SPAIN - Recruitment and Employment Data Privacy Notice

Protecting the privacy and security of your personal information is extremely important to us.  We want you to be clear on how your personal information is processed and how we comply with data protection laws.

This notice applies to prospective, current and former employees and, where relevant, to prospective, current and former contract workers, agency workers, consultants, interns and others whose personal information we hold in the context of a working relationship (or prospective working relationship) with Hiscox* across Spain.

If you have any questions about this notice, please speak to your local People Function contact.

1. Introduction – about this Privacy Notice

This privacy notice does not form part of any contract of employment, or other contract to provide services.

Hiscox is committed to protecting your privacy. This notice tells you what personal information we collect, why we need it, how we use it in connection with the recruitment and on boarding processes and during and after your employment or engagement with us and what protections are in place to keep your personal information secure. It also sets out your rights in relation to your personal information.

It is important that you read this notice, and any information notice that we may subsequently provide to you, carefully so that you are aware of how and why we are processing your personal information.

We may update, or otherwise amend, this notice at any time and you will be notified of such amendments.

Hiscox act as data controller in respect of the personal information that we process about you. This means that we are responsible for deciding how we hold and use personal information about you.

We have appointed a Data Protection Officer to oversee Hiscox’s compliance with data protection laws. The contact details of the Data Protection Officer are [email protected].

If you have any questions about this notice, how we handle your personal information or you would like to update the information we hold about you, we would strongly encourage you to speak to your local People Function (formerly HR) contact in the first instance, but if you wish you can also contact the Data Protection Officer.

Our obligations in relation to processing your personal information are set out in this notice, and in our data protection policy and related procedures. The data protection policy can be found on the intranet. 

You also have responsibilities in relation to personal information, and must comply with our data protection policy, which includes:

  • taking appropriate steps to protect the security of personal information 
  • being careful about who personal information is disclosed to 
  • protecting your communications and devices 
  • following other business processes in relation to the handling of customers’ personal information

2. What personal information do we hold about you?

Your 'personal information' means any information about you from which you can be identified - either by reference to an identifier (e.g. your name, location data or online identifier (e.g. IP address)) or from factors specific to your physical, cultural or social identity (e.g. your social background, outside interests etc).

It does not include information where the identity has been removed (such as anonymous information).

Hiscox collect and use personal information that you provide as part of the recruitment and on-boarding processes or which we have received as part of background screening and vetting processes, as well as additional personal information that is collected in the course of your employment or engagement (e.g. for performance reviews). We primarily use this personal information for the recruitment process, to comply with contracts of employment, for managing the workforce and business purposes. 

The personal information about you that we may collect, store and use includes, but is not limited to, the following categories of information: 

  • General information such as your name, address, contact details (work and personal), date of birth, sex, marital status, dependents, next of kin and emergency contact information.
  • Recruitment information such as your right to work documentation, driving licence, references, employment records, salary and benefits history and other information included in a CV or covering letter or otherwise received by Hiscox as part of the application and on boarding process. 
  • Financial information, such as your bank account details, payroll records, tax status information and national insurance / public service number. 
  • Remuneration and benefits information, such as salary, pension, benefits and annual leave.
  • Current employment terms and employment records, such as start date, job title, workplace, working hours, attendance records, sick leave/ pay records, holiday and leave records, performance, disciplinary and grievance records, education and training records and professional memberships.
  • Images and recordings, such as CCTV footage, electronic records (e.g. swipe card footage, where used), photographs, video images, voice recordings, information about your use of our IT and communications systems to the extent that this is required by law.
  • Information about family members (including dependents) for the purpose of providing benefits.

Please note that the type of personal information we collect about you will depend to some extent on your circumstances, your role and our legal obligations.

Certain 'special categories' of more sensitive personal information (such as information about racial/ ethnic origin, sexual orientation, political opinions, religious/ philosophical beliefs, trade union membership, biometric or genetic data and health data) are given a higher level of protection by data protection laws. 

The special categories of more sensitive personal information we may collect, store and use include, but are not limited to, the following categories of information:

  • Information about your health and sickness records

The provision of your personal information is necessary to enter into an employment contract with Hiscox.

Where the personal information is processed to perform the employment contract or to comply with a legal obligation, its provision is mandatory. Failure to provide such personal information would make it impossible for Hiscox to enter into or to continue the employment contract with you, or at least to perform its main obligations under the employment agreement.

