HCL Technologies candidate data privacy notice
Effective date: March 15 ,2022
HCLTech is committed to protecting and securing the privacy and confidentiality of the Personal Data which it collects directly or indirectly from you when applying for a job at HCLTech either directly or through a third-party human resources agency. This notice (the “Notice”) outlines and explains how HCLTech Limited including its subsidiaries, local employing entities, associates and affiliated companies [collectively referred to as “HCL”, “us,” “our”, or “we”] will process your Personal Data in accordance with applicable privacy legislation(s). Our EU representative is HCL (IRELAND) INFORMATION SYSTEMS LIMITED, 3rd Floor, Kilmore House, Park Lane, Spencer Dock, DUBLIN 1, D01 YE64, Ireland
Please refer to ‘Annexure B’ for definitions.
What Does This Notice Cover?
The aim of this Notice is to provide you with information on what Personal Data we process, why we process your Personal Data, how we process your Personal Data including details on the principles we will abide by, as well as informing you of certain rights that you may be able to exercise on your Personal Data.
This Notice applies globally to all job applicant(s)/candidate(s) of HCLTech, subject to local caveats which have been highlighted herein or as applicable otherwise.
In some cases, we may present to you an additional Personal Data processing notice, depending on the circumstances as they may exist. Typically, these additional notices would provide requisite information pertaining to, but not limited to, additional purpose(s) for processing of your Personal Data which are not covered under this Notice. Such a notice shall apply only for those respective cases referred to therein and shall not affect the validity of this Notice.
What Personal Data Do We Process?
For the purposes of this Notice, ‘Personal Data’ means any information about you from which you can be identified (whether derived from that information on its own or when combined with other information that we or another party may hold about you).
As part of your recruitment and/or on-boarding process, you may directly provide us or be requested to provide us your Personal Data. Personal Data may be either provided to us by you or collected through a third-party as part of your recruitment process with HCLTech. Such Personal Data may include but is not limited to:
- Identifying data, such as name, email address.
- contact details, such as postal address and telephone number.
- recruitment-related information, such as right to work authorisation, citizenship, date of birth, residency, previous work experience information (including previous employer references), qualifications and work history, educational background, language skills, professional skills and talents, professional membership, community engagement, geographic location preferences, and recruitment company reports (where available), salary expectations, interactions over emails, webchats, audio/video conversations; and
- Any other Personal Data you voluntary provide during the job application process for our consideration.
Special Categories of Personal Data
HCLTech may process Special Categories of Personal Data such as, racial/ethnic origin, health information, in limited circumstances and only where we are permitted to do so under applicable legislation(s). Furthermore, we maybe required from time-to-time to process your Special Categories of Personal Data in order to carry out our obligation(s) and exercise our right(s) in relation to employment law or any other law as it applies to us at any given point in time. HCLTech takes the protection and security of your Special Categories of Personal Data seriously, and the highest level of technical and organisational security controls are applied when we process your Special Categories of Personal Data.
Why We process your Personal Data?
- We process your Personal Data for specified purposes and on the following legal grounds, for the various situations which may arise during the job application process with us:
- As it may be necessary for preserving our or a third party’s legitimate interests (please see ‘How do We use your Personal Data?’ section below.);
- The processing is necessary for us to perform contractual obligation(s) in respect of your employment or engagement with HCLTech e.g., the steps taken to enter into a contract with you, if your candidature is successful.
- As it is, or if it becomes, necessary to comply with any legal obligation(s), including but not limited to, any local law(s), to the extent of the applicability of such law(s);
- As is necessary to protect your vital interests when you are physically or legally incapable of giving consent; and
- Data processing based on your consent.
- In exceptional circumstances you may request us to disclose your personal data to third parties or organisations such as a law firm handling a data subject claim on your behalf, or otherwise.
- There may also be exceptional circumstances, where you may explicitly consent to the processing of your personal data, but only if the consent is truly freely given and unambiguous e.g., consent to publish your photograph on marketing materials.
How We Use Your Personal Data?
We process your Personal Data, for the purposes including but not limited to the ones enlisted below, via both manual and automated means. We also use ATS (applicant tracking system) which stores your Personal Data once you have made an application in order to enable the relevant recruiting manager and recruiter to consider your application. We will always have human intervention in your candidacy assessment and never solely rely on automated decision-making, including profiling.
Talent Acquisition and onboarding:
|Processing Purposes||Legal Basis||Categories of recipients with whom we may share your personal data outside of HCL*|
If your application is successful and you agree to join HCLTech we need to capture personal data to complete your employment contract, legal and regulatory compliance, managing operations.
