Job Applicant Privacy Notice

Last Updated: June 30, 2023

Suzy, Inc. and its affiliates (collectively, “Suzy”, “we”, “our”, or “us”) are committed to protecting your personal data and privacy. We created this Job Applicant Privacy Notice (“Notice”) as a supplement to Suzy’s Privacy Policy to explain how and why we collect personal data about you, what that data is, under what circumstances we may disclose or share it, how we use it, how long we store it, and what rights you have with respect to your personal data.

This Notice explains the personal data we collect from or about you when you apply to work for us, whether as an employee, worker, or contractor. It will apply when you submit your resume, CV, cover letter, or other materials submitted with an application form (together or each separately, an “Application Packet”) directly to us, through our online careers portal, https://app.careerpuck.com/page/suzy-suzy-open-roles, or https://careers-suzy.icims.com/, or where your application packet has been sent to us by a recruitment agent on your behalf.

This Notice does not cover your use of Suzy’s products or services as a consumer or customer. For more information on what privacy notices apply to those uses, please visit the Suzy Trust Center.

By submitting an Application Packet, you acknowledge that you have read and understood and accept the disclosures set forth in this Notice.

Table of Contents

  • Personal Data: When we use the term "Personal Data" in this Notice, we use it as a catchall term to mean any information that is linked or reasonably linkable to you. This includes information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household. Some states and countries refer to this as "personal information" or "personally identifiable information." References to Personal Data means information that we collect or for which we act as custodian.

    Sensitive Personal Data: Some Personal Data is so sensitive that it requires heightened care and protection. Different laws consider different types of personal data sensitive but generally include:

    • Financial information

    • Health information (physical health, mental health, and/or substance use information)

    • Citizenship / immigration status

    • Sexual orientation, sexual preferences, or sexual practices

    • Driver's license information

    • Passport information or other government-issued identification information

    • Zip code

    • Genetic information

    • Biometric information

    • Data of children under the age of 13

    • Racial or ethnic origin

    • Religious or philosophical beliefs

    • Political opinions or affiliations

    • Trade union membership

    • Criminal history / record information

    • Precise geolocation information

  • We collect Personal Data about you in a variety of ways, including through:

    Direct interactions. The majority of the information we collect will come directly from you in the following ways:

    o Information you voluntarily upload to our careers/recruitment website or forms;

    o Notes made by our recruitment team during a recruitment interview; and

    o Information from official documentation you provide to us such as for background checks.

    Indirect sources. Other details may be collected indirectly from the following sources:

    o Recruitment agencies

    o Your named references

    o Background check providers

    o Credit reference agencies

    o Third-party platforms such as Indeed or LinkedIn; and

    o Publicly available sources such as social media sites (to the extent necessary and relevant to the job role).

    Cookies. As you interact with our sites, we, our service providers, and business partners will automatically collect certain technical data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, web beacons, and other similar technologies. Read our Cookie Policy here.

    Linked data. If you have submitted your application through our recruitment portal, we may also link the data you provide to us with other publicly available information about you that you have published on the internet, including sources such as LinkedIn and other social media profiles.

  • You will not be subject to decisions that will have a significant impact on your candidacy based solely on automated decision-making.

  • We will retain your Personal Data for as long as necessary to assess your candidacy for a position with Suzy. If you join Suzy, your Personal Data will be kept in your personnel file; if you don’t, your data will be destroyed or de-identified when we no longer need it, or sooner upon your request, except where we are required by law to keep it. We will keep some details so we can stay in touch regarding future opportunities, unless you ask us not to.

    Please note that, in certain circumstances, we may retain limited information about you for the period of time during which you are able to bring a discrimination claim under your local law. We retain the information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment process in a fair and transparent way. We will only retain the minimum amount of Personal Data required in these circumstances and will securely delete all other Personal Data that we hold about you.

  • Suzy is based in the United States, our servers and systems are located in the United States, and many of our third-party service providers are based in the United States.

    By submitting an Application Packet, you freely and specifically give us your consent to export, process, and/or store your Personal Data in the United States. You understand that the United States may not have the same data protection / privacy laws as your country and that data stored in the United States may be subject to lawful requests by the courts or law enforcement authorities in the United States.

    In some cases, we may transfer your data overseas to our service providers in places with different laws and protections. We’ll use appropriate technical and organizational measures and safeguards to protect your data during international transfers and at all other times it is in our care.

    If you are resident in or a visitor of the EEA, United Kingdom, or Switzerland, we will protect your Personal Data when it is transferred outside of such locations by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal information or otherwise implementing appropriate safeguards to protect your Personal Data, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission.

  • We use appropriate security measures to prevent Personal Data from being lost, used, or accessed in an unauthorized way, altered, or improperly disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors, and other third parties who have a business need-to-know. They only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.

    We have put in place procedures to respond to any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

  • Requests to exercise your privacy rights may be made by:

    • submitting a Privacy Request;

    • e-mailing trust@suzy.com; or

    • writing to: Suzy, Inc. Attn: Legal, 228 Park Avenue South, PMB 85529 Broadway, New York, NY 10003

    We will not charge you fees in connection with the exercise of your rights, unless the request is manifestly unfounded or excessive (for example, because of its repetitive character).

