Candidate Data Privacy Notice | HCLTech

HCLTech
Candidate Data Privacy Notice

Effective date: April 7, 2023

HCLTech is committed to protecting and securing the privacy and confidentiality of the Personal Data which it collects directly or indirectly from you when applying for a job at HCLTech or initiating an engagement with HCLTech as your Client1 either directly or through a third-party human resources agency/third party service provider. This notice (the “Notice”) outlines and explains how HCL Technologies Limited including its subsidiaries, local employing2 entities, associates, and affiliated companies [collectively referred to as “HCLTech”, “us,” “our”, or “we”] will process your Personal Data in accordance with applicable privacy legislation(s). Our EU representative is HCL (IRELAND) INFORMATION SYSTEMS LIMITED, 3rd Floor, Kilmore House, Park Lane, Spencer Dock, DUBLIN 1, D01 YE64, Ireland

Please refer to ‘Annexure B’ for definitions.

What Does This Notice Cover?

This Notice aims to provide you with information on what Personal Data we process about you, why and how we process your Personal Data, including details on the privacy principles we will abide by, and informing you of certain rights you may be able to exercise on your Personal Data.

This Notice applies globally to all job applicant(s)/candidate(s)/third party contractor(s) of HCLTech, subject to local caveats highlighted herein or as applicable otherwise.

In some cases, we may present you with an additional Personal Data Processing notice depending on the circumstances as they may exist. Typically, these additional notices would provide requisite information pertaining to, but not limited to, additional purpose(s) for Processing of your Personal Data which are not covered under this Notice. Such a notice shall act as a supplemental notice and apply only for those respective cases referred to therein and shall not affect the validity of this Notice.

What Personal Data Do We Process?

For the purposes of this Notice, ‘Personal Data’ means any information about you from which you can be identified (whether derived from that information on its own or when combined with other information that we or another party may hold about you).

Personal Data may be either provided to us by you or the supplier/service provider you represent, or collected through a third party as part of your recruitment/engagement process with HCLTech. Such Personal Data may include but is not limited to:

  1. Identifying data, such as name, email address;
  2. contact details, such as postal address and telephone number;
  3. recruitment-related information, such as right to work authorisation, citizenship, date of birth, residency, previous work experience information (including previous employer references), qualifications and work history, educational background, language skills, professional skills and talents, professional membership, community engagement, geographic location preferences, and recruitment company reports (where available), salary expectations, interactions over emails, webchats, audio/video conversations; and
  4. Any other Personal Data you voluntarily provide during the job application/pre-contractual relationship process for our consideration.

Special Categories of Personal Data (not applicable for third party contractors)

HCLTech may process Special Categories of Personal Data such as, racial/ethnic origin, and health information, in limited circumstances and only where we are permitted to do so under applicable legislation(s). Furthermore, we may be required from time-to-time to process your Special Categories of Personal Data in order to carry out our obligation(s) and exercise our right(s) in relation to employment law or any other law as it applies to us at any given point in time. HCLTech takes the protection and security of your Special Categories of Personal Data seriously, and the highest level of technical and organisational security controls are applied when we process your Special Categories of Personal Data.

Why We process your Personal Data?
  • We process your Personal Data for specified purposes and on the following legal grounds, for the various situations which may arise during the job application process or third-party contractual relationship with us:
    1. As it may be necessary for preserving our or a Third Party’s legitimate interests (please see ‘How do We use your Personal Data?’ section below);
    2. The Processing is necessary for us to perform contractual obligation(s) in respect of your employment or engagement with HCLTech e.g., the steps taken to enter into a contract with you, if your candidature is successful.
    3. As it is, or if it becomes, necessary to comply with any legal obligation(s), including but not limited to, any local law(s), to the extent of the applicability of such law(s) (e.g. conducting service provider due diligence or exercising our audit rights);
    4. As is necessary to protect your vital interests when you are physically or legally incapable of giving Consent; and
    5. Data Processing based on your Consent.
  • In exceptional circumstances you may request us to disclose your Personal Data to Third Parties or organisations such as a law firm handling a Data Subject claim on your behalf, or otherwise.
  • There may also be exceptional circumstances, where you may explicitly Consent to the Processing of your Personal Data, but only if the Consent is truly freely given and unambiguous e.g., Consent to publish your photograph on marketing materials.
How We Use Your Personal Data?