To determine an applicant’s/candidate’s eligibility for employment or engagement including but not limited to:
To process your personal information in order to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
Compliance with legal obligations which we are subject to, particularly in relation to tax law, employment law, social security law and immigration law
Where relevant and appropriate subject to local data protection regulations:
To conduct, and to analyse, our HR related marketing and branding activities.
To process equal opportunities data, such as racial or ethnic origin, religious or philosophical beliefs, and data concerning health or sexual orientation.
To analyse the diversity of our workforce. Also, to accommodate your application and interview and for compliance with legal obligations as well as to provide a suitable working environment, we may collect disabilities information.
Why We Share Personal Data
Only selected employees of HCLTech – such as your potential future manager(s), employees of HR and IT (for maintenance purposes only) - and selected employees of our external service providers who support us with the admission of recruitment application, may have access to your Personal Data. Whenever we permit a third party to access Personal Data, we will make sure the data is used in a manner consistent with this Notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the data).
Please note, in some circumstances third parties may qualify as controllers who process your Personal Data for their own purposes. Please refer to these Controllers’ privacy notice or statement. Otherwise, all third parties are Processors acting on the instructions of HCLTech. Wherever we engage a Processor, we require assurances that such Processors have implemented appropriate safeguards and controls in relation to the protection of your Personal Data. In addition to the third parties’ legal obligations, we require that such third parties be also contractually obligated to safeguard your Personal Data. Ongoing oversight is maintained on the relevant processing activities being carried out by the third party.
If required, we may conduct background checks prior to you commencing employment with us. In order to do so, HCLTech may have a requirement to share your personal data with the relevant third parties. These checks will be performed by our Processors who conduct background screening on our behalf.
How Long Do We Retain your Personal Data?
We retain your Personal Data for as long as it is necessary to fulfil the purposes for which it is processed that is for the duration of your onboarding process. Post onboarding and pre-joining formalities your data will not be kept longer than necessary for the purpose for which it was processed. For example, we may need to retain your Personal Data to comply with Tax and other applicable Laws, for audit purposes and to exercise or defend any legal claims.
Is Your Data Transferred Across International Borders?
HCLTech is a truly global organisation so your Personal data may be transferred for the any of the above stated purposes to different
global locations. These transfers will be undertaken in compliance with applicable law(s) and regulation(s).
If it is necessary to transfer your Personal Data to countries that do not offer adequate protections, for example if Personal Data
originating from the EEA / EU will be transferred outside the EU/EEA then we will ensure that appropriate safeguards as required
by applicable laws are put in place prior to the transfer of the data.
To protect Personal Data when transferred outside the EU/EEA to countries which have not been deemed by the European Commission to adequately protect Personal Data, HCLTech will implement appropriate safeguards in order to adequately safeguard any such transfers in line with the requirements enshrined in applicable laws, e.g. by incorporating standard contractual clauses (a copy of which can be obtained through the contact information included below) into contract(s) / data transfer agreement(s) established between the parties transferring the Personal Data.
What are your rights and how can you exercise them?
Depending on your relationship with HCLTech you may have several rights in relation to your Personal Data. Please refer to the Annexure A for information on data subject rights. Please note, these rights are subject to exemption(s) and may not apply in all circumstances. If you wish to exercise these rights, then HCLTech will provide you with the requested information or action your request within one month after receipt of your verified request, subject to any extensions that maybe required and communicated to you.
You can use the following channels to exercise your rights or request more information about your rights
- Submit your requests on the Data Subject Request Portal which can be accessed through HCLTech.com (via Online Privacy Statement accessible via link at the footer of each webpage).
- Alternatively, you can contact HCLTech’s Privacy Office via email@example.com if you have any general query.
How Do We Safeguard your Personal Data We Have Collected from You?
We implement and maintain appropriate technical, organizational, and physical security measures to protect your Personal Data and these security measures are in line with industry best practices.
These include, but are not limited to:
- Access to data is based on need to know and least privilege principle to ensure data is only accessible to authorized individuals for performance of their duties.
- Layered security controls ranging from perimeter security to end user machine level controls such as Firewalls, Spam protection, Antivirus and Spyware solutions, security awareness trainings and incident management etc.
- To further reduce the risk associated with data processing, we make use of pseudonymisation / Anonymization techniques where possible.
- Using encryption mechanisms, where appropriate such as email encryption, encryption of data during transfer, secure VPN access and disk/file level encryption etc.
- Third parties that process personal data on our behalf, do so based on written instructions and are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
What if you do not provide Personal Data?
During the job application and pre-joining formalities it is in yours and our best interest for you to provide HCLTech with Personal Data, in particular certain information as mentioned above, such as contact details, education and professional experience details, and your right to work in a particular jurisdiction, have to be provided to enable HCLTech to enter into a contract of employment with you.
