Table of contents
- Before we begin
- What information we collect
- How we’ll use your information
- How we make decisions about you
- Tracking or recording what you say or do
- Enhanced Vetting
- Criminal Convictions
- Credit Reference Checks
- Compliance with laws and regulatory compliance obligations
- Who we might share your information with
- Sharing aggregated or anonymized information
- How long we’ll keep your information
- Transferring your information overseas
- Your rights
- What we need from you
- How we keep your information secure
- More details about your information
Before we begin
This notice (Privacy Notice) applies to personal information relating to your application for employment with HSBC Group held by members of the HSBC Group as data controllers, as described below. It explains what information we collect about you, how we'll use that information, who we'll share it with, the circumstances when we'll share it and what steps we’ll take to make sure it stays private and secure. This Privacy Notice covers all aspects of your interaction with HSBC in your capacity as an applicant, including recruitment and pre-employment screening and we may update this notice at any time.
Some of the links on our websites lead to other HSBC or non-HSBC websites with their own privacy notices, which may be different to this notice. You'll need to make sure you're happy with their privacy notices when using those other sites.
Wherever we've said "you" or "your", this means you or any authorised person who engages with us on your behalf (e.g. recruitment agencies you have authorised to liaise with us on your behalf).
When we say "we", we mean HSBC Group companies (as set out in Appendix 1) which act as a data controller in respect of your personal data in your applicant capacity. Unless otherwise stated below, the data controller for the purposes of this notice will be the HSBC Group company that you have applied for employment with.
If you'd like to get in touch with us, you can also find contact details set out in the "More details about your information" section below.
Appendix 1 – Legal Entities
What information we collect
We’ll only collect your information in line with relevant regulations and law. We may collect it from a range of sources and it may relate to any of the roles you apply for, currently hold or have held in the past both within and outside of the HSBC Group. We may also collect information about you when you interact with us, e.g. call us, visit our websites or mobile channels, or use services we make available to you in your applicant capacity (e.g. online tests).
Some of it will come directly from you, e.g. when you provide ID to verify your identity or right to work. It can also come from your previous employers, other HSBC companies, or other sources you’ve asked us to obtain information from. We might also get some of it from publicly available sources. The information we collect may include:
Information that you provide to us, e.g:
- personal details, e.g. name, previous names, gender, date and place of birth, employment history;
- contact details, e.g. address, email address, landline and mobile numbers;
- information concerning your identity e.g. passport information, National Insurance number, National ID card;
- information concerning any qualifications you hold e.g., university education, professional certifications;
- health data including medical condition, health and sickness records or confirmation if you are able to perform a given position (as applicable), information about any disabilities you might have;
- market research, and information and opinions expressed when participating in applicant surveys;
- other information about you that you give us by filling in forms or by communicating with us (e.g. interviews or assessments), whether face-to-face, by phone, email, online, or otherwise.
Information we collect or generate about you, e.g:
- information we use to identify and authenticate you, e.g. your signature, or additional information that we receive from external sources that we need for compliance purposes;
- geographic information, e.g. about which HSBC offices you visit;
- investigations data, e.g. due diligence checks, fraud, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among individuals, organizations, including emails, voicemail, live chat;
- complaints information;
- application data including information about your individual performance in assessments or online tests;
- records of correspondence and other communications between us, including email, live chat, instant messages and social media communications;
- information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities (e.g., politically exposed person and sanction checks).
Information we collect from other sources, e.g:
- information you’ve asked us to collect for you or we collect as part of our vetting process, e.g. work references from previous employers.
How we’ll use your information
We’ll only use your information where we have your consent or we have another lawful reason for using it. These reasons include where we:
- need to pursue our legitimate interests (e.g., to assess your suitability for the role you are applying for);
- need to process the information to comply with a legal obligation;
- believe the use of your information as described is in the public interest (e.g. for the purpose of preventing or detecting crime or for equal opportunity monitoring and or reporting purposes).
The reasons we use your information include:
- to administer your applicant relationship with us e.g. schedule interviews, communicate decisions etc.;
- to carry out your instructions, e.g. send you details of online tests or assessments;
- to manage our relationship with you, including (unless you tell us otherwise) telling you about other roles and services we think may be relevant for you;
- to prevent or detect crime including fraud and financial crime, e.g. financing for terrorism and human trafficking;
- for security, staff vetting, and business continuity;
- for risk management;
- to conduct applicant surveys and data analytics, to better understand our workforce and assist us with succession planning;
- to protect our legal rights and comply with our legal obligations;
- for service, system or product development and planning, insurance, audit and administrative purposes.
Further details of how we’ll use your information can be found in Appendix 2 below.
Appendix 2 – How we process your information
How we make decisions about you
We may use automated systems to help us make decisions about the outcome of your application. We may use technology that helps us identify the level of risk involved in your work for us, e.g. for fraud or financial crime reasons, or to identify market misconduct through analysis of irregular trades.
You may have a right to certain information about how we make these decisions. You may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Your rights’ section below.
Tracking or recording what you say or do
We may record details of your interactions with us. We may record and keep track of conversations you have with us including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of communication. We may use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We may also use these recordings to make decisions on the outcome of your application. We may capture additional information about these interactions, e.g. telephone numbers that you call us from and information about the devices or software that you use. We use closed circuit television (CCTV) in and around our sites and these may collect photos or videos of you, or record your voice.
We will request, collect and process your personal data as part of our vetting procedures. This will be in order to confirm your identity, employment history and relevant qualifications with respect to a role, to comply with the law and for our legitimate interests to be able to assess and manage our risk.
We collect personal data during the recruitment process directly from the candidates for vetting to be performed by teams within HSBC Global vendors or other carefully selected third parties may also collect personal data for overseas vetting purposes for us.