    Response timing and format

    We will respond to your request in a reasonably timely manner and typically within 30-60 days, depending on the laws applicable to you. We'll either fulfill your request or explain why we're not taking action. If we don't take action, and if the applicable laws so require, we'll also provide instructions on any rights to appeal our decision.

    In order to protect the security of your Personal Data, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. The method used to verify your identity will depend on the type, sensitivity and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the Personal Data that we already have.

    If you are in the European Union and you are not satisfied with our response, you have the right to complain or seek advice from your local data protection supervisory authority and/or bring a claim against us in any court of competent jurisdiction.

    In so far as practicable, we will notify any third parties to whom we have disclosed your Personal Data with any correction, deletion, and/or restriction to the processing of your Personal Data.

  • You can contact us by:

    • e-mailing trust@suzy.com;

    • submitting a Privacy Request; or

    • writing to: Suzy, Inc. Attn: Legal, 228 Park Avenue South, PMB 85529, New York, NY 10003

    • If you are in the European Union, European Economic Area or UK, you can contact our Article 27 Data Protection Representative.

  • The Data Controller of your Personal Data is listed below. If we can’t resolve your concerns (we hope we can!), you may also raise your concerns to your local statutory authority.

    United States

    Suzy, Inc.

    Address: 228 Park Avenue South, PMB 85529, New York, NY 10003

    Request Portal: Privacy Request Form

    Email: trust@suzy.com

    United Kingdom

    Data Protection Representative Limited

    Address: available here

    Request Portal: http://www.datarep.com/data-request

    Email: datarequest@datarep.com

    European Union

    Data Protection Representative Limited

    Address: available here

    Request Portal: http://www.datarep.com/data-request

    Email: datarequest@datarep.com

  • The Suzy careers website is not intended for minors under the age of 16, and Suzy does not process or disclose personal information of minors under sixteen years of age.

  • We reserve the right to amend this Notice at any time in order to address future developments of Suzy, its careers website, or changes in industry or the law. We will post the revised Notice online. You can determine when the Notice was revised by referring to the “Last Updated” date on the top of this Notice.

    Any changes will become effective upon the posting of the revised Notice online, and by continuing to use Suzy’s careers website or submitting an Application Packet following such changes, you will be deemed to have read, understood, and agreed to such changes. If you do not agree with the collection and processing of your Personal Data as described in this Notice, in whole or part, you can choose not to continue to use the careers website or apply for a role with Suzy.

  • • N/A

We will use the following categories of Personal Data. Your Personal Data will be seen by hiring managers, Suzy’s talent acquisition and People team, and relevant Suzy team members.

Type of Data

Use

Lawful Purpose

Publicly available information advertised by individuals for the purpose of professional networking and work opportunities (e.g., your LinkedIn profile)

For Suzy’s talent acquisition purposes (including assessing your skills, capabilities, and experience in consideration of your suitability for employment with Suzy)

Legitimate interest

Contact Information. Name, email address, phone number, postal address.

·        Managing our recruitment process and talent community;

·        Contacting you or others on your behalf, such as your emergency contacts;

·        Maintaining appropriate business records during the application/ interview process;

·        Assessing and making hiring decisions about new team members; and

·        Complying with our obligations under applicable laws.

Legitimate interest

Identity information. Date of birth, national ID or social security number, personal photograph

·        Managing our recruitment process and talent community;

·        Maintaining appropriate business records during the application/ interview process;

·        Assessing and making hiring decisions about new team members; and

·        Complying with our obligations under applicable laws.

Legitimate interest

Legal obligation

Consent

Resume or employment-related information. Employment history, skills, experience, employment details, performance, notice periods, work status, and other information you provide in application forms

For Suzy’s talent acquisition purposes (including assessing your skills, capabilities, and experience in consideration of your suitability for employment with Suzy)

Legitimate interest

Consent

Education information. Educational history, academic qualifications and details, professional admissions, industry certifications, and other information you provide in application forms

For Suzy’s talent acquisition purposes (including assessing your skills, capabilities, and experience in consideration of your suitability for employment with Suzy), (if successful) to establish the relationship between you and Suzy, and to update you about Suzy careers.

Legitimate interest

Consent

Security and safety information. Criminal background checks, CCTV images and office access records for in-person recruitment activities (e.g., onsite interviews)

To ensure our team members and contacts are safe from threats and harms.

To establish whether you have any criminal convictions and verify your identity. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us to do so.

Legitimate interest

Consent

Compensation and benefits information. Information associated with your salary/compensation, benefits, vacation and time/off entitlements and similar information

For Suzy’s talent acquisition purposes and if successful to establish the relationship between you and Suzy, including to determine employment offers and negotiations

Legitimate interest

Consent

Sensitive Personal Data and protected class information. Information about your race or ethnicity; veteran status; information about your citizenship and right to work; information about your health or disability status, including any medical condition, health and sickness records; and information about criminal convictions and offenses.