We process your Personal Data, for the purposes including but not limited to the ones enlisted below, via both manual and automated means. For candidates/applicants, we also use ATS (Applicant Tracking System) which stores your Personal Data once you have made an application in order to enable the relevant recruiting manager and recruiter to consider your application. We will always have human intervention in your candidacy assessment and never solely rely on Automated Decision-Making, including Profiling.

Talent Acquisition and onboarding:

Purpose Legal Basis Categories of recipients with whom we may share your Personal Data outside of HCLTech
If your application is successful and you agree to join/provide services to HCLTech we need to capture Personal Data to complete your employment contract/third-party service provider contract, legal and regulatory compliance, managing operations. Processing is necessary to (i) perform contractual obligation(s) in respect of your employment or engagement with HCLTech; (ii) to comply with applicable legal obligation(s), and/or iii) based on your consent. HCLTech may use service providers acting on HCLTech ‘s behalf to perform some of the services described above including for the purposes of verification / background checks or receive a copy of such checks reports from the supplier/service provider you represent. These background verification service providers may be located outside the country in which you live or the country where the position you have applied for is located.
To determine an applicant’s/candidate’s eligibility for employment or engagement including but not limited to:
  • Online skill assessments.
  • Interview process, including in person and online interviews.
  • Perform pre-employment/contractual background checks as part of your application/engagement, which would include but not limited to your legal right to work, carrying out or receive criminal record and credit history checks/reports subject to legal limits, and follow up references provided to us, including identification data, contact details, information about your qualification and employment/work history.
  • Offering information and/or services to individuals who visit our web site or offer information about employment opportunities.
  • Preventing fraud or criminal activity and to safeguard our IT systems.
  • Customizing individuals’ online experience and improve the performance, usability and effectiveness of HCLTech ’s online presence.
  • Meeting corporate and social responsibility obligations.
  • Improving our application and recruitment process.
  • Assessing if you have worked for us or applied with us before.
  • Selecting, assessing, and appointing suitable candidates/third-party contractors for jobs, new and/or other roles.
  • Suitability for attending site if required.
Processing is necessary to (i) preserve our legitimate interests in properly carrying out hiring and staffing procedures; (ii) take steps at your request prior to entering into a contract, (iii) comply with our applicable legal obligation(s) and/or iv) based on your consent. HCLTech may sometimes be required to disclose your information to external Third Parties such as to customers, local labour authorities, courts and tribunals, regulatory bodies and/or law enforcement agencies for the purpose of complying with applicable laws and regulations, or in response to legal process.
To process your personal information in order to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency. Processing is necessary to comply with applicable legal obligation(s). HCLTech will also share your personal information with other Third Parties to detect, prevent or otherwise address fraud, security or technical issues, or as otherwise required by law.

Where relevant and appropriate subject to local data protection regulations:

To conduct, and to analyse, our HR related marketing and branding activities.

To process equal opportunities data, such as racial or ethnic origin, religious or philosophical beliefs, and data concerning health or sexual orientation.

To analyse the diversity of our workforce. Also, to accommodate your application and interview and for compliance with legal obligations as well as to provide a suitable working environment, we may collect disabilities information.

Processing is necessary to (i) comply with applicable legal obligation(s) and/or (ii) based on your consent.  
Why We Share Personal Data

Only selected employees of HCLTech – such as your potential future manager(s), employees of HR and IT (for maintenance purposes only) - and selected employees of our external service providers who support us with the admission of recruitment application/third-party contractors, may have access to your Personal Data. Whenever we permit a Third Party to access Personal Data, we will make sure the data is used in a manner consistent with this Notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the data).

Please note, in some circumstances, Third Parties may qualify as Controllers who process your Personal Data for their own purposes. Please refer to these Controllers’ privacy notices or statements. Otherwise, all Third Parties are Processors acting on the instructions of HCLTech. Wherever we engage a Processor, we require assurances that such Processors have implemented appropriate safeguards and controls in relation to the protection of your Personal Data. In addition to the Third Parties’ legal obligations, we require that such Third Parties be also contractually obligated to safeguard your Personal Data. Ongoing oversight is maintained on the relevant Processing activities being carried out by the Third Party.