We will typically collect, store, and use the following categories of personal information about you:
- personal contact details such as name (all legal and alias, current and previous names), title, addresses, telephone numbers, and personal email addresses;
- date of birth and gender;
- national insurance number or equivalent tax identification number;
- location of employment or workplace;
- recruitment information (including copies of right to work documentation, references and other information included in a cv or cover letter or as part of the application process);
- information concerning any qualifications you hold e.g., university education, professional certifications;
- employment records (including job titles, work history, working hours, training records and professional memberships).
Vetting checks that we may perform include:
- a right to work check;
- verification of identity;
- a credit reference check;
- a conduct check, which may include a criminal check
- a conflicts of interest check in relation to the employment of relatives, any former employment with an external auditor and any external directorships held;
- a search of publicly available internal HSBC watch lists and external watch lists or database files provided by third parties, indicating no involvement in activities such as fraud, financial crime, money laundering or breach of sanctions;
- a media research check indicating no involvement in activities such as fraud, financial crime, money laundering, breach of sanctions, terrorism.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note also that we may process your personal information without your knowledge or consent, where this is required or permitted by law.
We may conduct enhanced vetting for specific high risk posts within HSBC. We will conduct enhanced vetting during recruitment, and periodically throughout your employment, in line with HSBC’s vetting policy. If your role is identified as an enhanced vetting role, you will be required to pass a number of checks to the satisfaction of HSBC before or shortly after commencing the role. During the recruitment process, we will make you aware of any relevant specific vetting requirements for the role you are applying for.
We may request information about criminal convictions if it is appropriate (i.e., for regulated roles) and where we are legally able to do so. We may also collect information about criminal convictions to meet our legal obligations in connection with your employment. We may collect information about criminal convictions in any country or region where you have resided for a period of 6 months or more within the last five years.
We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.
Credit Reference Checks
As part of your application to us, we may perform credit and identity checks on you with one or more credit reference agencies (CRAs). We will conduct credit reference checks with CRAs in any country or region where you have resided for a period of 6 months or more within the last five years.
We may use this information to:
- prevent criminal activity, fraud and money laundering;
- manage your application(s).
Compliance with laws and regulatory compliance obligations
We’ll use your information to meet our compliance obligations, to comply with other laws and regulations and to share with regulators and other authorities that HSBC Group companies are subject to. This may include using it to help detect or prevent crime (including terrorism financing, money laundering and other financial crimes). We’ll only do this on the basis that it’s needed to comply with a legal obligation or it’s in our legitimate interests and that of others.
Who we might share your information with
We may share your information with others where lawful to do so including where we or they:
- have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud, tax evasion and financial crime;
- need to in connection with regulatory, reporting, litigation or asserting or defending legal rights and interests;
- have a legitimate business reason for doing so, e.g. to manage risk, verify your identity or assess your suitability for roles; and
- have asked you for your permission to share it, and you’ve agreed.
We may share your information for these purposes with others including:
- other HSBC group companies and any sub-contractors, agents or service providers who work for us or provide services to us or other HSBC Group companies (including their employees, sub-contractors, service providers, directors and officers);
- your beneficiaries or intermediaries,
- tax authorities, trade associations, credit reference agencies;
- any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
- law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
- other parties involved in any disputes, grievances and investigations;
- fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity;
- anybody else that we’ve been instructed to share your information with by you.
Sharing aggregated or anonymised information
We may share aggregated or anonymised information within and outside of the HSBC Group with partners such as research groups, universities. You won’t be able to be identified from this information, e.g. we may share information about general employment trends to assist in research.
How long we’ll keep your information
We keep your information in line with our data retention policy. For example we’ll normally keep your core application data for a period of two calendar years from the year you are have formally applied.
If you are required to complete an on-line assessment as part of your application, your test results may be valid for future job applications for a period of twelve months. If you apply to either the same role or a different role with HSBC after twelve months from your initial application you may be required to complete a new on-line assessment.
We may need to retain your information for a longer period where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc.
If we don’t need to retain information for this period of time, we may destroy, delete or anonymise it more promptly.
Transferring your information overseas
Your information may be transferred to and stored in locations outside the European Economic Area (EEA), including countries or regions that may not have the same level of protection for personal information. When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is lawful. We may need to transfer your information in this way to carry out our recruitment process, to fulfil a legal obligation, to protect the public interest and / or for our legitimate interests. In some locations the law might compel us to share certain information, e.g. with tax authorities. Even in these cases, we’ll only share your information with people who have the right to see it.
You can obtain more details of the protection given to your information when it’s transferred outside the EEA by contacting us using the details in the ‘More details about your information’ section below.
You have a number of rights in relation to the information that we hold about you. These rights include:
- the right to access information we hold about you and to obtain information about how we process it;
- in some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. We may continue to process your information if we have another legitimate reason for doing so;
- in some circumstances, the right to receive certain information you have provided to us in an electronic format and / or request that we transmit it to a third party;
- the right to request that we rectify your information if it’s inaccurate or incomplete;
- in some circumstances, the right to request that we erase your information. We may continue to retain your information if we’re entitled or required to retain it;
- the right to object to, and to request that we restrict, our processing of your information in some circumstances. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing your information and / or to refuse that request.
You can exercise your rights by contacting us using the details set out in the ‘More details about your information’ section below. You also have a right to complain to the data protection regulator in the country or region where you apply for a job.
What we need from you
You’re responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible.
The absence or inaccuracy of any records may affect the outcome of your application or we may be prevented from complying with our legal obligations.
How we keep your information secure
We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
More details about your information
If you’d like further information on anything we’ve said in this Privacy Notice contact us via email at firstname.lastname@example.org or by post to the attention of the Data Protection Officer - HSBC Continental Europe, Greece, Messoghion Avenue 109-111.