Certain information may be necessary to fulfil legal obligation under employment, Tax and other applicable laws and regulations and to exercise your statutory rights.
If you do not provide the necessary information, this will impact our ability to manage the rights and obligations arising as a result of the hiring and onboarding process effectively.
How Do We Update This Notice?
We may update this Notice from time to time. We will post any updated version of this Notice on the HCLTech public facing websites and other relevant portal(s). We may also communicate changes to this Notice to you by email or by other necessary mean(s), if need be.
Except as otherwise stated in this Notice, any updates to this Notice will be effective from the date on which they are communicated to the relevant parties.
Who can you contact?
Any questions or concerns about the operation of this document should be addressed to the relevant HR personnel who may have been in contact with you.
If you are an EU/EEA applicant/candidate, and you have any concerns about how your Personal Data has been processed then you can contact the HCLTech ’s Data Protection Officer via firstname.lastname@example.org
If you are an applicant/candidate from India, and you have any concerns about how your Personal Data has been processed then you can contact the Grievance Officer for India (Prashant Yadav) at email@example.com
If you are an applicant/candidate that does not belong to EU/EEA or India, and you have any concerns about how your Personal Data has been processed then you can contact the Global Privacy Office online via firstname.lastname@example.org
We want to address any concerns you have so please contact us in the first instance. You have a right to lodge a complaint with a data protection supervisory authority in particular in the jurisdiction of your habitual residence, place of work or place of the alleged infringement.
Data Subject Rights:
Your rights may differ depending on local laws applicable, but generally (as far as applicable laws provide you with such rights). You would be entitled to: object to the processing of Personal Data, access your data and have inaccurate data corrected, obtain a copy of Personal Data (in some cases in portable format), ask us about any relevant details of processing, ask for erasure or restriction of processing, and to lodge complaints with relevant authorities (in particular in the country where you live, work or where the alleged infringement took place).These rights can be summarised in broad terms with the EU General Data Protection Regulation as a baseline:
- Right of access
You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the processing and the recipients or categories of recipients. We can only provide you with your Personal Data, not Personal Data about another person. Also, where access would adversely affect another person’s rights, we’re not required to provide this. Due to legal privilege, there are some records we are not able to share in connection with a claim or legal proceeding.
- Right to rectification
You may have the right to rectify inaccurate or incomplete Personal Data concerning you. We encourage you to review this information regularly to ensure that it is accurate and up to date.
- Right to erasure (right to be forgotten)
You may have the right to ask us to erase Personal Data concerning you. The right to erasure does not apply where your information is processed for certain specified reasons, including for the exercise or defence of legal claims.
- Right to restriction of processing
In certain situations, you have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their Personal Data to be ‘blocked’ to make sure the restriction is respected in future. This may affect our ability to provide services to you.
- Right to data portability
You may have the right to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.
- Right to object and rights relating to automated decision-making
Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data, including profiling, by us and we can be required to no longer process your Personal Data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.
You are entitled to receive your Personal Data free of charge except in the following circumstances where we may charge a reasonable fee to cover our administrative costs of providing the Personal Data for:
- manifestly unfounded or excessive/repeated requests, or
- further copies of the same information.
To exercise any of the above mentioned rights please submit your request through our Data Subject Request Portal.
Annexure B – Definitions:
|Applicable Law||Local laws applicable to HCLTech.|
|Employer||The local entity which offers employment and/or is demarcated as employer on the employment agreement signed by the employee.|
|Controller||The entity/person who (either alone or jointly or in common with other entities/persons) determines the purposes for which and the manner in which any Personal Data are or are to be processed.|
|Processor||Any person or an entity who processes the data on behalf of the Controller.|
|Data Subject||Any identified or identifiable living individual natural person.|
|Personal Data||Any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.|
|Special Categories of Personal Data||Any Personal Data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.|
|Data Processing||Any operation or set of operations which is performed on personal data, such as collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making the data available, aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.|
|Encryption||The method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key.|
|Automated decision making||Subject to local applicable law, every data subject has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him.|
|Supervisory authority||Independent Authority or division associated with an Authority in any relevant jurisdiction, whose primary purpose and function is to regulate matters related to personal data.|
|Pseudonymisation||The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.|
|Anonymization||The process of either encrypting or removing personal data from a database, so that the individuals whom the data describe remain anonymous. This is done for the purpose of protecting individuals’ private activities while maintaining the integrity of the data gathered and shared.|
|Consent||Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.|
|Data Retention||The policies and processes used within HCLTech for determining the time period for archiving and storing of personal data.|
|Profiling||Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.|
|Third Party||A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.|