3. Where do we collect your personal information from?

We collect your personal information:

  • From you: we typically collect your personal information directly from you through the application and recruitment process.
  • From third parties: we may sometimes collect additional information from third parties including former employers, credit reference agencies, medical officers or other background check agencies; details of those third parties are available from your local People Function contact. The categories of personal information we may collect, store and use from third parties include, but are not limited to, the following categories of information:
    • References
    • Credit Check
    • Occupational health reports
    • Criminal record check results to the extent allowed by law

We will only seek this information in relation to successful candidates that have accepted a conditional offer of employment or engagement with us and we will specifically inform such candidates that we will be contacting these third parties in advance of doing so.

In the course of job-related activities: throughout the period you are working for us, we collect additional personal information about you, including from your line manager, other managers and colleagues (e.g. feedback on your performance as part of the PDR process).

4. How will we use your personal information?

We will only process your personal information when the law allows us to. In most cases, we will process your personal information where it is necessary:

 

  • Basis 1 – to take steps necessary to enter into an employment contract or working relationship with you or to perform the contract we have entered into with you for the purposes of employment or engagement (e.g. your bank details in order to pay you)
  • Basis 2 - to comply with a legal obligation (e.g. provision of tax information to a government department or regulatory body) 
  • Basis 3 - for our legitimate interests as a business and as an employer (or those of a third party). Where we rely on legitimate interests as the reason for processing personal information (e.g. to monitor diversity as part of ensuring diversity across the company), we have considered whether those interests are overridden by any separate rights or freedoms of our workforce and have concluded that they are not.

We may also process your personal information in the following circumstances, but this is likely to be rare:

  • with your specific consent
  • where we need to protect your interests (or someone else’s interests)

We need all the personal information referred to above in 2B. We process your personal information for a number of purposes including, but not limited to, the following. In relation to each, we have also identified the legal basis for processing your personal information by reference to each legal basis set out in 4A above:

  • Recruitment decisions and background checks conducted as part of the vetting process in connection with our recruiting and on-boarding activities (1, 2, 3)
  • Checking your legal entitlement to work in the country (2)
  • Administering your employment contract (1, 2)
  • Payroll (1, 2)
  • Providing and facilitating benefits (1, 2)
  • Education, training and development requirements (1, 2)
  • Recording and managing attendance (1)
  • Performance and salary reviews and promotions (1)
  • Disciplinary and grievance processes (1)
  • Recording and managing sickness absence and other leave (1, 2)
  • Business management/ planning and risk compliance (1, 2, 3)
  • Health and safety compliance (1, 2)
  • Tax and regulatory authority compliance (2)
  • IT and communications monitoring, security and compliance (1)
  • Managing actual and potential legal disputes, including accidents at work (1, 2, 3)
  • Managing the termination of your employment (1, 2, 3)

Some of the grounds for processing will overlap, and in some cases, there will be several grounds which justify our use of your personal information.

We will only use your personal information for the purposes for which we collected it - unless we reasonably consider that we need to use it for another purpose that is compatible with the original purpose. 

If we need to use your personal information for an unrelated purpose, we will notify you and explain the basis upon which that is necessary.

We may process special categories of personal information when the law allows us to, which will be in the following situations:

  • Basis A - Where we need to do so to fulfil our legal obligations or exercise our rights in connection with employment (e.g. for making reasonable adjustments for individuals with a disability where this is required by law) 
  • Basis B - Where it is needed to assess your working capacity on health grounds (e.g. for an occupational health report), subject to appropriate confidentiality safeguards 
  • Basis C - Where it is necessary in order to establish, exercise or defend a legal claim 

    Where, in exceptional circumstances, it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent (e.g. in a medical emergency)

  • Basis D - With your explicit consent, where the processing is voluntary - this will only be in limited circumstances

'Special categories' of particularly sensitive personal information attract higher levels of protection, and we must have specific justification for collecting, storing and using this type of personal information. We process special category data relating to you for a number of purposes including, but not limited to, the following. In relation to each, we have also identified the legal basis for processing your personal information by reference to each legal basis set out in 4D above.