For applicants and candidates, if required, we may conduct background checks prior to you commencing employment/engagement with us. In order to do so, HCLTech may have a requirement to share your Personal Data with the relevant Third Parties. These checks will be performed by our Processors who conduct background screening on our behalf.

How Long Do We Retain your Personal Data?

We retain your Personal Data for as long as it is necessary to fulfill the purposes for which it is processed that is for the duration of your onboarding process. Post onboarding and pre-joining/contracting formalities your data will not be kept longer than necessary for the purpose for which it was processed. For example, we may need to retain your Personal Data to comply with Tax and other Applicable Laws, for audit purposes and to exercise or defend any legal claims.

Is Your Data Transferred Across International Borders?

HCLTech is a global organisation, so your Personal data, may be transferred for any of the above stated purposes to different global locations. These transfers will be undertaken in compliance with applicable law(s) and regulation(s).

If, it is necessary to transfer your Personal Data from your habitual place of residence to countries that do not offer adequate protections, then we will ensure that appropriate safeguards, as required by applicable laws, are put in place prior to the transfer of the data. For example, by incorporating standard contractual clauses (more information about such clauses is available here) or Binding Corporate Rules (BCRs) into contract(s) / data transfer agreement(s) established between the parties transferring the Personal Data and a copy of which can be requested, by registering your request at Data Subject Request Portal.

HCLTech Argentina may transfer your Personal Data to the HCLTech locations in Brazil, Costa Rica, Guatemala, India, Mexico and the United States of America. HCLTech Argentina implemented the Standard Contractual Clauses approved by the Argentina Data Privacy Agency.

What are your rights and how can you exercise them?

Depending on your relationship with HCLTech you may have several rights in relation to your Personal Data. Please refer to Annexure A for information on Data Subject Rights. Please note, these rights are subject to exemption(s) and may not apply in all circumstances. If you wish to exercise these rights, then HCLTech will provide you with the requested information or action your request within one month after receipt of your verified request, subject to any extensions that may be required and communicated to you.

You can use the following channels to exercise your rights or request more information about your rights

  • Submit your requests on the Data Subject Request Portal which can be accessed through HCLTech.com (via the Online Privacy Statement accessible via the link at the footer of each webpage).
  • Alternatively, you can contact HCLTech’s Privacy Office via privacy@hcl.com if you have any general queries.
How Do We Safeguard your Personal Data?

We implement and maintain appropriate technical, organizational, and physical security measures to protect your Personal Data and these security measures are in line with industry best practices.

These include, but are not limited to:

  • Access to data is based on need to know and least privilege principle to ensure data is only accessible to authorized individuals for performance of their duties.
  • Layered security controls ranging from perimeter security to end user machine level controls such as Firewalls, Spam protection, Antivirus and Spyware solutions, security awareness trainings and incident management etc.
  • To further reduce the risk associated with Data Processing, we make use of Pseudonymisation / Anonymization techniques where possible.
  • Using Encryption mechanisms, where appropriate such as email Encryption, Encryption of data during transfer, secure VPN access and disk/file level Encryption, etc.
  • Third Parties that process Personal Data on our behalf, do so based on written instructions and are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
What if you do not provide Personal Data?

During the job application and pre-joining/contracting formalities, it is in yours and our best interest for you to provide HCLTech with Personal Data, in particular certain information as mentioned above, such as contact details, education and professional experience details, and your right to work in a particular jurisdiction, have to be provided to enable HCLTech to enter into a contract with you.

Certain information may be necessary to fulfil legal obligation under employment, Tax and other Applicable Laws and regulations and to exercise your statutory rights.

If you do not provide the necessary information, this will impact our ability to manage the rights and obligations arising as a result of the hiring and onboarding process effectively.

How Do We Update This Notice?

We may update this Notice from time to time. We will post any updated version of this Notice on the HCLTech public facing websites and other relevant portal(s). We may also communicate changes to this Notice to you by email or by other necessary mean(s), if need be. Except as otherwise stated in this Notice, any updates to this Notice will be effective from the date on which they are communicated to the relevant parties.