·        We will use information about your medical or disability status to consider whether we need to provide appropriate adjustments or accommodations during the recruitment process, for example whether adjustments need to be made during a test or interview.

·        We will use information about your race or national or ethnic origin to ensure meaningful Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements. Where local law prohibits us from requesting information about race, national or ethnic origin, we will not request this information and ask that you please do not disclose this information to us.

·        If we decide to offer you the role, we may undertake checks to establish whether you have any criminal convictions and verify your identity. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us to do so.

Our legal basis for using your Sensitive Personal Data is consent. Providing U.S. Equal Opportunity Information and Self-Identification of Disability is completely voluntary.

We sometimes rely on third-party products and services to assist us with our recruitment process. Such products and services are provided under the terms and conditions (including privacy notices) of the vendors that provide them. Suzy does not control how these vendors use the personal data they collect.

We will share your Personal Data with third parties for the purposes of processing your Application Packet. All of our third-party service providers are required to take appropriate security measures to protect your Personal Data in accordance with the law and our policies. Those service providers include:

Service

Entity(ies) Name

Location

Background check provider(s)

Clearstar, Inc.

Checkr, Inc.

GA, USA

CA, USA

Recruitment portal provider(s) and Candidate profiling service provider(s)

iCIMS, Inc.

Career Puck, Inc.

LinkedIn Corporation

Gem Software, Inc.

Orgnostic, Inc.

NJ, USA*

CA, USA*

CA, USA*

CA, USA

Cambridge, USA

Contractor(s)/consultant(s) providing HR services to Suzy

None

N/A

Privacy compliance tool(s) used to respond to privacy rights requests

Zendesk, Inc.

Subtle Web Inc.

Relyance Inc.

Atlassian PTY Ltd.

CA, USA*

Canada

CA, USA

CA, USA*

*May also include outside the USA if the applicable services involve global data or necessitate non-USA processing

In certain circumstances, you have the following rights regarding your Personal Data. Your rights and choices may vary depending on the laws applicable to your Personal Data. Such laws may extend additional rights and choices to you or may limit or except the rights listed below.

Right

Details

Right of Access

Find out what kind of Personal Data we process about you and request details of this information, including categories of recipients to whom the Personal Data have been or will be disclosed and purposes of processing.

Right to Know

Ask us for a notice identifying the categories of Personal Data that we collect (and from whom), disclose, or share (and to whom we disclose or share), as well as our business or commercial purposes for collecting, disclosing, or selling that Personal Data. In most respects, this Notice serves as such notice.

Right to Rectify, also known as Right to Correct

Ask for your Personal Data to be rectified, updated or, corrected. We may need to verify the accuracy of the new information you provide to us.

Right to Transfer, also known as Right to Data Portability

Ask us to package up your Personal Data in a structured, commonly used and machine-readable format, so you can move, copy, or transfer it to another organization in a secure manner and without interrupting the integrity and usability of the information.

Right to Restrict or Object to Processing

Object to certain types of processing of your Personal Data, including profiling, targeted advertising, direct marketing, and statistical, scientific, or historical research purposes.

Right to not be Subject to Fully Automated Decisions

Ask to not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal Data, unless you have given us your explicit consent or where necessary for the performance of a contract with us.

Right to Limit Use of Sensitive Information

Tell us to limit or stop processing your Sensitive Personal Data.

Right to Withdraw Consent at Any Time

Withdraw any consent you may have previously given us

Right to Delete, also known as the Right to be Forgotten

Request that your Personal Data be erased. Where required, we will delete your Personal Data. We will decline your request for deletion if processing of your Personal Data is necessary: (i) for us to comply with our legal obligations; (ii) for the establishment, exercise, or defense of legal claims; (iii) for the performance of a task in the public interest, or (iv) for us to perform certain actions in accordance with applicable laws, such as detecting security incidents and protecting against fraudulent activity.

Right to Opt-Out of the Sale or Sharing of your Personal Data

Direct us not to sell your Personal Data to third parties.

California residents: You have the right to tell us not to sell or share your Personal Data to third parties. This right is referred to as the "right to opt-out of sale or sharing."

In addition to your Privacy Rights, there are mechanisms you can use to control your Personal Data.

Control

Details

Advertising Controls

Some of the business partners that may collect information about your activities on our sites may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior for purposes of targeted advertising.

·        For example, you may opt out of receiving targeted advertising through members of the Network Advertising Initiative by clicking here or the Digital Advertising Alliance by clicking here.

·        European users may opt out of receiving targeted advertising through members of the European Interactive Digital Advertising Alliance by clicking here, selecting your country, and then clicking "Choices" (or similarly-titled link).

Marketing Emails and Service Announcements Controls

Individuals may unsubscribe from receiving marketing or other commercial emails from us by following the instructions included in the email. However, even if an individual opts out of receiving such communications, we retain the right to send them non-marketing communications (such as emails regarding changes to this Notice). You do not have an option to opt out of these emails, which are not promotional in nature.