Where we process such data, we will use such data in the following ways:

  • Information about your health and sickness records to monitor and manage sickness absence, to assess your fitness to work, to provide appropriate workplace adjustments (where this is required by law), to ensure your health and safety in the workplace and to administer benefits (Basis A, Basis B and Basis C)

We may process information about criminal convictions.  Given the nature of our business, we ask successful candidates who have accepted a conditional offer of employment or engagement to disclose their criminal record history and we carry out criminal record checks as part of our background vetting process and in compliance with our obligations in connection with employment or engagement (Basis A). 

In some cases we are required to carry out these checks (for example, for regulated roles); in all cases, we carry out the checks in accordance with the applicable law. 

For regulated roles, the criminal record checks may be repeated periodically during the course of employment or engagement in accordance with our regulatory obligations.

We will always treat criminal record history as confidential and it will only be shared internally where there is a specific and legitimate purpose to do so. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. 

Criminal record information will be deleted once the applicable checks have been completed, subject to any exceptional circumstances and/or to comply with particular laws or regulations.  Criminal record information will typically be retained for a maximum of 6 months, although the outcome of any check will remain on the individual’s record.

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to act in accordance with our regulatory and other legal obligations and is in accordance with our data protection policy. 

5. Do we need your consent?

There may be limited circumstances where the legal basis for processing your personal information as outlined at 4A and 4D does not apply.  In this case we will approach you to obtain your explicit consent to allow us to process certain particularly sensitive data, or other personal information. 

We will only seek and rely on your consent where you are fully informed and your consent can be freely given.

We will provide you with full details of the information that we require and the reason we need it, so that you can carefully consider whether you wish to consent. 

If you do provide your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for that purpose.

If you wish to withdraw your consent, please speak to your local People Function contact in writing in the first instance, who will refer to the Data Protection Officer as needed.

6. What steps do we take to protect your data?

Hiscox has security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, or inappropriately altered or disclosed. Where processing includes special categories of Personal Data, additional security measures including greater access controls are in place. In addition, we limit access to your personal information to those who need to process that information for business reasons. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected information security breach and will notify you and any applicable regulator of a suspected breach as appropriate and in accordance with our legal obligations.

7. Who do we share your personal information with?

Where this is relevant to their role, your line managers, certain People Function professionals, and in some cases certain colleagues (i.e. where necessary to fulfil business requirements) will have access to some of your personal information.

We may share your personal information with third parties, including third party service providers and other Hiscox Group companies in the following situations:

  • where required by law 
  • where it is necessary to administer the working relationship with you
  • where we have another legitimate interest in doing so, as a business and as your employer or prospective employer

In these circumstances, we require third parties to ensure the security of your personal information and to treat it in accordance with the law.

The terms of our contracts with third parties include obligations on them in relation to what personal information they can process and what they can do with that information. All our third party service providers, professional advisers and other entities in the Hiscox Group are required to take appropriate security measures to protect your personal information in line with our policies.

We may disclose your personal information to the third parties listed below where relevant to the purposes described in this notice. This might include:

  • other companies within the Group as part of our regular reporting activities on company performance, in the context of a business reorganisation or Group restructuring exercise, for system maintenance support and hosting of data
  • agents or contractors that provide services to us including, for example, payroll, pension administration, benefits provision and administration, IT services and background screening checks carried out as part of the recruitment process and any routine screening during the employment/working relationship
  • relevant tax bodies
  • visa and immigration authorities
  • regulatory authorities
  • professional advisers
  • medical officers, occupational health officers

Further details can be obtained from your local People Function contact.

Any questions or details required regarding pre-employment background screening checks should be directed to the Central People Operations Team [email protected] and/or the Group Data Protection Officer [email protected].

8. Which countries do we transfer data to?

Your personal information may be disclosed to members of the Hiscox Group outside of the EU or European Economic Area (EEA). Those countries (being the US and Bermuda) require additional protections to legitimise any data transfers; these are detailed in section B below.

Certain suppliers and service providers may also have personnel or systems located outside the EU and EEA. Your personal information may therefore be transferred outside the EU to non-EEA countries, details of which are available from your local People Function contact if you would like further details.

Hiscox has an intra-Group data transfer agreement in place which regulates cross-border transfers of your personal information within the Group. Where required, Hiscox rely on the EU Standard Contractual Clauses within this agreement in order to legitimise this transfer of data. 

Where we share your personal data with third parties who are outside the EU or the EEA, we will take steps to ensure that your personal information receives an adequate level of protection, for example by entering into the EU Standard Contractual Clauses.

You have a right to request further information relating to the transfer of your personal information and the safeguards in place. 

