings is made by Spherica.

For further information on your rights please visit the ICO website on individuals’ rights under GDPR.

If you choose to exercise any of your rights, please contact the Data Protection Officer providing the following information:
Your full name and your request
&
Proof of your identification

1.8 Disclosure of Your Information

We will act responsibly when disclosing personal data to other controllers and processors. We pass your data onto our third-party providers, including Workable, who use it in accordance with our instructions and as otherwise required by law.

Where you have applied for a job opening through Indeed, and where you have consented to this disclosure, we will disclose to Indeed certain personal data that we hold. Indeed’s Privacy Notice is available on their website.

Where you have applied to a job opening through a service provider, including Indeed, we may disclose data including but not limited to:

• A unique identifier used to identify you.
• Information about your application progress and our hiring process
• Tangible, intangible, visual, electronic, present and future information that we hold about you

In the event data is disclosed as described above (Disposition Data), the service provider shall be the data controller of this data and shall be responsible for complying with all applicable laws and regulations of the use of the data following its transfer from us.

1.9 Cooperation with the ICO

We will cooperate with the ICO on any personal data protection issues.

1.10 Personal Data Breach Detection

We will take appropriate measures to detect a personal data breach.