Who can you contact?

Any questions or concerns about the operation of this document should be addressed to the relevant HR personnel/HR partner who may have been in contact with you.

If you are an EU/EEA, UK or Switzerland applicant/candidate/third-party contractor, and you have any concerns about how your Personal Data has been processed then you can contact the HCLTech ’s Data Protection Officer via hcldpo@hcl.com.

If you are an applicant/candidate/third-party contractor from India, and you have any concerns about how your Personal Data has been processed then you can contact the Grievance Officer for India (Prashant Yadav) at grievance-india@hcl.com.

If you are an applicant/candidate/third-party contractor that does not belong to EU/EEA, UK, Switzerland or India, and you have any concerns about how your Personal Data has been processed then you can contact the Global Privacy Office via privacy@hcl.com.

Complaints

We want to address any privacy concerns you may have, so please contact us in the first instance. You have a right to lodge a complaint with a data protection Supervisory Authority in particular in the jurisdiction of your habitual residence, place of work or place of the alleged infringement.

Annexure A

Data Subject Rights:

Your rights may differ depending on local laws applicable, but generally (as far as applicable laws provide you with such rights). You would be entitled to: object to the Processing of Personal Data, access your data and have inaccurate data corrected, obtain a copy of Personal Data (in some cases in a portable format), ask us about any relevant details of Processing, ask for erasure or restriction of Processing, and to lodge complaints with relevant authorities (in particular in the country where you live, work or where the alleged infringement took place). These rights can be summarised in broad terms with the EU/UK General Data Protection Regulation as a baseline:

  1. Right of access 

    You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the Processing and the recipients or categories of recipients. We can only provide you with your Personal Data, not Personal Data about another person. Also, where access would adversely affect another person’s rights, we’re not required to provide this. Due to legal privilege, there are some records we are not able to share in connection with a claim or legal proceeding.

  2. Right to rectification 

    You may have the right to rectify inaccurate or incomplete Personal Data concerning you. We encourage you to review this information regularly to ensure that it is accurate and up to date.

  3. Right to erasure (right to be forgotten) 

    You may have the right to ask us to erase Personal Data concerning you. The right to erasure does not apply where your information is processed for certain specified reasons, including for the exercise or defence of legal claims.

  4. Right to restriction of processing 

    In certain situations, you have the right to ‘block’ or suppress further use of your information. When Processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their Personal Data to be ‘blocked’ to make sure the restriction is respected in future. This may affect our ability to provide services to you.

  5. Right to data portability

    You may have the right to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.

  6. Right to object and rights relating to Automated Decision-Making

    Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the Processing of your Personal Data, including Profiling, by us and we can be required to no longer process your Personal Data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.

You are entitled to receive your Personal Data free of charge except in the following circumstances where we may charge a reasonable fee to cover our administrative costs of providing the Personal Data for:

  • manifestly unfounded or excessive/repeated requests, or
  • further copies of the same information.

To exercise any of the above mentioned rights please submit your request through our Data Subject Request Portal.

Annexure B - Definations:
Applicable Law Local laws applicable to HCLTech.
Employer The local entity which offers employment and/or is demarcated as employer on the employment agreement signed by the employee.
Controller The entity/person who (either alone or jointly or in common with other entities/persons) determines the purposes for which and the manner in which any Personal Data are or are to be processed.
Processor Any person or an entity who processes the data on behalf of the Controller.
Data Subject Any identified or identifiable living individual natural person.
Personal Data Any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Special Categories of Personal Data Any Personal Data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Processing/ Processing Any operation or set of operations which is performed on personal data, such as collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making the data available, aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.
Encryption The method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key.
Automated Decision-Making Subject to local applicable law, every data subject has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him.
Supervisory Authority Independent Authority or division associated with an Authority in any relevant jurisdiction, whose primary purpose and function is to regulate matters related to personal data.
Pseudonymisation The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Anonymization The process of either encrypting or removing personal data from a database, so that the individuals whom the data describe remain anonymous. This is done for the purpose of protecting individuals’ private activities while maintaining the integrity of the data gathered and shared.
Consent Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Profiling Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Third Party A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.