If you require further information about this, you can request it from your local People Function contact.

9. How long do we use your personal information for?

We will retain your personal information only for as long as is reasonably necessary to satisfy the purposes for which it was collected, and for the purposes of satisfying any legal, accounting or reporting and regulatory requirements. These legal and other requirements require us to retain certain records for a set period of time, including following the termination of your employment. In addition, we retain certain records in order to resolve queries and disputes that may arise from time to time.

When you are no longer an employee, we will retain and subsequently securely destroy your personal information in accordance with our Records Retention policy. If you would like further details about the Records Retention policy, please speak to your local People Function contact. 

We will typically retain personal data collected during the recruitment process in relation to an unsuccessful candidate for a maximum period of 12 months from the end of the process subject to any exceptional circumstances and/or to comply with particular laws or regulations. 

We will typically retain personal data held in archived e-mails or other electronic files for six years after cessation of employment for employees and 12 months for unsuccessful candidates.

If you are offered and accept employment with Hiscox, the personal data we collected during the application and recruitment process will become part of your employment record and we may use it in connection with your employment in accordance with this Privacy Notice.

10. What are your rights and responsibilities?

Please ensure you inform us if your personal information changes while you are an employee or work with us as it is important that the personal information we hold about you is accurate and current. We also encourage you to monitor and update your personal information on Workday where appropriate.

Certain information has to be provided so that we can enter into a contract with you (e.g. your contact details, right to work in the country and payment details). You also have some obligations under your contract to provide certain information to us (e.g. to report absences). Without this information, we may not be able to consider your suitability for employment or engagement, enter into an employment contract or working relationship with you, or efficiently carry out the rights and obligations that arise as a result of the employment or working relationship.

In addition, you may have to provide us with information so that you can exercise your statutory rights (e.g. parental leave (where applicable)).  If you fail to provide the necessary information, this may mean you are unable to exercise your statutory rights.

You have a number of rights in relation to the personal information that we hold about you (subject to certain exemptions).

You have the following rights (subject to certain exemptions): 

  • to make a data subject access request: to obtain a copy of the personal information we hold about you
  • to ask us to correct inaccurate personal information, including the right to have any incomplete information about you made complete
  • to ask us to erase your personal data where it is no longer necessary in relation to the purposes for which it was collected
  • to ask to restrict the processing of your personal information where:
    • the accuracy of the personal data is contested - while steps are taken to correct or complete it or to verify the accuracy
    • the processing is unlawful but the erasure of the personal data is not appropriate
    • we no longer require the personal data for the purposes for which it was collected but it is required for the establishment, exercise or defence of a legal claim
  • to object to processing which we have justified on the basis of a legitimate interest - in which case the relevant processing will only continue where we have compelling legitimate grounds for processing your personal information
  • to object to any decisions based solely on automated decision making
  • to ask to obtain a portable copy of those parts of your personal data where we rely on consent or performance of the contract as the justification for processing, or to have a copy of that personal data transferred to a third party controller 
  • to withdraw your consent to processing where, in rare circumstances, we have relied on your consent as the justification for processing your personal information 
  • to ask to obtain a copy of any data transfer agreement, or to access information about safeguards under which your personal data is transferred outside of the European Economic Area
  • to lodge a complaint with the appropriate supervisory authority. You have the right to raise any concerns about how your personal data is being processed with the National Commission for Data Protection, Commission Nationale pour la Protection des Données, by going to the website: https://cnpd.public.lu/fr.html or contacting them on (+352) 26 10 60 –1
  • you may also raise any complaint or concerns with the Spanish Data Protection Agency, Agencia Española de Protección de Datos (AEPD), by going to the website: https://www.aepd.es/es or contacting them on 900 293 183

 

Subject access requests

There is generally no fee to access the personal information that we hold about you; however, we may charge a reasonable fee if your request is clearly unfounded or excessive or if you request further copies of the same information.

Alternatively, we may refuse to comply with a request that is unfounded or excessive.

No automated decision-making is performed regarding your personal data.

Further information about your rights is available from your local People Function contact.

If you want to make one of these requests, please speak to your local People Function contact or contact the Data Protection Officer at [email protected]

*this will be the company which employs or engages you in the context of a working relationship, which will be:

  • in Spain, Hiscox SA of Calle Miguel Angel 11, 4ª Planta, 28010 Madrid